summaryrefslogtreecommitdiff
path: root/capability.mdwn
diff options
context:
space:
mode:
Diffstat (limited to 'capability.mdwn')
-rw-r--r--capability.mdwn40
1 files changed, 40 insertions, 0 deletions
diff --git a/capability.mdwn b/capability.mdwn
new file mode 100644
index 00000000..06d3cf4a
--- /dev/null
+++ b/capability.mdwn
@@ -0,0 +1,40 @@
+[[license text="""
+Copyright © 2007 Free Software Foundation, Inc.
+
+Permission is granted to copy, distribute and/or modify this document under the
+terms of the GNU Free Documentation License, Version 1.2 or any later version
+published by the Free Software Foundation; with no Invariant Sections, no
+Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included
+in the section entitled [[GNU_Free_Documentation_License|/fdl.txt]].
+
+By contributing to this page, you agree to assign copyright for your
+contribution to the Free Software Foundation. The Free Software Foundation
+promises to always use either a verbatim copying license or a free
+documentation license when publishing your contribution. We grant you back all
+your rights under copyright, including the rights to copy, modify, and
+redistribute your contributions.
+"""]]
+
+A capability is a protected reference. It is a reference in that
+it designates an object; it is protected in that in cannot be
+forged. A capabilities both designates the object it refers to and
+carries the authority to manipulate it.
+
+By binding [[designation]] and [[authorization]] together, capabilities
+simplify [[delegation]]. Imagine that program instance A wants to
+tell program B to use a particular file to store some data.
+Further imagine that A and B are running in different [[trust_domains]]
+(e.g., with different UIDs). If A sends B just the name
+of the file, B needs to first ensure that he does not accidentally
+enable A to access the file on his own authority. That is, B wants
+to protect against A hijacking his authority. (This problem is
+refused to the [[confused_deputy]] problem.) Also, since A likely
+sent a string to identify the file to B, the identifier lacks a
+[[naming_context]] and therefore may resolve to a different object
+than A intended. Be ensuring that [[designation]] and [[authorization]] are
+always bound together, these problems are avoided.
+
+Unix file descriptors can be viewed as capabilities. Unix file
+descriptors do not survive reboot, that is, they are not
+[[persistent|persistency]]. To work around this, [[ACL]]s are used to
+recover authority.
generated by cgit v1.2.3 (git 2.46.0) at 2025-03-02 05:15:32 +0000