Re: adding/subtracting permissions ??
The last paragraph of Ron's comments has the clarity and precision I think
we need to help people avoid mistakes. Some of the previous paragraphs
provide examples which help flesh it out. Well spoken, Ron.
At 1:45 PM -0800 4/7/97, Ron Rivest wrote:
>The way I think about tags is the following:
> Each tag is either *-free (containing no *-forms), or not.
> Each *-free tag is supposed to grant a specific permission.
> A tag containing *-forms stands for a SET of *-free forms, and
> so grants a SET of corresponding specific permissions.
>If you try to have "negative authorization", then you can get into
>trouble, independent of *-forms. For example, following Tony's
>example below, you might have a tag
> (exec-ok <program> <file>)
> (exec-ok P F)
>which is intended to mean: "You have permission to run program
>P as long as its input is not the file F." Independent of *-forms, what is
>it supposed to mean if I have two certificates:
> (exec-ok P F)
> (exec-ok P F')
>for two different files F and F'? Clearly I can now run P on any
>program I like! (To apply P to F', I use the first certificate, and to
>apply it to F, I use the second. For any other file, I can use either
>I think the problems you are proposing have little to do with *-forms, and
>arise from the "negative" nature of the authorization. What does it mean
>to have two certificates:
> (vacation-not-ok-on (* set Monday Tuesday))
> (vacation-not-ok-on (* set Monday Wednesday))
>With these certificates, I can take a vacation on any day but Monday!
>But the *-free certificates
> (vacation-not-ok-on Monday)
> (vacation-not-ok-on Tuesday)
> (vacation-not-ok-on Wednesday)
>are also problematic: I can take a vacation any day I like! The problems
>arise from having multiple certificates (starred or not) that attempt
>to take away privileges, rather than grant them.
>"Negative authorizations" should just not be used. Each *-free form
>should grant a specific (positive) authorization. The *-forms just
>provide a short-hand for granting multiple authorizations at once, but
>don't really introduce any new issues.
Bill Frantz | I have taken a real job at | Periwinkle -- Consulting
(408)356-8506 | Electric Communities as a | 16345 Englewood Ave.
firstname.lastname@example.org | capability security guru. | Los Gatos, CA 95032, USA
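A small worked example, added here and not part of the thread or of any SPKI implementation, that makes Ron's argument concrete. It models tags as tuples, supports *-free atoms, (*) and (* set ...), and then evaluates the thread's certificates under the intended "any one certificate suffices" rule. The tag syntax, the five-day universe and the certificate contents are all constructed for this illustration; "F2" stands in for the thread's F'.

```python
"""Added example (not from the SPKI thread): a tiny SPKI-style tag matcher
showing that positive tags compose by union, while a "negative" tag read as a
grant of everything it does not name loses its meaning as soon as a second
certificate appears. Tag syntax, day universe and certificates are constructed."""

# Tags are tuples; atoms are strings; a *-form is a tuple whose first element
# is "*": ("*",) matches anything, ("*", "set", a, b, ...) matches any listed atom.
DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday")


def is_star_form(elem):
    return isinstance(elem, tuple) and len(elem) >= 1 and elem[0] == "*"


def covers(pattern, value):
    """Does one tag element (a *-free atom or a *-form) cover a concrete value?"""
    if not is_star_form(pattern):
        return pattern == value                      # *-free: exact match only
    if len(pattern) == 1:
        return True                                   # (*) stands for any value
    if pattern[1] == "set":
        return value in pattern[2:]                   # (* set a b ...) is a finite set
    raise ValueError(f"unsupported *-form: {pattern!r}")


def tag_grants(tag, request):
    """A certificate tag grants a *-free request when the shapes agree and every
    element of the tag covers the corresponding element of the request."""
    return len(tag) == len(request) and all(
        covers(p, v) for p, v in zip(tag, request)
    )


def authorized(certs, request):
    """Positive semantics: any one certificate whose tag covers the request suffices."""
    return any(tag_grants(tag, request) for tag in certs)


def positive_days(certs, universe=DAYS):
    """Days granted by 'vacation-ok-on' certs: the union of what each cert grants."""
    return {d for d in universe if authorized(certs, ("vacation-ok-on", d))}


def negative_days_any_cert(certs, universe=DAYS):
    """Per-certificate reading of 'vacation-not-ok-on': each cert, on its own,
    grants vacation on every day it does NOT name, and any one cert suffices.
    Two certs therefore forbid only the days they BOTH name."""
    return {d for d in universe if any(not covers(tag[1], d) for tag in certs)}


def negative_days_all_presented(certs, universe=DAYS):
    """Conjunctive reading: a day is allowed only if no presented cert forbids it.
    Still unenforceable, because the holder chooses which certs to present."""
    return {d for d in universe if not any(covers(tag[1], d) for tag in certs)}


# Constructed certificates mirroring the thread's examples ("F2" plays F').
EXEC_CERTS = [("exec-ok", "P", "F"), ("exec-ok", "P", "F2")]
POS_STARRED = [("vacation-ok-on", ("*", "set", "Monday", "Tuesday")),
               ("vacation-ok-on", ("*", "set", "Monday", "Wednesday"))]
NEG_STARRED = [("vacation-not-ok-on", ("*", "set", "Monday", "Tuesday")),
               ("vacation-not-ok-on", ("*", "set", "Monday", "Wednesday"))]
NEG_FREE = [("vacation-not-ok-on", d) for d in ("Monday", "Tuesday", "Wednesday")]

if __name__ == "__main__":
    print("exec-ok P F      :", authorized(EXEC_CERTS, ("exec-ok", "P", "F")))   # True
    print("exec-ok P G      :", authorized(EXEC_CERTS, ("exec-ok", "P", "G")))   # False
    print("positive starred :", sorted(positive_days(POS_STARRED)))
    print("negative starred :", sorted(negative_days_any_cert(NEG_STARRED)))
    print("negative *-free  :", sorted(negative_days_any_cert(NEG_FREE)))
    print("conjunctive, all :", sorted(negative_days_all_presented(NEG_STARRED)))
    print("conjunctive, one :", sorted(negative_days_all_presented(NEG_STARRED[:1])))
```

Run stand-alone, the positive certificates grant exactly the union (Monday, Tuesday, Wednesday) and exec-ok grants only F and F2, while the two starred negative certificates permit every day but Monday and the three *-free negative certificates permit every day, as Ron describes. The last two lines show why switching the verifier to "no presented certificate may forbid the day" does not rescue negative tags: the result depends on which certificates the holder chooses to hand over, so withholding one widens the permission.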