[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: adding/subtracting permissions ??
The last paragraph of Ron's comments have the clarity and precision I think
we need to help people avoid mistakes. Some of the previous paragraphs
provide examples which help flesh it out. Well spoken Ron.
At 1:45 PM -0800 4/7/97, Ron Rivest wrote:
>The way I think about tags is the following:
>
> Each tag is either *-free (containing no *-forms), or not.
>
> Each *-free tag is supposed grant a specific permission.
>
> A tag containing *-forms stands for a SET of *-free forms, and
> so grants a SET of corresponding specific permissions.
>
>If you try to have "negative authorization", then you can get into
>trouble, independent of *-forms. For example, following Tony's
>example below, you might have a tag
> (exec-ok <program> <file>)
>e.g.
> (exec-ok P F)
>which is intended to mean: "You have permission to run program
>P as long as its input is not the file F." Independent of *-forms, what is
>it supposed mean if I have two certificates:
> (exec-ok P F)
> (exec-ok P F')
>for two different files F and F'? Clearly I can now run P on any
>program I like! (To apply P to F', I use the first certificate, and to
>apply it to F, I use the second. For any other file, I can use either
>certificate.)
>
>I think the problem you are proposing have little to do with *-forms, and
>arise from the "negative" nature of the authorization. What does it mean
>to have two certificates:
> (vacation-not-ok-on (* set Monday Tuesday))
> (vacation-not-ok-on (* set Monday Wednesday))
>With these certificates, I can take a vacation on any day but Monday!
>But the *-free certificates
> (vacation-not-ok-on Monday)
> (vacation-not-ok-on Tuesday)
> (vacation-not-ok-on Wednesday)
>are also problematic: I can take a vacation any day I like! The problems
>arise from having multiple certificates (starred or not) that attempt
>to take away privileges, rather than grant them.
>
>"Negative authorizations" should just not be used. Each *-free form
>should grant a specific (positive) authorization. The *-forms just
>provide a short-hand for granting multiple authorizations at once, but
>don't really introduce any new issues.
>
>Ron Rivest
-------------------------------------------------------------------------
Bill Frantz | I have taken a real job at | Periwinkle -- Consulting
(408)356-8506 | Electric Communities as a | 16345 Englewood Ave.
frantz@netcom.com | capability security guru. | Los Gatos, CA 95032, USA
References: