Page 1 of 1
Capabiliities
Posted: Sun Nov 01, 2020 10:44 am
by PeterX
OK, we have discussed capabilities here:
viewtopic.php?f=15&t=37387
viewtopic.php?f=15&t=36596
But I still don't know why access control lists aren't capabilities.
And is there a simple pseudo-code algorithm for managing capabilities?
Greetings
Peter
Re: Capabiliities
Posted: Sun Nov 01, 2020 10:46 am
by Korona
Responding to Schol-R-LEA here: you are of course correct that ACLs (and UNIX permissions) are an entirely different model than capabilities. I should have expressed my point more clearly: the file descriptor is a capability, the file on the file system is not! In UNIX, there are no ACL checks on file descriptors. If you have the file descriptor, you have the right to access the corresponding resource (and that's exactly the definition of a capability - a handle that allows access to a resource).
EDIT, @PeterX: in a capability-based system, you can access a resource whenever you have a handle to it. In a ACL-based design, on the other hand, you perform a permission check before accessing the resource.
Re: Capabiliities
Posted: Sun Nov 01, 2020 11:31 am
by PeterX
Korona wrote:EDIT, @PeterX: in a capability-based system, you can access a resource whenever you have a handle to it. In a ACL-based design, on the other hand, you perform a permission check before accessing the resource.
Ah, ok. Thanks.
So a capability is like a handle or (file) descriptor or maybe like a key.
And ACL is the bigger brother of file permissions, I guess.
And a C-list is simply an number-index referring to capabilities, do I understand that right?
https://en.wikipedia.org/wiki/C-list_(c ... _security)
Greetings
Peter