[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: the deadly hypercube of death, or: handling permissions
From: |
Marcus Brinkmann |
Subject: |
Re: the deadly hypercube of death, or: handling permissions |
Date: |
Thu, 27 Apr 2006 18:37:39 +0200 |
User-agent: |
Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI) |
At Thu, 27 Apr 2006 16:24:01 +0200,
Ludovic Courtès <address@hidden> wrote:
> > For directories, it's a bit more complex, if we want to support
> > restrictions like "transitive read-only" (all capabilities fetched
> > through the directory are downgraded) and "opaque" (all _directory_
> > capabilities fetched through the directory are downgraded to opaque,
> > which implies read-only, but leaf nodes are not). A directory may
> > thus have "writable", "read-only", "transitive read-only" and
> > "opaque", but they are all mutually exclusive (or rather: the latter
> > two imply read-only, so there are really only 4 states).
>
> I assume you're talking about "directories" within a file system, right?
>
> I tend to think that Unixish and file-system-related object types are
> not so good when reasoning about composition, capabilities, etc.
> Some of these abstractions are too large, encompass various unrelated
> concerns, etc. Furthermore, they are not that crucial in a persistent
> system. ;-)
>
> For instance, the file abstraction could certainly be separated into
> various data types: currently, a file is a structure that associates
> an octet stream with a name, various meta-data, a user ID, permission
> bits, etc. An "open file" (or "file handle") aggregates some more
> information: offset, open mode, buffering type, etc.
>
> Similarly, a non-file-system-style "directory" abstraction would just
> bind names to directories or other arbitrary objects, not just files (the
> current Hurd already permits that but the interfaces are still very
> file-system-oriented). Thus, "read-only" permission does not make much
> sense in this context. Read/write permissions just makes sense for "file"
> objects.
A directory has lookup, which would require read capabilities, and
link, which would require write capabilities. I think it is useful to
give some programs only lookup/read access to a directory and not
link/write access.
> > Some objects will probably not have any permissions at all, for
> > example server "master" capabilities.
>
> What do you call "master" capabilities? Sorry if I missed the relevant
> thread/wiki page.
Currently, the file server "master" capability supports one call
(beside the usual ones): files_create_file. Ie, it is what allows you
to create new file objects.
Similar for directory server, pipe server, etc.
Thanks,
Marcus
- Re: Physical access without ultimate power? (was Re: Design principles and ethics (was [...]))), (continued)
- Re: Physical access without ultimate power? (was Re: Design principles and ethics (was [...]))), Bas Wijnen, 2006/04/30
- Re: Design principles and ethics (was Re: Execute without read (was [...])), Marcus Brinkmann, 2006/04/30
- Re: Design principles and ethics (was Re: Execute without read (was [...])), Marcus Brinkmann, 2006/04/30
- Re: the deadly hypercube of death, or: handling permissions, Jonathan S. Shapiro, 2006/04/27
- Re: the deadly hypercube of death, or: handling permissions, Marcus Brinkmann, 2006/04/27
- Re: the deadly hypercube of death, or: handling permissions, Ludovic Courtès, 2006/04/27
- Re: the deadly hypercube of death, or: handling permissions, Marcus Brinkmann, 2006/04/27
- Re: the deadly hypercube of death, or: handling permissions, Ludovic Courtès, 2006/04/27
- Re: the deadly hypercube of death, or: handling permissions, Tom Bachmann, 2006/04/27
- Re: the deadly hypercube of death, or: handling permissions, Ludovic Courtès, 2006/04/27
- Re: the deadly hypercube of death, or: handling permissions,
Marcus Brinkmann <=
- Directories traversal (was Re: the deadly hypercube of death, or: handling permissions), Pierre THIERRY, 2006/04/27
- Re: Directories traversal (was Re: the deadly hypercube of death, or: handling permissions), Marcus Brinkmann, 2006/04/27
- Re: Directories traversal (was Re: the deadly hypercube of death, or: handling permissions), Pierre THIERRY, 2006/04/27
- Re: Directories traversal (was Re: the deadly hypercube of death, or: handling permissions), Marcus Brinkmann, 2006/04/27
- Re: Directories traversal (was Re: the deadly hypercube of death, or: handling permissions), Pierre THIERRY, 2006/04/28
- Re: Directories traversal (was Re: the deadly hypercube of death, or: handling permissions), Marcus Brinkmann, 2006/04/28
- Re: Directories traversal (was Re: the deadly hypercube of death, or: handling permissions), Bas Wijnen, 2006/04/28
- Re: Directories traversal (was Re: the deadly hypercube of death, or: handling permissions), Jonathan S. Shapiro, 2006/04/28
- Ethics (was: Re: Directories traversal (was Re: the deadly hypercube of death, or: handling permissions), Marcus Brinkmann, 2006/04/28
- Re: Directories traversal (was Re: the deadly hypercube of death, or: handling permissions), Marcus Brinkmann, 2006/04/28