On Tue, 2005-10-11 at 22:23 +0200, Marcus Brinkmann wrote:
> So, very loosely, in the Hurd, the filesystem acts in the role of an
> EROS constructor. Clearly, the EROS solution is more generic, and
> abstracted. In the Hurd, this is just handled as a special case in
> the filesystem for the suid case.
From your description, this sounds right. Here is another small difference. It is not important for understanding the constructor concept, but it is important for security:

If all of this function is gathered in the file system, the file system does not satisfy the concept of "least privilege." The idea of "least privilege" is not an absolute idea, but it is an excellent design rule in practice.

I would add a second: As the amount of authority managed by a process rises, the complexity of the actions performed by that process really wants to be simplified. That is: if you *do* need to manage some complex permissions issue, keep the managing code simple so that you don't screw it up.

Finally: this is a place where persistence changes your point of view. In Hurd, where persistence is (currently) not available, the only place that you really *could* put this function is in the file system. In EROS, where a process can continue running across system shutdown, it becomes easier to bundle the authority into more fine-grain divisions (the constructors).

shap

_______________________________________________
L4-hurd mailing list
http://lists.gnu.org/mailman/listinfo/l4-hurd
