On Tue, 28 Sep 2010 09:33:33 BST Robert Watson <[email protected]> wrote:
> About ten years ago, I experimented with delegating UNIX privileges using file
> descriptors ("tokens"), but wasn't satisfied with the composition properties,
> so didn't reuse the idea in Capsicum. In particular, the existing file
> descriptor behaviour of UNIX seems to align well with capability concepts in a
> way likely to work well with current applications (not a coincidence, of
> course, but hence using that as the starting point in Capsicum), whereas many
> existing UNIX programs have strong notions of manipulating privilege using
> UIDs rather than as file rights. While it seemed that correct usage was
> likely possible, the potential for something catastrophic was worrying.
To me the notions of file descriptors and capabilities align so well that I would've considered mapping UIDs into this scheme somehow. Did you consider something like that? Mapping UIDs to a userfs or even a special kind of pre-opened "file" descriptors?
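The "descriptor as token" delegation that the quoted paragraph refers to, shown as an added example that is not part of this thread and not Capsicum's own code: a process opens a file, unlinks its name so that only holders of the descriptor can reach the data, and hands the descriptor across a UNIX-domain socket with SCM_RIGHTS, which is the portable POSIX mechanism (on FreeBSD one would normally call cap_rights_limit(2) on the descriptor first to narrow what the recipient may do with it). The file contents, the /tmp path template and the function names are constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Send one descriptor over a UNIX-domain socket with SCM_RIGHTS.
 * Returns 0 on success, -1 on error. One data byte travels alongside
 * because some systems refuse a zero-length payload with ancillary data. */
int send_fd(int sock, int fd) {
    char dummy = 'T';
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd or -1. A message that carries
 * no SCM_RIGHTS control block (or a malformed one) is rejected rather than
 * treated as a token. The received fd does not inherit FD_CLOEXEC, so it is
 * set here explicitly. */
int recv_fd(int sock) {
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS
        || c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    fcntl(fd, F_SETFD, FD_CLOEXEC);
    return fd;
}

/* Demonstration: write a constructed payload to an unlinked temporary file,
 * pass its descriptor across a socketpair, and read the payload back through
 * the received descriptor. Returns 1 when the delegated descriptor grants the
 * same access and shares the open file description with the original (the
 * offset advanced through the copy is visible through the original). */
int delegate_token_demo(void) {
    const char *payload = "constructed secret payload\n";   /* constructed */
    char path[] = "/tmp/fd_token_XXXXXX";                   /* assumed writable */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    unlink(path);   /* no name remains: only descriptor holders can reach the data */
    if (write(fd, payload, strlen(payload)) != (ssize_t)strlen(payload)) { close(fd); return 0; }
    lseek(fd, 0, SEEK_SET);

    int sv[2], ok = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { close(fd); return 0; }
    if (send_fd(sv[0], fd) == 0) {
        int got = recv_fd(sv[1]);
        if (got >= 0) {
            char buf[64] = {0};
            ssize_t n = read(got, buf, sizeof buf - 1);
            off_t off = lseek(fd, 0, SEEK_CUR);   /* original sees the shared offset */
            ok = n == (ssize_t)strlen(payload) && strcmp(buf, payload) == 0
                 && got != fd && off == (off_t)strlen(payload);
            close(got);
        }
    }
    close(sv[0]); close(sv[1]); close(fd);
    return ok;
}

/* A plain message with no descriptor attached must not be accepted as a token. */
int plain_message_rejected(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    int rejected = send(sv[0], "x", 1, 0) == 1 && recv_fd(sv[1]) == -1;
    close(sv[0]); close(sv[1]);
    return rejected;
}

int main(void) {
    printf("delegated descriptor usable: %s\n", delegate_token_demo() ? "yes" : "no");
    printf("plain message rejected: %s\n", plain_message_rejected() ? "yes" : "no");
    return 0;
}
```

The point the demo makes about composition is that the received descriptor is a new number in the recipient's table but the same open file description: offset and status flags are shared, so whatever the sender later does with its copy is visible to the holder of the token. That is exactly the kind of property that has to be reasoned about before a descriptor can stand in for a privilege, and why a UID-to-descriptor mapping would need a clear story for what "sharing" means.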
