[Python-Dev] Re: rexec.py unuseable
Nick Coghlan
ncoghlan at iinet.net.au
Wed Dec 17 07:20:17 EST 2003
Luke Kenneth Casson Leighton wrote:
> i'd like to introduce you to a new concept which is idential
> in form to an ACL - access control list - except that instead
> of "users" being allowed or denied access to perform certain
> operations you have instead _functions_ being allowed or
> denied access to perform certain operations.
I don't think this discussion is going to get anywhere until you _do_
take the time to understand the difference between the model you are
proposing and the capability model that seemed to be preferred the last
time executing untrusted Python code safely was discussed.
ONE LINE SUMMARIES
ACL/CCL/whatever you want to call it:
Access the feature, then have permission either granted or denied
Capabilities:
If you can access it, you have permission to use it.
If you aren't allowed to use it, you won't even be able to see it.
Below is my attempt at explaining in more detail the difference between
the two as I understand it. I must admit I am quite curious about the
fact that you seem to have plenty of time to _write_ about your
proposal, but no time to listen to some quite reasonable responses.
ACCESS CONTROL LISTS
An access control list is neutral to what a 'user' is, so I'll switch to
the term 'Entity' instead. The important part is that it is a mapping:
"Entity X is allowed to perform action Y on other Entity Z".
It serves as a post hoc check - _after_ Entity X tries to do Y to Z, the
control list for Y & Z is checked, then X is either allowed to proceed,
or told to rack off, depending on what the control list reports. That
is, just because X _can_ try to perform action Y on Z (the relevant
method or whatever is accessible to X), doesn't mean that X _may_
perform action Y (the control list grants permission to X).
With control lists, the concepts of access to a feature, and permission
to use that feature, are handled separately. E.g. I can try to delete
the windows directory on my machine at work (I have access to that
directory, and access to the delete command), but I'm not an
administrator, so the attempt will fail (I don't have permission to
delete that directory). This is exactly what you are describing, even
though the users are 'functions' rather than 'logged in users'.
CAPABILITIES
Capabilities work differently. Instead of applying a post-hoc check that
slows down _every_ attempt to perform an action, they unify the concepts
of 'can' and 'may'. If X is able to express the command "do Y to Z",
then X is also _permitted_ to do Y to Z. No post-hoc checks required.
For example, suppose I wasn't allowed to open writable files.
I call:
>>> target = file("myfile.txt", "w")
With ACL's, I would get an error along the lines of:
AccessDenied: No permission to open writable files
With capabilities, I would get an error along the lines of:
InvalidArgument: "w" is not a recognised file mode
Does this make any more sense?
Cheers,
Nick.
--
Nick Coghlan | Brisbane, Australia
Email: ncoghlan at email.com | Mobile: +61 409 573 268
More information about the Python-Dev
mailing list