[Python-Dev] Re: Capabilities
Guido van Rossum
Sun, 09 Mar 2003 20:10:36 -0500
> 3. A standard library that follows the Principle of Least
> Privilege. That is, a library full of tools that you can extend to
> an object in order to empower it to do specific things
> (e.g. __builtin__.abs(), os.times(), ...) without thereby also
> empowering it to do other things (e.g. __builtin__.file(),
> os.system(), ...). Python doesn't have such a library.
> Now the Principle of Least Privilege approach to making a library
> safe is very different from the "sandbox" approach. The latter is
> to remove all "dangerous" tools from the toolbox (or in our case, to
> have them dynamically disabled by the "restricted" bit which is
> determined by an overridable policy). The former is to separate the
> tools so that dangerous ones don't come tied together with common
> ones. The security policy, then, is expressed by code that grants
> or withholds capabilities (== references) rather than by code that
> toggles the "restricted" bit.
This sounds interesting, but I'm not sure I follow it. Can you
elaborate by giving a couple of examples?
> Of course, you can start by denying the entire standard library to
> restricted code, and then incrementally refactor the library or wrap
> it in Least-Privilege wrappers.
> Until you have a substantial Least-Privilege-respecting library you
> can't gain the big benefit of capabilities -- code which is capable
> of doing something useful without also being capable of doing harm.
> (You can gain the "sandbox" style of security -- code which is
> incapable of doing anything useful or harmful.)
> This requirement also means that there can be no "ambient authority"
> -- authority that an object receives even if its creator has given
> it no references.
Again, I would perhaps understand this if you gave a specific
example. Is it like suid in Unix?
> P.S. I learned this three-part paradigm from Mark Miller whose
> paper with Chip Morningstar and Bill Frantz articulates it in more
The paper didn't seem immediately relevant, or perhaps it's too
long-winded and I gave up before it touched upon the relevant
--Guido van Rossum (home page: http://www.python.org/~guido/)