[Python-Dev] Re: rexec.py unuseable (original) (raw)

Nick Coghlan ncoghlan at iinet.net.au
Wed Dec 17 07:20:17 EST 2003

Luke Kenneth Casson Leighton wrote:

i'd like to introduce you to a new concept which is idential in form to an ACL - access control list - except that instead of "users" being allowed or denied access to perform certain operations you have instead functions being allowed or denied access to perform certain operations.

I don't think this discussion is going to get anywhere until you do take the time to understand the difference between the model you are proposing and the capability model that seemed to be preferred the last time executing untrusted Python code safely was discussed.

ONE LINE SUMMARIES

ACL/CCL/whatever you want to call it: Access the feature, then have permission either granted or denied

Capabilities: If you can access it, you have permission to use it. If you aren't allowed to use it, you won't even be able to see it.

Below is my attempt at explaining in more detail the difference between the two as I understand it. I must admit I am quite curious about the fact that you seem to have plenty of time to write about your proposal, but no time to listen to some quite reasonable responses.

ACCESS CONTROL LISTS An access control list is neutral to what a 'user' is, so I'll switch to the term 'Entity' instead. The important part is that it is a mapping: "Entity X is allowed to perform action Y on other Entity Z".

It serves as a post hoc check - after Entity X tries to do Y to Z, the control list for Y & Z is checked, then X is either allowed to proceed, or told to rack off, depending on what the control list reports. That is, just because X can try to perform action Y on Z (the relevant method or whatever is accessible to X), doesn't mean that X may perform action Y (the control list grants permission to X).

With control lists, the concepts of access to a feature, and permission to use that feature, are handled separately. E.g. I can try to delete the windows directory on my machine at work (I have access to that directory, and access to the delete command), but I'm not an administrator, so the attempt will fail (I don't have permission to delete that directory). This is exactly what you are describing, even though the users are 'functions' rather than 'logged in users'.

CAPABILITIES Capabilities work differently. Instead of applying a post-hoc check that slows down every attempt to perform an action, they unify the concepts of 'can' and 'may'. If X is able to express the command "do Y to Z", then X is also permitted to do Y to Z. No post-hoc checks required.

For example, suppose I wasn't allowed to open writable files.

I call:

target = file("myfile.txt", "w")

With ACL's, I would get an error along the lines of: AccessDenied: No permission to open writable files

With capabilities, I would get an error along the lines of: InvalidArgument: "w" is not a recognised file mode

Does this make any more sense?

Cheers, Nick.

-- Nick Coghlan | Brisbane, Australia Email: ncoghlan at email.com | Mobile: +61 409 573 268

More information about the Python-Dev mailing list