Security-related things of Capabilities

Source: Internet
Author: User

Surging clouds

I don't really know what to call this topic, so I'll just write down a few notes.

I saw an article yesterday:

Is Role Based Access Control dead?


This section describes the impact of the Role-Based Access Control solution.
To illustrate this point, consider the following situation.

You have just completed coding a wonderful project management application for Big Humungous Inc. that filled all the requirements, is unhackable, and even has a list of features far exceeding the client's requests. One day you receive a call that your client is creating a special group of representatives that need to have administrative access to customer accounts that belong to Group A between 2 and 3 every Monday, Wednesday, and Friday.

Now you have a problem. A role is an all-or-nothing access mechanic. So you can't just add the users to the Administrator Role, so your only option is to go back into the code and add a new check in the code that says am I in this role, and do I meet all these other requisites to do the requested action. Then you need to implement that code in every place where you would normally ask is the user an administrator?


Problems like this keep multiplying, and Role Based Access Control cannot keep up with increasingly flexible requirements.

Therefore, the author proposes Context-Based Access Control.

However, I think this is a manifestation of Capability based Security.

There are two mainstream access control methods: one is the Access Control List (ACL), the other is Capabilities.

On Wikipedia, Capability based Security and POSIX Capabilities in the Linux Kernel are covered separately, but I think they are similar in nature.

An important article about ACL and capabilities in EROS:

Comparing ACLs and Capabilities

For more information about Capabilities in Linux Kernel, see:

Taking Advantage of Linux Capabilities
Linux Capabilities FAQ 0.2

Introduction to Linux Capabilities and ACLs


A capability is mainly understood as the ability of a subject (which can be a user or a process) to access an object (which can be a file or another resource).

In Linux Capabilities, the object descriptor and an access permission identifier (such as RW) must be included.

A capability is a very special kind of token, generally protected by some technique against forgery and tampering.

An object recognizes only capabilities, not persons. Whoever holds the capability can access the object.

This idea often comes up together with the confused deputy problem, which is used to describe the limitations of ACLs.

The most famous example of confused deputy problem is CSRF.

This makes the idea easy to understand. In the CSRF solution, we add an unpredictable token. To request the URL, all that is checked is whether the token is valid.

This token can be understood as a capability: the ability to access the data.
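
The capability idea described above, as an added example that is not from the original article: an HMAC-protected token carries the object descriptor, the permitted rights and an expiry, and the guard decides from the token alone, never from the caller's identity. The key, the token layout and the names `mint`, `check`, `b64e` and `b64d` are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: known only to the server

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(obj, rights, ttl, now=None):
    """Issue a capability: object descriptor + rights (e.g. "RW") + expiry."""
    now = time.time() if now is None else now
    body = json.dumps({"obj": obj, "rights": rights, "exp": now + ttl},
                      sort_keys=True).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(tag)

def check(token, obj, right, now=None):
    """Guard for an object: decides from the token alone, not from identity."""
    now = time.time() if now is None else now
    try:
        body_part, tag_part = token.split(".")
        body, tag = b64d(body_part), b64d(tag_part)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return False
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or tampered with
    claims = json.loads(body)
    return (claims["obj"] == obj and right in set(claims["rights"])
            and now < claims["exp"])

if __name__ == "__main__":
    # Constructed sample: one-hour read-only capability for one account.
    cap = mint("accounts/group-a/42", "R", ttl=3600)
    print(check(cap, "accounts/group-a/42", "R"))   # holder may read
    print(check(cap, "accounts/group-a/42", "W"))   # right not granted
    body, tag = cap.split(".")
    forged = b64e(b64d(body).replace(b'"R"', b'"RW"')) + "." + tag
    print(check(forged, "accounts/group-a/42", "W"))  # tampering detected
```

The expiry field is also where a time-limited grant, like the one in the quoted scenario, would live: the token stops working by itself, which touches on the invalidation problem raised at the end of this post.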

Back to the problem of Role Based Access Control: current flexibility requirements are increasingly difficult to meet. The "horizontal permission control" problem that I mentioned in WEB Application Security Design Philosophy shows the difficulty of Role Based Access Control.

Maybe we need to design a new access control system to solve this problem, and Capabilities Based Security brings a glimmer of light.

However, capabilities also have their own problems, such as distribution, recycling, invalidation and sharing. How to manage capabilities better and more rationally will bring new challenges.
