filenames with a '/' -- help

John F. Haugh II jfh at rpp386.cactus.org
Tue Feb 6 16:26:14 AEST 1990 

In article <25C7178C.6F8 at marob.masa.com> cowan at marob.masa.com (John Cowan) writes:
>Not quite.  What 'open' would really do under this scheme would be to accept
>a >capability< for a directory, plus a file name, and return a capability
>for the file in question.  A capability differs from an inode because it
>contains coded information that validates the user's access rights.
>A program (or shared library) would be handed two capabilities to start with:
>one for the root, one for the current directory, and would be able to do
>filename parsing given those operations.
>
>A reasonable way to implement capabilities would be to use the inode plus
>some random bits.  For each capability, the kernel must retain a copy of it,
>and whenever a capability is passed in, the kernel checks whether it is
>valid.  This makes Unix permissions syntax easy to arrange by having different
>capability-bit combinations for the various permission rights.  Naturally,
>the relation between the permissions themselves and the bits should be
>protected by a cryptographically strong transformation....

There is no reason to get crypto with this problem, unless you plan on
passing "capabilities" around like candy.  Remember that a file descriptor
is also a "capability" and it doesn't have to be encrypted to be kept
from evil doers.

In the scenario you suggest, the kernel is still performing the directory
lookup, so it can maintain a table of "currently available capabilities".
Kinda like the open file table, only different.  A user requests a file
name translation and receives back an index into their capability table.
They can then hand that "capability" back and request a file descriptor
or whatever.  The in-core inode pointed to by the capability table would
contain all of the permission bits, just as inodes do today.

Two problems arise.  First, we are back to having the kernel perform the
filename to inode translation, so there are going to be "arbitrary"
decisions which someone is going to complain about.  Second, the number
of currently active capabilities would have to be limited on a per-process
basis simply to avoid having someone request a capability for every file
on the system.  The "find" command sounds like a candidate.

Finally, the worst of all this mess is that each component in a filename
must be translated separately, or else an array of pointers to pathname
pieces is going to have to be passed in.
-- 
John F. Haugh II                             UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832                           Domain: jfh at rpp386.cactus.org

More information about the Comp.unix.wizards mailing list