Ambient authority

Ambient authority is a term used in the study of access control systems.

Definition

A subject, such as a computer program, is said to be using ambient authority if it only needs to specify the names of the involved object(s) and the operation to be performed on them in order for a permitted action to succeed.

In this definition,
- a "name" is any way of referring to an object that does not itself include authorising information, and could potentially be used by any subject;
- an action is "permitted" for a subject if there exists any request that that subject could make that would cause the action to be carried out.

The authority is "ambient" in the sense that it exists in a broadly visible environment (often, but not necessarily, a global environment) where any subject can request it by name.

Example

For example, suppose a C program opens a file for read access by executing the call:

open("filename", O_RDONLY, 0)

The desired file is designated by its name on the filesystem, which does not by itself include authorising information, so the program is exercising ambient authority. Whether the call succeeds is decided by the kernel from the calling process's identity (its effective user and group IDs, and any supplementary groups) checked against the file's permission bits or access control list; nothing in the call itself states which authority the program intended to use, and the program only learns that it had (or lacked) access from the return value. (The third argument is a creation mode and is ignored unless O_CREAT is also passed.)

Uses

When ambient authority is requested, permissions are granted or denied based on one or more global properties of the executing program, such as its identity or its role. In such cases, the management of access control is handled separately from explicit communication to the executing program or process, through means such as access control lists associated with objects or through Role-Based Access Control mechanisms. The executing program has no means to reify the permissions that it was granted for a specific purpose as first-class values. So, if the program should be able to access an object when acting on its own behalf but not when acting on behalf of one of its clients (or, on behalf of one client but not another), it has no way to express that intention. This inevitably leads to such programs being subject to the confused deputy problem.

The term "ambient authority" is used primarily to contrast with capability-based security (including object-capability models), in which executing programs receive permissions as they might receive data, as communicated first-class object references. This allows them to determine where the permissions came from, and thus avoid the confused deputy problem. However, since there are additional requirements for a system to be considered a capability system besides avoiding ambient authority, "non-ambient authority system" is not just a synonym for "capability system".

Ambient authority is the dominant form of access control in computer systems today. The user model of access control as used in Unix and in Windows systems is an ambient authority model because programs execute with the authorities of the user that started them. A setuid executable is the sharpest form of this: it runs with the authority of the file's owner rather than of the user who started it, while still designating the files it touches by name, which is precisely the setting in which a client can steer it towards objects the client could not reach on its own. This not only means that executing programs are inevitably given more permissions (see Principle of least privilege) than they need for their task, but that they are unable to determine the source or the number and types of permission that they have. A program executing under an ambient authority access control model has little option but to designate permissions and try to exercise them, hoping for the best. This property requires an excess of permissions to be granted to users or roles in order for programs to execute without error.
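The open() call from the Example section and the deputy scenario from the Uses section, carried into a runnable C program. This is an added example, not code from the article or from any of its sources: the function names (read_by_name, read_by_fd, send_fd, recv_fd, demo), the temporary-file path and the "client data" payload are my own constructions, and the program assumes a Linux or other POSIX system with Unix-domain sockets and SCM_RIGHTS descriptor passing. The name-based path is the ambient-authority deputy of the article; the descriptor-based path is the file descriptor used as a capability, which the deputy can inspect (with fcntl F_GETFL) before relying on it.

```c
/* Added example, not from the article or its sources: a deputy exercising
 * ambient authority next to one handed a file descriptor as a capability. */
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Ambient authority: the caller supplies a name and open() decides using the
 * deputy's own identity. The deputy cannot tell whether its client may read
 * the file, nor what access it will get, until the call has been attempted. */
int read_by_name(const char *path, char *buf, size_t len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0'; return (int)n;
}

/* Capability style: no name, no lookup. The deputy uses only the authority the
 * descriptor carries, and can inspect that authority before relying on it. */
int read_by_fd(int fd, char *buf, size_t len) {
    int fl = fcntl(fd, F_GETFL);
    if (fl < 0 || (fl & O_ACCMODE) != O_RDONLY) return -1; /* not a read right */
    ssize_t n = read(fd, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0'; return (int)n;
}

union fdcb { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; }; /* aligned */

/* Pass a descriptor over a Unix-domain socket with SCM_RIGHTS. The kernel
 * installs a duplicate in the receiver: the right itself crosses, not a name. */
int send_fd(int sock, int fd) {
    char byte = 'F'; struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcb cb; memset(&cb, 0, sizeof cb);
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cb.buf, .msg_controllen = sizeof cb.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor sent by send_fd; returns the new fd or -1. */
int recv_fd(int sock) {
    char byte; struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcb cb; memset(&cb, 0, sizeof cb);
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cb.buf, .msg_controllen = sizeof cb.buf };
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* One-process demo: the "client" writes a file (constructed sample input), opens
 * it read-only and hands that descriptor to the "deputy" over a socketpair.
 * Returns 1 when the deputy read the bytes through the passed descriptor,
 * refused a write-only one, and the ambient open() by name also worked (it does
 * here only because the deputy runs under the same uid as the client). */
int demo(void) {
    char path[] = "/tmp/ambient-auth-XXXXXX", buf[64];
    const char *payload = "client data\n";
    int sv[2], ok = 0, fd = mkstemp(path);
    if (fd < 0) return 0;
    if (write(fd, payload, strlen(payload)) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        close(fd); unlink(path); return 0;
    }
    close(fd);
    int ro = open(path, O_RDONLY), wo = open(path, O_WRONLY); /* client's own rights */
    if (ro >= 0 && wo >= 0 && send_fd(sv[0], ro) == 0) {
        int got = recv_fd(sv[1]);
        if (got >= 0) {
            ok = read_by_fd(got, buf, sizeof buf) > 0 && strcmp(buf, payload) == 0
                 && read_by_fd(wo, buf, sizeof buf) == -1
                 && read_by_name(path, buf, sizeof buf) > 0 && strcmp(buf, payload) == 0;
            close(got);
        }
    }
    if (ro >= 0) close(ro);
    if (wo >= 0) close(wo);
    close(sv[0]); close(sv[1]); unlink(path);
    return ok;
}

int main(void) {
    puts(demo() ? "deputy acted on the passed capability only: ok" : "demo failed");
    return 0;
}
```

Build and run with `cc ambient.c -o ambient && ./ambient`. The demo keeps client and deputy in one process so that it runs without privileges; the distinction only bites when the two sides are separate processes with different uids, which is when read_by_name silently uses the deputy's authority on the client's behalf while read_by_fd can only use what it was handed.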