Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!purdue!gatech!rutgers!rochester!kodak!gizzmo!lazlo!mobile!dave
From: dave@mobile.UUCP (David C. Rein)
Newsgroups: comp.unix.wizards
Subject: Re: What kinds of things would you want in the GNU OS?
Summary: Addressing the 'open' issue
Keywords: GNU OS features kernel fun!
Message-ID: <167@mobile.UUCP>
Date: 27 May 89 15:59:58 GMT
References: <106326@sun.Eng.Sun.COM> <1049@snjsn1.SJ.ATE.SLB.COM>
Lines: 39

In article <1049@snjsn1.SJ.ATE.SLB.COM>, johnb@aconcagua (John R. Bashinski) writes:
> In article <106326@sun.Eng.Sun.COM> bitbug (James Buster) writes:
> >What kinds of features or design rationale should it use?
> [..stuff deleted..]
> Glimmerings of a structure: Privileges belong to threads of control; each
> thread has a privilege list. A privilege is represented by a unique
> identifier, which subsumes the functions of both UNIX UIDs and GIDs.
> [..stuff deleted..]
> attributes can be modified by the thread, others can't. A reference
> monitor gets called by whatever implements a file/object to examine
> opens, closes, reads, writes, and control operations. The reference monitor
> is allowed to issue a capability identifier of some kind at object open,
> and can restrict how that capability can be delegated. Whenever an operation
> is attempted on the opened object, the object implementation passes the same
> capability to the reference monitor as part of the information about the
> operation. It may choose to revoke a capability at any time.
>
> Issues: When you open a "file", does the object at the other end get your
> privileges by default? Can you change the default? What code is allowed
> to issue privileges?
> [..more stuff deleted]

A possible solution to this problem could be similar to that of Intel's idea of
'conforming and non-conforming' segments. When the 'object at the other end'
initializes itself, it can also declare whether it's a conforming or
non-conforming object.

So, when you open a "file", the initialization of the object at the other end
would decide the privileges. Perhaps the reference monitor can even let some
users' processes force non-conforming (so run at the high privileges),
determined by the users' profile. Since an object could be analogous to a
device driver, it is a 'situation dependent' decision, and should be handled
by the kernel in a general fashion.

(I just started reading this newsgroup, so if this idea is old, or has been
thrown around before, then sorry for the clutter...)

---
Dave Rein
UUCP: ..!kodak!gizzmo!lazlo!mobile!dave
dcr0801@ritcv
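A toy model of the scheme discussed in this thread (a reference monitor that issues a capability at open, is consulted on every later operation, restricts delegation and can revoke, with each object declaring itself conforming or non-conforming), added here as an illustration; it is not code from the post or from any GNU project. The class names, the privilege ids such as `gid:users` and `priv:spool`, the "users' profile" as a set of thread names allowed to force non-conforming, and the two sample objects are all constructed for the example.

```python
"""Toy reference monitor for the capability scheme sketched in this thread.
Added example, not code from the post or any GNU project; all names are constructed."""
from dataclasses import dataclass
import itertools

@dataclass(frozen=True)
class Thread:                     # a thread of control with its privilege list
    name: str
    privileges: frozenset         # privilege ids subsume UNIX UIDs and GIDs

@dataclass(frozen=True)
class ObjectImpl:                 # whatever implements a file/object, e.g. a driver
    name: str
    conforming: bool              # declared at init: conforming objects run with the
    own_privileges: frozenset     # opener's privileges, non-conforming with their own
    required: dict                # operation -> privilege id the object demands
    open_requires: str = None     # privilege the opener itself must hold, if any

@dataclass
class Capability:
    cap_id: int
    object_name: str
    effective: frozenset          # privileges in force for operations via this cap
    delegable: bool
    revoked: bool = False

class ReferenceMonitor:
    """Consulted by the object implementation at open and on every later operation."""
    def __init__(self, may_force_nonconforming=()):
        self._caps, self._ids = {}, itertools.count(1)
        # The "users' profile": who may force a conforming object to run
        # non-conforming, i.e. at the object's own (higher) privileges.
        self._may_force = frozenset(may_force_nonconforming)

    def open(self, thread, obj, force_nonconforming=False):
        if force_nonconforming and thread.name not in self._may_force:
            raise PermissionError(f"{thread.name} may not force non-conforming")
        if obj.open_requires and obj.open_requires not in thread.privileges:
            raise PermissionError(f"{thread.name} may not open {obj.name}")
        conforming = obj.conforming and not force_nonconforming
        effective = thread.privileges if conforming else obj.own_privileges
        # Delegation restriction: a cap carrying the object's own elevated
        # privileges must not be handed on to another thread.
        cap = Capability(next(self._ids), obj.name, effective, delegable=conforming)
        self._caps[cap.cap_id] = cap
        return cap

    def check(self, cap_id, obj, op):
        """The object passes back the cap it was issued; the monitor decides."""
        cap = self._caps.get(cap_id)
        if cap is None or cap.revoked or cap.object_name != obj.name:
            return False
        need = obj.required.get(op)
        return need is None or need in cap.effective

    def delegate(self, cap_id):
        cap = self._caps.get(cap_id)
        if cap is None or cap.revoked or not cap.delegable:
            raise PermissionError("capability is not delegable")
        new = Capability(next(self._ids), cap.object_name, cap.effective, True)
        self._caps[new.cap_id] = new
        return new

    def revoke(self, cap_id):           # the monitor may revoke at any time
        if cap_id in self._caps:
            self._caps[cap_id].revoked = True

def _allowed(action):                   # True if permitted, False on PermissionError
    try:
        action()
        return True
    except PermissionError:
        return False

def scenario():
    """Run the thread's questions over constructed sample data; return the outcomes."""
    rm = ReferenceMonitor(may_force_nonconforming={"operator"})
    user = Thread("user", frozenset({"uid:user", "gid:users"}))
    operator = Thread("operator", frozenset({"uid:operator", "gid:users", "gid:disk"}))
    # Conforming spooler: writes use the opener's privileges, but control
    # operations need a privilege only the object itself holds.
    spooler = ObjectImpl("spooler", True, frozenset({"priv:spool"}),
                         {"write": "gid:users", "control": "priv:spool"})
    # Non-conforming raw-disk driver: always runs at its own privileges, but
    # only threads holding gid:disk may open it at all.
    disk = ObjectImpl("rawdisk", False, frozenset({"priv:rawdisk"}),
                      {"read": "priv:rawdisk"}, open_requires="gid:disk")
    out = {}
    c1 = rm.open(user, spooler)
    out["user_write"] = rm.check(c1.cap_id, spooler, "write")
    out["user_control"] = rm.check(c1.cap_id, spooler, "control")
    out["user_force"] = _allowed(lambda: rm.open(user, spooler, force_nonconforming=True))
    c2 = rm.open(operator, spooler, force_nonconforming=True)
    out["operator_control"] = rm.check(c2.cap_id, spooler, "control")
    out["delegate_elevated"] = _allowed(lambda: rm.delegate(c2.cap_id))
    c3 = rm.delegate(c1.cap_id)
    out["delegated_write"] = rm.check(c3.cap_id, spooler, "write")
    rm.revoke(c1.cap_id)
    out["after_revoke"] = rm.check(c1.cap_id, spooler, "write")
    out["user_disk_open"] = _allowed(lambda: rm.open(user, disk))
    c4 = rm.open(operator, disk)
    out["operator_disk_read"] = rm.check(c4.cap_id, disk, "read")
    return out

if __name__ == "__main__":
    print(scenario())
```

Two design points worth noticing in this model: the answer to "does the object get your privileges by default" is fixed by the object's own declaration, with the profile deciding who may override it, and the delegation rule falls out of the same bit (only capabilities that carry the opener's own privileges may be passed on). Revocation here is per capability, so a delegated copy survives revocation of its parent; a real monitor would want to track the delegation chain and revoke it as a unit.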