[Info-vax] VMS Privileges Versus Linux Capabilities
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Jun 16 16:53:17 EDT 2016
On 2016-06-15, lawrencedo99 at gmail.com <lawrencedo99 at gmail.com> wrote:
> Do these <http://man7.org/linux/man-pages/man7/capabilities.7.html> look familiar? Certainly the basic concept is similar, even if the details vary.
>
> Just like VMS privileges, a lot of the divisions seem more designed
> to guard against accidents rather than prevent outright malice.
In VMS land, the privileges are (mostly) designed to prevent abuse of
the system and AFAICS the Linux capabilities could likewise be abused.

The difference between the models is that in VMS there's no such thing
as a fully privileged image or fully privileged user at least in the
sense that is meant under Unix so you don't have to worry about emulating
a root account or suid binaries under VMS.

You can get the same effect by turning on all the privileges but there's
no single bit that turns them on all at once.

BTW, and IMHO, the use of the word capability causes confusion with real
capability-based security which is where I first encountered the term.

Some background reading for those unfamiliar with capability-based
security:

https://en.wikipedia.org/wiki/Capability-based_security

Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world