GNU Hurd/ capability

Welcome to... ... the GNU Hurd!

A capability is a protected reference. It is a reference in that it designates an object; it is protected in that in cannot be forged. A capability both designates the object it refers to and carries the authority to manipulate it.

By binding designation and ?authorization together, capabilities simplify ?delegation. Imagine that program instance A wants to tell program B to use a particular file to store some data. Further imagine that A and B are running in different ?trust domains (e.g., with different UIDs). If A sends B just the name of the file, B needs to first ensure that he does not accidentally enable A to access the file on his own authority. That is, B wants to protect against A hijacking his authority. (This problem is refused to the confused deputy problem.) Also, since A likely sent a string to identify the file to B, the identifier lacks a naming context and therefore may resolve to a different object than A intended. By ensuring that designation and ?authorization are always bound together, these problems are avoided.

Capability-based system architectures strive to meet the principle of least privilege (Wikipedia, principle of least privilege).

A capability mechanism is typically implemented in software by the operating system kernel (typically a microkernel). The computing cost (as compared to a hardware implementation) is neglectable.

UNIX

UNIX file descriptors can be viewed as capabilities. They do not survive reboot, that is, they are not persistent. To work around this, ?ACLs are used to recover authority.

GNU/Hurd

In the GNU/Hurd system, a capability is represented by a Mach port. As in UNIX (see above), they are not persistent.

IRC, freenode, #hurd, 2013-07-01

<nlightnfotis> I have read plenty of documents, and wrapped my head around
  most Hurd concepts, but I still have not understood well what
  capabilities are.
<youpi> Mmm, which capabilities?
<youpi> AIUI, the Hurd doesn't really have a notion of capabilites, just a
  notion of owning a port right
<nlightnfotis> From what I have understood (from the critique) they
  reference ports so they objects can be referenced via them
<youpi> (which provides processes a way for doing things)
<youpi> ok, so we are talking about the same thing, I guess
<nlightnfotis> ahh, that's cool. I thought there was more to the story that
  I couldn't understand

Further Reading

shapiro capintro 1999: What is a Capability, Anyway?, Jonathan Shapiro, 1999. This is an easily readable introduction with good examples. In the author's own words, the text provides a layman's introduction to capabilities, describing what they are, what they do, and why they result in better security than today's computer systems.