Several years ago (Oct. 1988, Operating Systems Review, vol. 22) I published “The Confused Deputy” describing a security problem from the late 60’s that I claimed had not yet been solved. My description of the problem was ambiguous and some readers have thus misunderstood the original problem. My fault. The misconstrued problem illustrates the original dilemma as well however.

In his annotations to this copy of the original paper Hal Finney very reasonably presumes that the compiler is intended to write on the file (SYSX)BILL and suggests that the access list for (SYSX)BILL include the compiler’s “owner” and that the compiler use the Unix setuid function when it needs to write on (SYSX)BILL.

It seems to me that setuid solves the original narrow problem even without access lists, for it is not against compiler malfeasance that we must guard, but inability of the trusted compiler to express its intent. With setuid, the compiler may indicate just when it intends to act on its own authority and when on the user’s authority.

setuid, however, must name a category of authority from a small ad hoc list of possibilities. The proliferation of alternate user IDs associated with a Unix process suggests a piecemeal attack on a problem that capabilities solve in one fell swoop. Here we explore the confused deputy’s problem in the context of Solaris. (Try “man acl” at a command prompt in Solaris. AIX has similar features by other names.)

In fact the compiler was not programmed to write on (SYSX)BILL but only to write some files in the SYSX directory to inform the compiler author. It was in the same directory as (SYSX)BILL merely because disk space was dear and there was overhead to a directory. Tymshare went commercial with a 16MB disk!

See this about a similar incident.