Several years ago (Oct. 1988, Operating Systems Review, vol. 22) I published “The Confused Deputy” describing a security problem from the late 60’s that I claimed had not yet been solved. My description of the problem was ambiguous and some readers have thus misunderstood the original problem. My fault. The misconstrued problem illustrates the original dilemma nearly as well however.

In his annotations to this copy of the original paper Hal Finney very reasonably presumes that the compiler is intended to write on the file (SYSX)BILL and suggests that the access list for (SYSX)BILL include the compiler’s “owner” and that the compiler use the Unix setuid function when it needs to write on (SYSX)BILL.

It seems to me that setuid solves the original narrow problem even without access lists, for it is not against compiler malfeasance that we must guard, but inability of the trusted compiler to express its intent. With setuid, the compiler may indicate just when it intends to act on its own authority and when it acts by the user’s authority.

setuid, however, must name a category of authority from a small ad hoc list of possibilities. The proliferation of alternate user ID’s associated with a Unix process suggests a piecemeal attack on a problem that capabilities solve in one fell swoop. Here we explore the confused deputy’s problem in the context of Solaris. (Try “man acl” at a command prompt in Solaris. AIX has similar features by other names.)

See this about a similar incident.