Access control lists are more flexible than User,Group,World type permissions, but are nowhere as powerful or composable as capabilities.
[Edit] - Example: On a linux machine, how could you give access to only one file in the whole system? Answer: By setting the permissions on every single file other than the one in question to deny access. Set the permission to allow access on the one file you care to share.
With Capabilities, the token IS the permission... and it doesn't really take much to implement it, once you completely grok the idea.
[Edit] - Example: On a linux machine, how could you give access to only one file in the whole system? Answer: By setting the permissions on every single file other than the one in question to deny access. Set the permission to allow access on the one file you care to share.
With Capabilities, the token IS the permission... and it doesn't really take much to implement it, once you completely grok the idea.