Hacker News

Veserv, today at 3:23 PM (1 reply)

The difference between ambient authority systems, like Windows and Linux, and capability systems is the difference between a program that only uses global variables and a program that uses local variables and function parameters.

In a capability system, you pass resource capabilities to subsystems. You cannot use resource handles that were not passed to you, just like a function cannot access variables that were not passed to it (except for explicit global variables).

In ambient authority systems, as a common example, you can just blindly convert what are effectively strings into resource handles (the metaphorical equivalent of casting integers to raw pointers). Your access is mediated by an orthogonal system that tells you which resource handles/pointers you are allowed to use. That is like having a program that checks at runtime that every pointer access is allowed, instead of just preventing you from manufacturing pointers.

You coordinate across subsystems by naming certain resources in the global ambient space in a coordinated fashion (effectively a global variable, which is basically just a named memory location in the common memory space). That way the subsystem knows which global you put its parameters/resources in.

While you can still program like that, everybody now knows it is a terrible way to live. Parameter passing and local variables, with explicit global variables, are almost always the way to go. That same lesson should be learned for operating systems.


Replies

amavect, today at 5:55 PM

I too would like an OS where called programs don't need to call open() on strings. The shell already has <input >output redirection, but it is hamstrung, so few ever use it. So many programs recreate the functionality with -i -o in some manner to make up for the flaws (read multiple inputs, avoid creating a file on error). Graphical programs could request an fd from a trusted file picker instead of requesting a string to call open() on immediately after. That just scratches the surface; there is so much security and convenience to gain.
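The "handle passed in, not string opened" pattern from both comments above, as an added example that is not code from either commenter: on Linux an already-open descriptor can be handed from a trusted picker process to an application process over a Unix-domain socket with SCM_RIGHTS, so the application reads the user's file without ever seeing a path. The function names (send_fd, recv_fd, picker_serve, app_consume, run_demo), the temporary file and its contents are all assumptions made for this example.

```c
// Added example, not code from the thread: the "trusted file picker" pattern
// on Linux. The picker process keeps the ambient authority to open() a path;
// the application process receives only an already-open descriptor over a
// Unix socket (SCM_RIGHTS) and never handles a path string. Names are ours.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pass one descriptor over a Unix-domain socket. Returns 0 on success. */
int send_fd(int sock, int fd) {
    char byte = 'F';  /* SCM_RIGHTS must ride along with at least one data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new local fd, or -1 if none arrived. */
int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Picker side: the only place a path string becomes a handle. Opening read-only
 * means the capability handed out cannot create or truncate the file. */
static void picker_serve(int sock, const char *chosen_path) {
    int fd = open(chosen_path, O_RDONLY | O_CLOEXEC);
    if (fd >= 0) { send_fd(sock, fd); close(fd); }
}

/* Application side: reads whatever descriptor it was handed. No path is
 * visible here; the fd is the only authority the app holds. */
static ssize_t app_consume(int sock, char *out, size_t outlen) {
    int fd = recv_fd(sock);
    if (fd < 0) return -1;
    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return n;
}

/* Constructed demo: a temp file stands in for the user's chosen document. The
 * picker runs in a forked child so it has its own address space; the app
 * (the parent) never sees the path. Returns bytes read, or -1 on failure. */
ssize_t run_demo(char *out, size_t outlen) {
    char path[] = "/tmp/picker-demo-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    const char *content = "hello, capability\n";  /* constructed sample content */
    if (write(tmp, content, strlen(content)) < 0) { close(tmp); unlink(path); return -1; }
    close(tmp);

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { unlink(path); return -1; }
    pid_t pid = fork();
    if (pid < 0) { unlink(path); return -1; }
    if (pid == 0) {                 /* picker process */
        close(sv[0]);
        picker_serve(sv[1], path);
        _exit(0);
    }
    close(sv[1]);                   /* app process */
    ssize_t n = app_consume(sv[0], out, outlen);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    unlink(path);
    return n;
}

int main(void) {
    char buf[64];
    ssize_t n = run_demo(buf, sizeof buf);
    if (n < 0) { perror("demo"); return 1; }
    printf("app read %zd bytes without ever naming a path: %s", n, buf);
    return 0;
}
```

The point of the split is that the descriptor, not the path, is what crosses the trust boundary: the app cannot turn a string into a handle on its own, and to read a second file it has to go back to the picker. In a real deployment the app process would additionally be sandboxed (seccomp, a mount namespace, or similar) so that it really has no ambient open(); this example only shows the hand-off, not the confinement.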