> Although the real problem today is that we need to run programs with less authority than the user running them,
All true; But. What really stopped capability systems is that most users cannot be bothered to grant minimum privilege. Even most developers cannot - we invented containers in part as a way to mitigate the consequences of failing to grant minimum privilege.
As the old saying goes, you go to war with the army you have. I have a bunch of fantastic solutions to all our problems, if only programmers would work 10 times harder for every line of code, and the project managers would be OK with that, and the business funding it would be OK with that, and society would be OK with getting 1/10th the software.
Capabilities-based stuff is really neat, but it's also really complicated to put into practice, and I live in a world where it's often a struggle to get developers to label their brand new REST interface for whether or not it's "admin only". Personally, I think a lot of that "really complicated to put into practice" is essential complexity, not incidental; anytime you sit down and really think about what the optimal permissions scheme around any even slightly non-trivial system ought to be, you generally end up with something pretty complicated. But even if the perfect system existed and you handed it to the real developers we have today, you'd still be working with people who would do whatever the simplest thing they could do to fully bypass the capabilities system is and get on with life without a moment's twinge of conscience.
I don't want to be too hard on the average programmer; contra fashionable cynicism, things are actually getting better on the decade time scale. But at the current pace, "capabilities" are probably still a decade or two away from even being "niche".
I wish I could show this to a Big Data analyst I worked with. He spent all day doing machine learning things but once complained to my team that we were making access control too complicated.
>we invented containers in part as a way to mitigate the consequences of failing to grant minimum privilege
Also because it's extremely difficult to grant minimum privilege on your typical general-purpose OS today. Spawn a new process and the default is that it has all the same authority that you do - it takes a lot of work to dial that down.
This is typically inverted in a capability system: the program only has the authority that you give it.
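The contrast in that comment can be shown on a stock POSIX system with nothing more than file descriptors. The script below is an added illustration, not code from the thread or any project mentioned in it: the parent holds two open files (constructed sample content), then spawns a child either the default way, where the child inherits the parent's whole inheritable descriptor table, or capability style, where `close_fds=True` plus `pass_fds` hands over exactly one descriptor and nothing else. The child program, a hypothetical helper run via `python -c`, reports how many bytes it could read from the descriptor it was given and whether the other descriptor still reaches the secret file (checked by inode so a recycled fd number cannot give a false positive). Requires Python 3 on Linux/macOS, since `pass_fds` is POSIX-only.

```python
import json
import os
import subprocess
import sys
import tempfile

# Constructed sample content standing in for two resources the parent holds:
# one the child is meant to work on, one it has no business touching.
ALLOWED_TEXT = b"report data the child is meant to process\n"
SECRET_TEXT = b"credentials the child should never see\n"

# Hypothetical child program (run via `python -c`). It reads the descriptor it
# was told to use, then probes whether the secret descriptor still refers to
# the secret file. The inode comparison guards against a reused fd number.
CHILD_PROGRAM = r"""
import json, os, sys
allowed_fd, secret_fd, secret_ino = int(sys.argv[1]), int(sys.argv[2]), int(sys.argv[3])
data = os.read(allowed_fd, 4096)
try:
    secret_reachable = os.fstat(secret_fd).st_ino == secret_ino
except OSError:          # EBADF: the descriptor was never handed to us
    secret_reachable = False
print(json.dumps({"bytes": len(data), "secret_reachable": secret_reachable}))
"""


def run_demo(inherit_everything):
    """Spawn a child either with the parent's whole inheritable fd table
    (inherit_everything=True, the general-purpose OS default) or with only
    the one descriptor it needs (capability style). Returns the child's report."""
    with tempfile.TemporaryDirectory() as d:
        allowed_path = os.path.join(d, "report.txt")
        secret_path = os.path.join(d, "secret.txt")
        with open(allowed_path, "wb") as f:
            f.write(ALLOWED_TEXT)
        with open(secret_path, "wb") as f:
            f.write(SECRET_TEXT)

        # os.open() returns non-inheritable descriptors by default (PEP 446).
        allowed_fd = os.open(allowed_path, os.O_RDONLY)
        secret_fd = os.open(secret_path, os.O_RDONLY)
        secret_ino = os.fstat(secret_fd).st_ino
        argv = [sys.executable, "-c", CHILD_PROGRAM,
                str(allowed_fd), str(secret_fd), str(secret_ino)]
        try:
            if inherit_everything:
                # Ambient authority: mark both descriptors inheritable and let
                # the child keep the parent's whole table across exec.
                os.set_inheritable(allowed_fd, True)
                os.set_inheritable(secret_fd, True)
                proc = subprocess.run(argv, close_fds=False,
                                      capture_output=True, text=True, check=True)
            else:
                # Capability style: everything except stdio and the descriptor
                # named in pass_fds is closed before the child program runs.
                proc = subprocess.run(argv, close_fds=True, pass_fds=(allowed_fd,),
                                      capture_output=True, text=True, check=True)
        finally:
            os.close(allowed_fd)
            os.close(secret_fd)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print("default spawn:   ", run_demo(inherit_everything=True))
    print("capability spawn:", run_demo(inherit_everything=False))
```

In the default run the child can still `fstat` the secret descriptor it was never meant to have; in the capability-style run that descriptor is simply absent, while the one it needs works unchanged. Descriptors are the one place ordinary Unix already behaves like a capability system (an open fd is unforgeable and carries its own rights), but note that the child still runs as the same user, so it could reopen the secret by path; closing that ambient hole is exactly the "lot of work" the comment refers to.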