Nico Williams nicowilliams

title	author	date
On the design and implementation of Two Sigma's generic authorization system	Nicolas Williams	October 22, 2025

Abstract

TS Entitlements is a dial-tone and very fast application-level authorization system designed and implemented at Two Sigma Investments, LP which is inspired by labeled security systems, mainly SMACK (the Simplified Mandatory Access Control Kernel), traditional filesystem ACL systems such as NTFS ACLs, role-based access control systems (RBAC), and attribute-based access control systems (ABAC). It could be said that TS Entitlements evolves and "unifies" all of these.

PostgreSQL is Enough

Background and Cron Jobs

Long and Short CLI Options `getopt_long()`-like for Bash

Ever wanted to write bash scripts that can take long option names, but then struggled to have anything like a normal Unix program's handling of long and short options?

Yeah, me too. Finally I wrote a getopts_long() for Bash:

# getopts_long long_opts_assoc_array_name optstring optname args...

Guide to Git Noobies and would-be Power-Users

This is an attempt at a concise guide to git that can help noobies and power users think their way around git. We assume the user knows a little bit about Unix filesystems or, alternatively, programming.

We explain the most essential git concept and then explain a second tier of concepts in terms of that one essential concept, then a third tier of concepts that power users must know (e.g., rebasing). This approach should give the reader all the mental tools needed to make the most of git.

What this is NOT:

this is NOT a git cheat-sheet (though there will be examples);
this is NOT a guide for people who are new to computers in general.

Warning: work in progress. Incomplete

People who have been in security a long time (or even not that long) know that some inputs should be treated as tainted. For example, environment variables from a user should not be used in a set-uid program, inputs from a different user should be validated, etc... Traditionally we say that the environment of a set-uid program is tainted and should not be used (or used with much care).

Therefore we want all set-uid/set-gid programs to treat their environment and user inputs as tainted.

I recently happened upon a very interesting implementation of popen() (different API, same idea) called popen-noshell using clone(2), and so I opened an issue requesting use of vfork(2) or posix_spawn() for portability. It turns out that on Linux there's an important advantage to using clone(2). I think I should capture the things I wrote there in a better place. A gist, a blog, whatever.

This is not a paper. I assume reader familiarity with fork() in particular and Unix in general, though, of course, I link to relevant wiki pages, so if the unfamiliar reader is willing to go down the rabbit hole, they should be able to come ou

	# Viktor Dukhovni's (@vdukhovni) slow rebase, made faster by bisecting, sort of
	#
	# fastrebase BRANCH_TO_REBASE ONTO
	function fastrebase {
	typeset b N

	if (($# > 0)) && [[ $1 = -h \|\| $1 = --help ]]; then
	printf 'Usage: fastrebase BRANCH_TO_REBASE ONTO_HEAD\n'
	printf ' fastrebase # to continue after resolving conflicts\n'
	printf '\n\tfastrebase is a shell function that uses the following\n'

	It took me a while to figure out a generic solution to this problem of
	deepening XML document structure using XSLT. I could not find general
	solutions online (or in the two books on XSLT that I bought), and though
	I never worked out an XSLT 1.0 solution that worked well enough, I did
	find a solution that works perfectly with XSLT 2.0.

	The idiom consists of a template matching <hN>s that applies templates
	to all following-sibling nodes that are not <hN> nodes and whose
	preceding <hN> sibling is the current <hN> (the content of this
	section) and then applies templates to all following-sibling nodes that

	GitHub already stores wikis for repos as... git repos. It'd be nice if they could be in the _same_ git repo, with a naming convention for the wikis' branches (just as with `gh-pages`).

	And if GitHub were to git-back issues, as I mentioned in my previous gist, then all three things could be in the same repo, which would be very convenient.