Insight gained from reading a paper titled "ACLs don't" that is really obvious in retrospect:
the confused deputy problem happens exactly because authority-based systems care about the authority of whoever directly performs an operation, and that intuition/model breaks when there's a *delegation*, i.e. with deputies.
It would be possible to deal with simple delegation, but it won't work when there are multiple levels of it or when there are complex delegation graphs.
Also, this is how socket activation works. systemd (or launchd, or inetd, or what have you) listens on a port or a Unix socket — because, being root, it has rights to. Then it passes a capability — either the bound socket fd, or an individual connection fd — when starting your service. Your service then doesn't have to be privileged, because it doesn't need to be able to open/bind the port/socket.
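The hand-off described in that post, as an added example that is not part of the thread: the "init" side binds the port and passes only the listening fd to a forked child over SCM_RIGHTS (a stand-in for what systemd does when it execs a service), and the child serves a connection without ever calling bind(). The `inherited_listen_fds` helper mirrors the sd_listen_fds convention (LISTEN_PID, LISTEN_FDS, fds starting at 3); the message text and helper names are this example's own.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # systemd places passed sockets at fd 3, 4, ...

def inherited_listen_fds(environ, my_pid):
    """Return the fds systemd handed to this process, or [] if the env
    was meant for a different pid (the LISTEN_PID check guards against
    a grandchild trusting variables it merely inherited)."""
    if environ.get("LISTEN_PID") != str(my_pid):
        return []
    count = int(environ.get("LISTEN_FDS", "0"))
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))

def activated_service(control):
    """Child side: adopt the listening socket it was given and serve one
    connection. No bind(), so no privilege is needed for the port."""
    _msg, fds, _flags, _addr = socket.recv_fds(control, 1, 1)
    listener = socket.socket(fileno=fds[0])
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"hello from the unprivileged service\n")
    listener.close()

def socket_activate():
    """'Init' side: bind, hand the bound socket to a child as a capability,
    then connect as a client to show the child can serve it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # privileged step stays here
    listener.listen(1)
    port = listener.getsockname()[1]
    parent_end, child_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        parent_end.close()
        listener.close()  # drop the fork-inherited copy; use only what is passed
        try:
            activated_service(child_end)
        finally:
            os._exit(0)
    child_end.close()
    socket.send_fds(parent_end, [b"listen-fd"], [listener.fileno()])
    listener.close()  # init keeps nothing it does not need
    with socket.create_connection(("127.0.0.1", port)) as client:
        reply = client.recv(1024)
    os.waitpid(pid, 0)
    return reply

if __name__ == "__main__":
    print(socket_activate().decode().strip())
```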
@xj9 yes; launchd even does this for Mach services. But that's not any news, what is news to me is the realization that this is basically capability passing!