@david_chisnall glob expansion in a library doesn't work with a permission based file system, and definitely not with capabilities. Some of the ukernel research folk tried it long ago and it screws your security model. They moved all sorts of stuff out of Unix kernel models like tty behaviour but glob has to be shell or kernel to happen in the right context as the executed task may not have the rights to do the glob, and in a secure environment often has no business doing file enumeration.

@etchedpixels See the rest of this thread. If you want to do it properly in a capability shell, you need to do the glob expansion and the opening in the shell, so the things you pass in are capabilities to the paths, not just names.

Doing glob expansion in the shell but still passing file arguments as strings solves none of these problems. If you are dropping privileges when running the command then it can make things worse because now the thing doing the glob expansion has different permissions to the thing opening the file and so the open can fail later in difficult-to-debug ways.