Guidelines for writing trusted software


Privilege means ``the ability to override system restrictions.'' This ability is vested in three ways:

There is a problem with the first approach to overriding system restrictions. A user (or command) allowed a reasonably mundane privileged action (for example, reading a protected file without explicit permission) also has permission to perform every other privileged action on the system, including the permission to overwrite all files on the system, add users, kill processes, start and stop network services, mount and unmount file systems, and many other sensitive operations. There is no restriction because there is no way to give a ``little bit of root'' to a user or command. Any process with an effective user-ID of ``0'' (root) is considered omnipotent.

The second and third approaches provide methods of giving a ``little bit of root'' to a user or command, and thus address the problem with the first approach. These approaches can be thought of as ``Administrative Least Privilege'' since they introduce the idea of discrete privileges that are associated with command files and processes.

The second and third approaches dissolve the bond between user identity and privilege, making privilege a process and command attribute instead of a user attribute. This approach makes sense because command behavior is much easier to describe and regulate than user behavior.

Process privileges are contained in two sets, ``working'' and ``maximum.'' The working set contains the privileges in effect at any particular instant. This set controls the restrictions that the process can override at the moment. The procpriv(S) system call allows a command to set or clear privileges in the working set.

The maximum set represents the upper limit of privileges that a process can have in its working set. These privileges have no effect unless they are also in the working set, but they are held in reserve for the command to assert at any time. Using the procpriv system call, a command can clear a privilege in the maximum set but cannot set one.

The privilege set associated with a command's executable file determine what is put in the working and maximum privilege sets when a process executes the command. The file privilege set is called ``fixed.'' Fixed privileges are useful for commands that do privileged things for ordinary users because they are granted unconditionally upon execution. The unconditional nature of fixed privileges, however, means that any program that uses them must strictly enforce all system policies it can override.

Next topic: Trusted facility management
Previous topic: Trust and security

© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 02 June 2005