
Privilege Control Mechanism for UNIX Systems

IP.com Disclosure Number: IPCOM000122704D
Original Publication Date: 1991-Dec-01
Included in the Prior Art Database: 2005-Apr-04
Document File: 3 page(s) / 163K

Publishing Venue

IBM

Related People

Langford, JS: AUTHOR [+2]

Abstract

Disclosed is a design for a privilege control mechanism which allows for implementation of the least privilege principle in UNIX*. Least privilege is a well-respected principle of system design which allows designers to provide 'firewalls' for greater security. As a point of nomenclature, privilege is defined as the ability to affect the integrity of the normal operation of the system. Privilege is normally associated with the authorization to make changes to the static or dynamic data structures used to administer the system.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 38% of the total text.

Privilege Control Mechanism for UNIX Systems

      Disclosed is a design for a privilege control mechanism
which allows for implementation of the least privilege principle in
UNIX*. Least privilege is a well-respected principle of system design
which allows designers to provide 'firewalls' for greater security.
As a point of nomenclature, privilege is defined as the ability to
affect the integrity of the normal operation of the system. Privilege
is normally associated with the authorization to make changes to the
static or dynamic data structures used to administer the system.

      In normal UNIX systems, the privilege mechanism consists of two
components: (1) all privilege is associated with user ID 0; (2) by
means of the setuid mechanism, privilege can be associated with a
program to define a protected subsystem (a program with greater
privilege than its invoker).

      The setuid mechanism in UNIX works as follows. Each process has
three associated user IDs:
         - real user ID: this ID is assigned upon user authentication
(normally at user login) and, for an unprivileged process, cannot be
changed unless the user is reauthenticated. (A process whose effective
user ID is 0 may set all three IDs directly; that is how login itself
establishes the new identity.)
         - saved user ID: this ID will be equal either to the
process's real user ID or to the user ID of the owner of the last
setuid program which was executed by the process.
         - effective user ID: this ID will be equal to either the
real or the saved user ID. It is the effective user ID which is used
in all privilege decisions.
When the user logs into the system, the real, effective and saved
user IDs of the initial process are set to the user's numerical ID on
the system. This ID is usually unique on the system. When new
processes are created, the new process simply inherits the value of
the old process's user IDs. Apart from the toggling described below,
the only time the process's user IDs change is when the process
executes a program whose file is tagged in the file mode as being
setuid.
When a process executes a setuid program file, the process's
effective and saved user IDs are set to the ID of the owner of the
file; the real user ID is unchanged. The process may thereafter
'toggle' its effective ID between its real and saved IDs. At the next
execution of a program, a process may 'bequeath' its acquired rights
to the executed program, provided that this program is not setuid as
well, by setting its effective user ID to the value of the saved user
ID before the execution: the new program starts with that effective
ID, and its saved ID is set from it. (Note that a similar mechanism
applies to the process's group IDs as well, but since it is not used
for privilege, it will not be discussed further.)
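The toggling described above, as an added example that is not part of the IBM disclosure. The 1991 text describes the System V setuid(2) call; this example uses getresuid(2), seteuid(2) and setresuid(2), the interfaces Linux and the BSDs expose for the same three IDs, and assumes a Linux system. Run from a setuid file it shows the saved ID differing from the real one; run from an ordinary file the three IDs are equal and every toggle is a no-op that still succeeds.

```c
/* Added example (not from the IBM disclosure): inspect and toggle the
 * three user IDs of the running process. Assumes Linux or a BSD that
 * provides getresuid/setresuid. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Prototypes stated explicitly so the example builds even if a system
 * header was already included before _GNU_SOURCE took effect. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Fill in the real, effective and saved user IDs. Returns 0 on success. */
int read_ids(uid_t *real, uid_t *eff, uid_t *saved)
{
    return getresuid(real, eff, saved);
}

/* Is any acquired privilege available to this process? True when the
 * saved ID differs from the real one (we were started from a setuid
 * file) or when the effective ID is already 0. */
int privilege_available(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return 0;
    return s != r || e == 0;
}

/* 'Toggle' down: make the effective ID equal to the real ID so that
 * privilege checks are made against the invoking user. The saved ID
 * keeps the acquired identity, so this is reversible. */
int drop_privilege(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (seteuid(r) != 0)
        return -1;
    /* Verify rather than trust: a silently failed seteuid would leave
     * the process running with the acquired identity. */
    return geteuid() == r ? 0 : -1;
}

/* 'Toggle' up: make the effective ID equal to the saved ID again. The
 * kernel permits this because the target matches the saved ID. */
int regain_privilege(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (seteuid(s) != 0)
        return -1;
    return geteuid() == s ? 0 : -1;
}

/* Give up the acquired identity for good by setting all three IDs to
 * the real one. After this, regain_privilege() can no longer recover
 * it. For an unprivileged process each target must equal one of the
 * current real, effective or saved IDs; the real ID always qualifies. */
int drop_privilege_permanently(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (setresuid(r, r, r) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == e && e == s) ? 0 : -1;
}

int main(void)
{
    uid_t r, e, s;
    if (read_ids(&r, &e, &s) != 0)
        return 1;
    printf("real=%u effective=%u saved=%u privileged=%d\n",
           (unsigned)r, (unsigned)e, (unsigned)s, privilege_available());
    if (drop_privilege() == 0 && read_ids(&r, &e, &s) == 0)
        printf("after drop:   effective=%u (saved still %u)\n",
               (unsigned)e, (unsigned)s);
    if (regain_privilege() == 0 && read_ids(&r, &e, &s) == 0)
        printf("after regain: effective=%u\n", (unsigned)e);
    if (drop_privilege_permanently() == 0 && read_ids(&r, &e, &s) == 0)
        printf("after permanent drop: real=effective=saved=%u\n", (unsigned)e);
    return 0;
}
```

To see the toggle do real work, build it, `chown root` the binary, `chmod u+s` it and run it as an ordinary user: the first line shows `real=<you> effective=0 saved=0`, the drop line shows effective back to your own ID with saved still 0, and the regain line shows effective 0 again. The point of checking geteuid() after each seteuid() rather than trusting the return value is that a setuid program which believes it has dropped privilege but has not is exactly the failure mode the mechanism invites.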

      A privileged process, then, is one which either is invoked by a
user whose ID is 0 or executes a program file owned by such a user and
installed with the setuid attribute.
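The definition just given, applied to a program file before it is run, as an added example that is not part of the disclosure. It classifies a file by what executing it would do to the caller's effective user ID: nothing, a switch to a non-zero owner (a protected subsystem in the sense of the text), or a switch to user ID 0 (a privileged process). It assumes a POSIX system; the path in main() is only a placeholder, and the function names are this example's own.

```c
/* Added example (not from the IBM disclosure): classify a program file
 * by the effect executing it would have on the effective user ID, using
 * the definition above: privileged means owner UID 0 plus the setuid
 * mode bit. POSIX stat(2) only. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

enum exec_effect {
    EXEC_ERROR = -1,       /* file missing or not readable */
    EXEC_NO_CHANGE = 0,    /* not setuid: effective ID stays as it is */
    EXEC_SETUID_USER = 1,  /* setuid to a non-zero owner: protected subsystem */
    EXEC_SETUID_ROOT = 2   /* setuid to UID 0: a privileged process */
};

enum exec_effect exec_effect_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return EXEC_ERROR;
    /* Only a regular file's setuid bit takes effect. The kernel also
     * ignores the bit on nosuid mounts and, on Linux, on interpreter
     * scripts; a static check of the inode cannot see either. */
    if (!S_ISREG(st.st_mode) || !(st.st_mode & S_ISUID))
        return EXEC_NO_CHANGE;
    return st.st_uid == 0 ? EXEC_SETUID_ROOT : EXEC_SETUID_USER;
}

/* Effective user ID a process currently running with current_euid
 * would have after executing path. (uid_t)-1 signals an error. */
uid_t euid_after_exec(const char *path, uid_t current_euid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return (uid_t)-1;
    if (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID))
        return st.st_uid;
    return current_euid;
}

int main(int argc, char **argv)
{
    /* Placeholder path: passwd is setuid root on most systems. */
    const char *path = argc > 1 ? argv[1] : "/usr/bin/passwd";
    static const char *names[] = {
        "error", "no change", "setuid (protected subsystem)",
        "setuid root (privileged)"
    };
    enum exec_effect e = exec_effect_of(path);
    printf("%s: %s\n", path, names[e + 1]);
    if (e != EXEC_ERROR)
        printf("effective ID after exec from uid %u: %u\n",
               (unsigned)geteuid(),
               (unsigned)euid_after_exec(path, geteuid()));
    return e == EXEC_ERROR;
}
```

Run it over every file reported by `find / -perm -4000` and the two-level answer (protected subsystem versus privileged) is exactly the monolithic distinction the next paragraph criticises: a setuid-root file confers all of root, not the one operation the program needs.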

      There are a number of shortcomings with this mechanism for
privilege. First, privilege is necessarily monolithic. Because each
and every privileged action in the system is associated with a single
user ID, a process is either fully privileged or fully unprivileged.
This implies that the s...