A Privilege Mechanism for UNIX System V Release 4 Operating Systems

Any multi-user, multi-tasking operating system, such as the UNIX SVR4 Operating System, must provide protection mechanisms that prohibit one user from interfering with another user, or limit the execution of certain system operations that affect critical system resources. These protection mechanisms must also provide the ability to override these restrictions, commonly referred to as privilege. For over twenty years, UNIX-based operating systems have had one such privilege, called "root" or "super-user" which is signified by a process whose effective user ID is 0. The "super-user" has the ability to override the restrictions imposed by these protection mechanisms. In the UNIX System V Release 4 Enhanced Security product this single, omnipotent, privilege is divided into a set of discrete privileges designed to assure that sensitive system services execute with the minimum amount of privilege required to perform the desired task.

This paper describes the privilege control mechanism implemented as part of the UNIX System V Release 4.1 Enhanced Security (SVR4.lES) product. The SVR4.1ES privilege control mechanism separates the privilege mechanism from the access control mechanism, it provides for fine grained control over sensitive operation access by users, and it controls the propagation of privilege from one process to another. Our goals also include accommodating multiple privilege control mechanisms within the UNIX System V kernel. These privilege mechanisms can be "plugged" into the kernel through well defined interfaces, much the same way as UNIX file systems are currently added to the kernel