Suppose a set of files have the following owners, groups, and mode bits (for owner, group, and others) as described below:

Name   Owner    Group     Mode Bits
foo    alice    faculty   rwxr--r--
bar    bob      students  rw-rw-r--
baz    charlie  faculty   rwxrwxrwx
Then, processes running as alice with the group faculty can read, write, or execute foo and
baz, but only read bar. For bar, alice does not match the owner UID (bob), nor does she have the associated group
(students). The process has the appropriate owner to gain all privileges for foo and the appropriate
group to gain privileges to baz.
As described above, the UNIX protection system is a discretionary access control system.
Specifically, this means that a file's mode bits, owner UID, or group GID may be changed by any
UNIX process run by the file's owner (i.e., any process that has the same UID as the file owner). If we trust
all user processes to act in the best interests of the user, then the user's security goals can be enforced.
However, this is no longer a reasonable assumption. Nowadays, users run a variety of processes, some
of which may be supplied by attackers and others of which may be vulnerable to compromise by attackers,
so the user has no guarantee that these processes will behave consistently with the user's security
goals. As a result, a secure operating system cannot use discretionary access control to enforce user
security goals.
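The access decision in the table above and the discretionary relabeling just described, as an added example that is not from the book: a small model (not real kernel code) in which a process carries a UID and a set of GIDs, the kernel selects exactly one permission triple (owner if the UIDs match, else group if any GID matches, else others), and only a process whose UID equals the file's owner may change the mode bits. The files and processes are constructed from the page's table.

```python
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    owner: str      # owner UID (user name used as the identifier here)
    group: str      # group GID
    mode: str       # nine-character string: owner, group, others triples


@dataclass
class Process:
    uid: str
    gids: frozenset = field(default_factory=frozenset)


# Constructed from the table on the page.
FILES = {
    "foo": File("foo", "alice", "faculty", "rwxr--r--"),
    "bar": File("bar", "bob", "students", "rw-rw-r--"),
    "baz": File("baz", "charlie", "faculty", "rwxrwxrwx"),
}


def allowed_ops(proc: Process, f: File) -> set:
    """Operations the process may perform on f.

    UNIX consults exactly one of the three triples: the owner triple when
    the UID matches, otherwise the group triple when a GID matches, and
    otherwise the others triple. A matching owner with a weaker owner
    triple does not fall through to a more permissive group triple.
    """
    if proc.uid == f.owner:
        triple = f.mode[0:3]
    elif f.group in proc.gids:
        triple = f.mode[3:6]
    else:
        triple = f.mode[6:9]
    return {op for op, bit in zip("rwx", triple) if bit != "-"}


def chmod(proc: Process, f: File, new_mode: str) -> bool:
    """Discretionary relabeling: only a process running with the file
    owner's UID may rewrite the mode bits. Returns True on success."""
    if proc.uid != f.owner or len(new_mode) != 9:
        return False
    f.mode = new_mode
    return True
```

Because any process running as bob can call chmod on bar, a compromised process with bob's UID can open bar to everyone, which is the reason the text gives for rejecting discretionary control as a basis for a secure operating system.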
Since discretionary access control permits users to change their files' owner UID and group
GID in addition to the mode bits, file labeling is also discretionary. A secure protection system
requires a mandatory labeling state, so this is another reason that UNIX systems cannot satisfy the
requirements of a secure operating system.
UNIX processes are labeled by trusted services from a set of labels (i.e., user UIDs and group
GIDs) defined by trusted administrators, and child processes inherit their process identity from
their parent. This mandatory approach to labeling processes with identities would satisfy the secure
protection system requirements, although it is rather inflexible.
Finally, UNIX mode bits also include a specification for protection domain transitions, called
the setuid bit. When this bit is set on a file, any process that executes the file will automatically
perform a protection domain transition to the file's owner UID and group GID. For example, if a
root process sets the setuid bit on a file that it owns, then any process that executes that file will
run under the root UID. Since the setuid bit is a mode bit, it can be set by the file's owner, so it
is also managed in a discretionary manner. A secure protection state requires a mandatory transition
state that describes all protection domain transitions, so the use of discretionary setuid bits is insufficient.
The UNIX authorization mechanism controls each process’s access to files and implements protection
domain transitions that enable a process to change its identity. The authorization mechanism runs