4.2. UNIX SECURITY 43
Suppose a set of files have the following owners, groups, and others mode bits as described below.
Name   Owner     Group      Mode Bits
foo    alice     faculty    rwxr--r--
bar    bob       students   rw-rw-r--
baz    charlie   faculty    rwxrwxrwx
Then, processes running as alice with the group faculty can read, write, or execute foo and
baz, but only read bar. For bar, Alice neither matches the owner UID (bob) nor has the associated group
(students), so only the others bits apply. The process has the appropriate owner to gain all privileges for foo and the appropriate
group to gain privileges to baz.
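The decision just walked through is a small algorithm, and it has a wrinkle the prose does not show: UNIX picks exactly one class of bits (owner, else group, else others) and never falls through to a more permissive class. The following added example (not code from the book) models that check over the three files in the table plus one constructed file, quux, whose owner bits are weaker than its group bits; the UIDs and GIDs are written symbolically, and the superuser's override of the discretionary check is deliberately not modelled.

```python
"""Model of the UNIX discretionary access check on mode bits.

Added example, not code from the book. Identities are symbolic strings
rather than numeric UIDs/GIDs; the table values are the ones from the
text, and 'quux' is a constructed extra file.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    name: str
    owner: str   # owner UID (symbolic)
    group: str   # group GID (symbolic)
    mode: str    # nine permission bits as ls -l shows them, e.g. "rwxr--r--"

    def __post_init__(self):
        if len(self.mode) != 9:
            raise ValueError(f"{self.name}: mode must be 9 characters")


@dataclass(frozen=True)
class Process:
    uid: str
    gids: frozenset   # primary plus supplementary groups


def permission_class(proc, f):
    """The single class of bits UNIX consults for this process and file."""
    if proc.uid == f.owner:
        return "owner"
    if f.group in proc.gids:
        return "group"
    return "others"


def permitted(proc, f):
    """Return the granted operations as a string drawn from 'rwx'."""
    offset = {"owner": 0, "group": 3, "others": 6}[permission_class(proc, f)]
    bits = f.mode[offset:offset + 3]
    return "".join(ch for ch in bits if ch != "-")


def can(proc, f, op):
    """True if the process may perform op ('r', 'w' or 'x') on the file."""
    return op in permitted(proc, f)


# The three files from the table, plus one constructed file whose owner
# bits (r--) are weaker than its group bits (rwx).
FILES = {
    "foo": FileRecord("foo", "alice", "faculty", "rwxr--r--"),
    "bar": FileRecord("bar", "bob", "students", "rw-rw-r--"),
    "baz": FileRecord("baz", "charlie", "faculty", "rwxrwxrwx"),
    "quux": FileRecord("quux", "alice", "faculty", "r--rwx---"),
}
ALICE = Process("alice", frozenset({"faculty"}))
BOB = Process("bob", frozenset({"students"}))


def access_report(proc=ALICE, files=FILES):
    """Map each file name to the operations the process is granted on it."""
    return {name: permitted(proc, f) for name, f in files.items()}


if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who.uid, access_report(who))
```

The quux row is the point to remember: even though alice is in faculty and the group bits say rwx, she is the owner, so only r-- applies. A process that needs the group's access cannot get it simply by being the owner.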
As described above, the UNIX protection system is a discretionary access control system.
Specifically, this means that a file's mode bits, owner UID, or group GID may be changed by any
UNIX process run by the file's owner (i.e., any process that has the same UID as the file owner). If we trust
all user processes to act in the best interests of the user, then the user's security goals can be enforced.
However, this is no longer a reasonable assumption. Nowadays, users run a variety of processes, some
of which may be supplied by attackers and others of which may be vulnerable to compromise by attackers,
so the user has no guarantee that these processes will behave consistently with the user's security
goals. As a result, a secure operating system cannot use discretionary access control to enforce user
Since discretionary access control permits users to change their files' owner UID and group
GID in addition to the mode bits, file labeling is also discretionary. A secure protection system
requires a mandatory labeling state, so this is another reason that UNIX systems cannot satisfy the
requirements of a secure operating system.
UNIX processes are labeled by trusted services from a set of labels (i.e., user UIDs and group
GIDs) defined by trusted administrators, and child processes inherit their process identity from
their parent. This mandatory approach to labeling processes with identities would satisfy the secure
protection system requirements, although it is rather inflexible.
Finally, UNIX mode bits also include a specification for protection domain transitions, called
the setuid bit. When this bit is set on a file, any process that executes the file will automatically
perform a protection domain transition to the file's owner UID and group GID. For example, if a
root process sets the setuid bit on a file that it owns, then any process that executes that file will
run under the root UID. Since the setuid bit is a mode bit, it can be set by the file's owner, so it
is also managed in a discretionary manner. A secure protection state requires a mandatory transition
state that describes all protection domain transitions, so the use of discretionary setuid bits is insufficient.
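Because the setuid and setgid bits are ordinary mode bits, the inventory of protection domain transitions on a UNIX system is whatever file owners have chosen to set, and auditing it means reading those bits back from the filesystem. The following added example (not code from the book) does two things: `identity_after_exec` models the identity a process takes on after executing a file with a given `st_mode`, and `find_setuid_files` scans a directory tree for files carrying either bit. The demo creates a constructed temporary tree, sets the setuid bit on one file exactly as any owner can with `chmod`, and shows the scanner catching it.

```python
"""Setuid as a discretionary protection-domain transition.

Added example, not code from the book. The model covers the mode-bit
semantics only: real kernels add conditions (Linux ignores the bit on
nosuid mounts and on interpreted #! scripts), which are out of scope here.
"""
import os
import stat
import tempfile
from pathlib import Path


def identity_after_exec(proc_uid, proc_gid, file_uid, file_gid, mode):
    """Return (euid, egid) a process holds after executing a file.

    With S_ISUID set the effective UID becomes the file owner's UID; with
    S_ISGID set the effective GID becomes the file's group. Otherwise the
    process keeps its own identity, which is the inheritance rule above.
    """
    euid = file_uid if mode & stat.S_ISUID else proc_uid
    egid = file_gid if mode & stat.S_ISGID else proc_gid
    return euid, egid


def set_setuid(path):
    """The discretionary step: a file's owner flips its own setuid bit."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | stat.S_ISUID)


def find_setuid_files(root):
    """List (path, owner_uid, setuid, setgid) for regular files with either bit."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)                    # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((p, st.st_uid,
                              bool(st.st_mode & stat.S_ISUID),
                              bool(st.st_mode & stat.S_ISGID)))
    return sorted(found)


def demo():
    """Build a constructed tree, set setuid on one file, return the hits' names."""
    with tempfile.TemporaryDirectory() as d:
        plain = Path(d) / "plain"
        plain.write_text("#!/bin/sh\necho plain\n")
        plain.chmod(0o755)
        helper = Path(d) / "helper"
        helper.write_text("#!/bin/sh\necho helper\n")
        helper.chmod(0o755)
        set_setuid(helper)                      # owner-level action, no privilege needed
        return [os.path.basename(hit[0]) for hit in find_setuid_files(d)]


if __name__ == "__main__":
    print(identity_after_exec(1000, 1000, 0, 0, 0o4755))   # (0, 1000)
    print(demo())                                          # ['helper']
```

In an audit the interesting output is the combination of a setuid bit with owner UID 0, since that is the file whose execution moves a caller into the root domain; the scanner reports the owner UID alongside each hit for that reason.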
4.2.2 UNIX AUTHORIZATION
The UNIX authorization mechanism controls each process's access to files and implements protection
domain transitions that enable a process to change its identity. The authorization mechanism runs