Guidelines for writing trusted software

Trusted facility management

Historically, the only way a process could acquire privilege was if the value of the effective user-ID was 0, which is traditionally associated with the root login. This acquisition could be accomplished in one of two ways:

With this release, another method of acquiring privilege has been defined. This method is the Trusted Facility Management (TFM) mechanism. TFM provides an interface between users (not privileged) and commands (possibly privileged or requiring privilege). The primary elements of TFM are the tfadmin(1M) command, and the TFM database.

The tfadmin command is invoked with the desired command line as its arguments as in the following example:

tfadmin mount /dev/mydsk /my_mnt_point

The fixed privilege set of the tfadmin command file contains all privileges, so the exec system call turns on all privileges in the resulting process.

But the tfadmin command cannot be executed successfully by every user. To open it to such free access would be a violation of trust. When tfadmin is invoked, the first thing it does is to find out the real identity (real UID) of the invoking user. It then uses that identity to find the user's entry in the TFM Database.

A TFM database contains two pieces of information:

A trusted system may define administrative roles for selected system administrators. Each role may be filled by a different administrator so that no single person handles all sensitive administrative functions. This division of administrative duties into separate roles reduces the chances for misuse of administrative power. All trusted administrators will be associated with at least one role and/or set of privileged commands; a very few administrators may be associated with more than one role, especially at small sites. But most users are not associated with any role.

When tfadmin finds the user's entry, it looks for the requested command in the list of specific commands, and if it does not find it, in the list of roles. Once the command is found and the user's entry verifies that the user is assigned to a role that has the authorization to use that command, tfadmin leaves on the correct privileges (found in the database entry for the command) in its maximum set, but turns off all others, and executes the command. These privileges are propagated across the chain of execution of any child processes.
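The lookup and privilege-narrowing steps described above, as an added model written for this page (not tfadmin's own code, and not the real TFM database format or UnixWare privilege calls): the user, role and privilege names are constructed, and the database is held in plain dictionaries.

```python
"""Model of the tfadmin decision: real UID -> TFM entry -> command -> privileges.

Constructed example. Privileges are modelled as sets of names and the TFM
database as dictionaries; privilege and role names here are illustrative.
"""
from typing import Optional

# Constructed TFM database. Roles map command names to the privileges that
# tfadmin leaves on for that command; users carry their own command list
# plus the roles they are assigned to.
TFM_ROLES = {
    "SOP": {"mount": {"P_MOUNT", "P_DACREAD"}, "umount": {"P_MOUNT"}},
    "OP":  {"shutdown": {"P_SYSOPS"}},
}
TFM_USERS = {
    # real uid: (specific command entries, assigned roles)
    1001: ({"backup": {"P_DACREAD"}}, ["SOP"]),
    1002: ({}, ["OP"]),
}
# Fixed privilege set of the tfadmin file is "all privileges", so the
# process starts with every privilege turned on after exec.
ALL_PRIVS = frozenset({"P_MOUNT", "P_DACREAD", "P_DACWRITE", "P_SYSOPS", "P_OWNER"})


def tfadmin_privs(real_uid: int, command: str) -> Optional[frozenset]:
    """Privileges the command runs with, or None when tfadmin refuses.

    Lookup order follows the text: the user's specific command list first,
    then the command lists of each role the user holds.
    """
    entry = TFM_USERS.get(real_uid)
    if entry is None:
        return None                      # no TFM entry for this real UID
    commands, roles = entry
    granted = commands.get(command)
    if granted is None:
        for role in roles:
            granted = TFM_ROLES.get(role, {}).get(command)
            if granted is not None:
                break
    if granted is None:
        return None                      # user not authorized for command
    # Keep only the privileges the database names for this command in the
    # maximum set; everything else that exec turned on is dropped.
    return frozenset(granted) & ALL_PRIVS


def run_command(real_uid: int, argv: list) -> str:
    """Simulate 'tfadmin <command> args...' for a caller with this real UID."""
    privs = tfadmin_privs(real_uid, argv[0])
    if privs is None:
        return f"tfadmin: {argv[0]}: not authorized for uid {real_uid}"
    return f"exec {' '.join(argv)} with privileges {sorted(privs)}"


if __name__ == "__main__":
    print(run_command(1001, ["mount", "/dev/mydsk", "/my_mnt_point"]))
    print(run_command(1002, ["mount", "/dev/mydsk", "/my_mnt_point"]))
```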

By providing a single point of privileged access to administrative commands and by basing that access on the real identity of the requesting user, tfadmin eliminates the need for privileged IDs and enhances administrative accountability.


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 27 April 2004