Guidelines for writing trusted software

Assigning privileges and special permissions

Privileges are assigned to executable files (commands) based on the needs of the command and the knowledge that the command will not misuse the privileges. These two factors are equally important: Even though a programmer knows that a command will not abuse a particular privilege, the command must need that privilege or it does not get it. Furthermore, even though a command needs a privilege, it must be shown to use the privilege properly or it does not get it.

After determining what privileges a command can have, the next step is to determine whether the command needs privileges that are propagated through tfadmin, or fixed privileges.

Using fixed privilege calls for extremely careful programming. A command with fixed privilege must never use untrusted data for security-relevant decision making. This means that a shell script can never have fixed privilege, since the environment a shell script inherits is untrusted and influences the shell's behavior (a command that uses the system or popen library routines can never have fixed privilege for the same reason). Other possible disqualifications are the following:

Privileges acquired through tfadmin are more carefully controlled, so they do not require the extensive limitations placed on fixed privilege. Any privileged command, however, must uphold system policies when it uses privilege and must obey both the spirit and the letter of the rules of trust described in these guidelines.

Special access rights should be used in favor of privileges wherever possible. A program that needs discretionary access to a well-defined set of files should be setgid to the group to which those files belong. The files should be as accessible as necessary to their group. If, for example, a command needs to read a file foo and read and write a file bar and the group of the files foo and bar is sys, the command should be setgid to sys. The file foo should be readable by group while the file bar should be both readable and writable by group. The P_DACREAD and P_DACWRITE privileges should not be used for this purpose, since they give too much access to the command.

Next topic: Summary
Previous topic: Assigning access controls

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 27 April 2004