Standards Update, IEEE 1003.6: Security Extensions
Jeffrey S. Haemer
jsh at usenix.org
Sat Oct 21 13:06:21 AEST 1989
An Update on UNIX* and C Standards Activities
September 1989
USENIX Standards Watchdog Committee
Jeffrey S. Haemer, Report Editor
IEEE 1003.6: Security Extensions Update
Ana Maria de Alvare <anamaria at lll-lcc.llnl.gov> reports on the July
10-14, 1989 meeting, in San Jose, California:
P1003.6 (security) is split into four main groups: privileges,
mandatory access control (MAC), audit, and discretionary access
control (DAC). In addition, there is a definitions group, whose
charter is to define terms and to ensure that definitions used by
1003.6 do not clash with definitions in other 1003 groups.
1. DEFINITIONS
The definitions group reviewed all definitions new to draft two.
The majority were from the audit group and were approved.
Amusingly, the lone exception was the definition of "audit",
which included an interpretation of an audit record; the
definition group considered this to be outside the audit group's
goals.
The group also chose a global naming convention,
PREFIX_FUNCTIONNAME, where PREFIX represents the security
section/topic. Current prefixes are "priv_", "mac_", "aud_",
and "acl_" (DAC). The same prefix rule extends to data
structures (e.g. "priv_t").
2. MAC
Several issues were resolved.
o A 'write up' standard will be neither restricted nor
guaranteed.
__________
* UNIX is a registered trademark of AT&T in the U.S. and other
countries.
o The 'upgrade directories' function was dropped, since a
'write up' without a read does not guarantee success.
o Change file label/level and change process label operations
will be accepted for privileged processes.
o The MAC_PRESENT variable will be added to sysconf, to
indicate that a MAC mechanism is installed in the system.
MAC_CONTROLLED and MAC_ALWAYS were also proposed.
MAC_CONTROLLED would return the value of a file controlled
by a MAC mechanism, and MAC_ALWAYS would indicate that all
objects on the system carry associated MAC information.
o A set of six privileges was defined: P_upgrade,
P_covertchannel, P_MAC_READ, P_MAC_WRITE, P_LABEL_OBJ,
P_LABEL_SUBJ. The last two might be folded under the
READ/WRITE privileges; however, these two are the most
sensitive of all.
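To make the 'write up' decision above concrete, here is an added illustration in C (it is not from the 1003.6 draft or from the report) of a label carrying a sensitivity level and a category set, with the two checks a MAC mechanism applies: a read requires the subject's label to dominate the object's, and a 'write up' requires the object's label to dominate the subject's. The struct, the function names and the dominance rule are this example's assumptions, taken from common MAC practice rather than from the draft.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical label: a sensitivity level plus a bit set of categories.
 * Neither the struct nor the function names come from the 1003.6 draft. */
typedef struct {
    int      level;       /* e.g. 0 = unclassified ... 3 = top secret */
    uint32_t categories;  /* one bit per compartment */
} mac_label_t;

/* a dominates b when a's level is at least b's and a's categories
 * include every category of b (assumed lattice ordering). */
bool mac_dominates(mac_label_t a, mac_label_t b)
{
    return a.level >= b.level && (b.categories & ~a.categories) == 0;
}

/* Read check: a subject may read only objects it dominates. */
bool mac_read_allowed(mac_label_t subject, mac_label_t object)
{
    return mac_dominates(subject, object);
}

/* Write check: a subject may write objects that dominate it, i.e. 'write
 * equal' or 'write up'. Nothing here lets the writer read the result back. */
bool mac_write_allowed(mac_label_t subject, mac_label_t object)
{
    return mac_dominates(object, subject);
}

/* A write the caller can also confirm afterwards needs both checks. For a
 * strict 'write up' this is false, which is the reason the report gives for
 * dropping the 'upgrade directories' function: success cannot be guaranteed
 * to the writer. */
bool mac_can_verify_write(mac_label_t subject, mac_label_t object)
{
    return mac_write_allowed(subject, object) && mac_read_allowed(subject, object);
}
```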
The next meeting will see discussions of Sun's multiple-level
directories, the recalculation function, and information labels.
The group will also review the .6 draft, the MAC common
description language interface, and 1003.1/.1a.
3. PRIVILEGES
The privilege group has defined interfaces for file privileges.
For example, priv_fstate_t() will return whether privilege for
the file is required, allowed, or forbidden. A process's
privilege can be permitted, effective, or inheritable.
Also, there is now a list of needed privileges, including
PRIV_SETUID and PRIV_SETGID (set the uid and gid of a file or
process), PRIV_FOWNER (change the owner uid of a file),
PRIV_ADMIN (do administrative operations like unlinking a file),
PRIV_RESOURCE (set the sticky bit or be able to use memory), and
DAC_READ/WRITE (override the DAC search-or-read access check and
the DAC write access check, respectively).
The process-privilege interface is still an open issue, and will
be discussed in October. These three suggestions are on the
table:
1. A function pair: priv_set_priv(id, attr, value) and valuet
priv_get_priv(id, attr). (Something of type "valuet" can
take on the values "required", "allowed", or "forbidden".)
2. An interface to set or unset multiple privileges at a
time.
3. A requirement that the operating system re-calculate
privileges for each process every time that process
manipulates an object.
Next meeting, the privilege group will focus on developing
functional interface descriptions in both English and in Common
Descriptive Language (CDL).
4. DAC
The DAC group decided to describe its interfaces procedurally.
They defined the minimum set of functions required
for access control lists (ACLs) -- open, close, write, sort,
create_entry, get_entry, dup_entry, delete_entry, set_key,
get_key, and add/delete permission -- and the minimum set of
commands -- getacl and setacl. They also defined the needed
privileges and passed their list to the privilege group. The
October meeting will focus on polishing the current draft and
addressing default ACL interfaces.
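As an added example (not the DAC group's code or the draft's API), the following C models a minimal ACL in the shape of the function list above and shows how create_entry, set_key, add/delete permission and sort feed an access decision. The entry layout, the tag values, the "user entry decides alone, then union of matching groups, then other" matching rule and the sample ACL in acl_demo are all this example's assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical minimal ACL modelled on the function list in the report; the
 * names, types and matching rule are this example's, not the 1003.6 draft's. */
enum { ACL_USER, ACL_GROUP, ACL_OTHER };             /* entry key: tag + id */
enum { ACL_READ = 4, ACL_WRITE = 2, ACL_EXEC = 1 };  /* permission bits */
#define ACL_MAX 16

typedef struct { int tag; unsigned id; unsigned perm; } acl_entry_t;
typedef struct { acl_entry_t e[ACL_MAX]; int n; } acl_t;

/* create_entry appends an empty 'other' entry and returns its index, -1 if full */
int acl_create_entry(acl_t *a) {
    if (a->n >= ACL_MAX) return -1;
    a->e[a->n] = (acl_entry_t){ ACL_OTHER, 0, 0 };
    return a->n++;
}
void acl_set_key(acl_t *a, int i, int tag, unsigned id) { a->e[i].tag = tag; a->e[i].id = id; }
void acl_add_perm(acl_t *a, int i, unsigned p)    { a->e[i].perm |= p; }
void acl_delete_perm(acl_t *a, int i, unsigned p) { a->e[i].perm &= ~p; }

static int acl_cmp(const void *x, const void *y) {
    const acl_entry_t *p = x, *q = y;
    return p->tag != q->tag ? p->tag - q->tag : (p->id > q->id) - (p->id < q->id);
}
/* sort puts entries in canonical order: user < group < other, then by id */
void acl_sort(acl_t *a) { qsort(a->e, (size_t)a->n, sizeof a->e[0], acl_cmp); }

/* Access check: a matching user entry decides alone; otherwise the union of
 * matching group entries; otherwise the other entry; no match at all denies. */
bool acl_check(const acl_t *a, unsigned uid, unsigned gid, unsigned want) {
    unsigned group_perm = 0, other_perm = 0;
    bool group_hit = false, other_hit = false;
    for (int i = 0; i < a->n; i++) {
        const acl_entry_t *e = &a->e[i];
        if (e->tag == ACL_USER && e->id == uid) return (e->perm & want) == want;
        if (e->tag == ACL_GROUP && e->id == gid) { group_perm |= e->perm; group_hit = true; }
        if (e->tag == ACL_OTHER) { other_perm = e->perm; other_hit = true; }
    }
    if (group_hit) return (group_perm & want) == want;
    return other_hit && (other_perm & want) == want;
}

/* Constructed sample ACL: uid 1000 gets rw then loses w, gid 100 gets r,
 * everyone else gets nothing (the 'other' entry keeps perm 0). */
bool acl_demo(unsigned uid, unsigned gid, unsigned want) {
    acl_t a = { .n = 0 };
    int u = acl_create_entry(&a), g = acl_create_entry(&a), o = acl_create_entry(&a);
    acl_set_key(&a, o, ACL_OTHER, 0);
    acl_set_key(&a, g, ACL_GROUP, 100); acl_add_perm(&a, g, ACL_READ);
    acl_set_key(&a, u, ACL_USER, 1000); acl_add_perm(&a, u, ACL_READ | ACL_WRITE);
    acl_delete_perm(&a, u, ACL_WRITE);
    acl_sort(&a);
    return acl_check(&a, uid, gid, want);
}
```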
5. AUDIT
The group discussed portability, especially data portability.
Should only privileged processes write to audit logs? (The
consensus is, "Yes.") And how much should the record format be
standardized?
The October meeting will see a draft review, plus discussions on
event identification, classes, style and data representation,
and token grammar.
6. NEW GROUP: NETWORK/SYSTEM ADMINISTRATION
Because interconnectivity is at the heart of many security and
administration issues, "interconnectivity" between P1003.6,
P1003.7 (system administration), and P1003.8 (networking) had to
improve. A joint, evening meeting of the three groups set this
in motion, and five members of 1003.6 have signed up to review
drafts from the other two groups. They intend to begin working
on this area formally in October.
Volume-Number: Volume 17, Number 42