Standards Update, IEEE 1003.6: Security Extensions

Jeffrey S. Haemer jsh at
Sat Oct 21 13:06:21 AEST 1989

From: Jeffrey S. Haemer <jsh at>


            An Update on UNIX* and C Standards Activities

                            September 1989

                 USENIX Standards Watchdog Committee

                   Jeffrey S. Haemer, Report Editor

IEEE 1003.6: Security Extensions Update

Ana Maria de Alvare <anamaria at> reports on the July
10-14, 1989 meeting, in San Jose, California:

P1003.6 (security) is split into four main groups: privileges,
mandatory access control (MAC), audit, and discretionary access
control (DAC).  In addition, there is a definitions group, whose
charter is to define terms and to ensure that definitions used by
1003.6 do not clash with definitions in other 1003 groups.

  1.  DEFINITIONS

      The definitions group reviewed all definitions new to draft two.
      The majority were from the audit group and were approved.
      Amusingly, the lone exception was the definition of "audit",
      which included an interpretation of an audit record; the
      definition group considered this to be outside the audit group's

      The group also chose a global naming convention,
      PREFIX_FUNCTIONNAME, where PREFIX represents the security
      section/topic.  Current prefixes are "priv_", "mac_", "aud_",
      and "acl_" (DAC).  The same prefix rule extends to data
      structures (e.g. "priv_t").

  2.  MAC

      Several issues were resolved.

         o+ A 'write up' standard will be neither restricted nor


  * UNIX is a registered trademark of AT&T in the U.S. and other

September 1989 Standards Update       IEEE 1003.6: Security Extensions

         o+ The 'upgrade directories' function was dropped, since a
           'write up' without a read does not guarantee success.

         o+ Change file label/level and change process label operations
           will be accepted for privileged processes.

         o+ The MAC_PRESENT variable will be added to the sysconf, to
           indicate that a MAC mechanism is installed in the system.
           MAC_CONTROLLED and MAC_ALWAYS were also proposed.
           MAC_CONTROLLED would return the value of a file controlled
           by a MAC mechanism, and MAC_ALWAYS would indicate that all
           objects on the system contain associated MAC information.

         o+ A set of six privileges was defined: P_upgrade,
           P_covertchannel, P_MAC_READ, P_MAC_WRITE, P_LABEL_OBJ,
           P_LABEL_SUBJ.  The last two might be folded under the
           READ/WRITE privileges; however, these two are the most
           sensitive of all.

      The next meeting will see discussions of SUN's multiple-level
      directories, the recalculation function, and information labels.
      The group will also review the .6 draft, the MAC common
      description language interface, and 1003.1/.1a.
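The 'write up' and label discussions above assume a lattice of labels in which one label may or may not dominate another. The following C block is an added illustration, not text or code from the 1003.6 draft or this report; the label layout (a level plus a category bitmask), the function names and the exact read/write rules are assumptions chosen to show why a write up is blind and why incomparable labels permit neither read nor write.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed label shape for illustration: a hierarchical sensitivity
 * level plus a set of non-hierarchical categories kept as a bitmask.
 * The draft's own label format is not described in the report. */
typedef struct {
    int level;             /* e.g. 0 = unclassified ... 3 = top secret */
    uint32_t categories;   /* one bit per compartment */
} mac_label_t;

/* a dominates b when a's level is at least b's and a's category set
 * contains b's.  This partial order is what a lattice MAC policy uses. */
bool mac_dominates(mac_label_t a, mac_label_t b)
{
    return a.level >= b.level &&
           (a.categories & b.categories) == b.categories;
}

/* Labels with disjoint or partly overlapping category sets can be
 * incomparable: neither dominates the other, so neither read nor
 * write is permitted between them. */
bool mac_comparable(mac_label_t a, mac_label_t b)
{
    return mac_dominates(a, b) || mac_dominates(b, a);
}

/* Simple security property ("no read up"): the subject may read the
 * object only if the subject's label dominates the object's. */
bool mac_may_read(mac_label_t subject, mac_label_t object)
{
    return mac_dominates(subject, object);
}

/* *-property ("no write down"): the subject may write the object only
 * if the object's label dominates the subject's.  When the object's
 * label is strictly higher this is the "write up" the report discusses. */
bool mac_may_write(mac_label_t subject, mac_label_t object)
{
    return mac_dominates(object, subject);
}

/* A write up is blind: the writer may write but may not read back, so an
 * accepted write says nothing about what happened at the higher label.
 * That is why an 'upgrade directories' call could not promise success. */
bool mac_is_write_up(mac_label_t subject, mac_label_t object)
{
    return mac_may_write(subject, object) && !mac_may_read(subject, object);
}
```

The incomparable case is the one implementations most often get wrong: two labels at the same level with different categories must fail both checks, not fall through to the level comparison alone.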

  3.  PRIVILEGES

      The privilege group has defined interfaces for file privileges.
      For example, priv_fstate_t() will return whether privilege for
      the file is required, allowed, or forbidden.  A process's
      privilege can be permitted, effective, or inheritable.

      Also, there is now a list of needed privileges, including
      PRIV_SETUID and PRIV_SETGID (set the uid and gid of a file or
      process), PRIV_FOWNER (change the owner uid of a file),
      PRIV_ADMIN (do administrative operations like unlinking a file),
      PRIV_RESOURCE (set the sticky bit or be able to use memory),
      DAC_READ/WRITE (override DAC for search or read access, and for
      write access).

      The process-privilege interface is still an open issue, and will
      be discussed in October.  These three suggestions are on the

        1.  A function pair.  priv_set_priv(id,attr,value) and valuet
            priv_get_priv(id,attr).  (Something of type "valuet" can
            take on the values "required", "allowed", or "forbidden".)

        2.  An interface to set or unset multiple privileges at a

        3.  A requirement that the operating system re-calculate
            privileges for each process every time that process
            manipulates an object.

      Next meeting, the privilege group will focus on developing
      functional interface descriptions in both English and in Common
      Descriptive Language (CDL).
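The privilege section above names a per-file tri-state (required, allowed, forbidden), three per-process sets (permitted, effective, inheritable) and a proposal to recalculate privileges as a process acts. The C block below is an added model of how those pieces fit together; it is not the draft's interface. The privilege names follow the report's list, but the bit assignments, the function names (priv_file_state, priv_exec_recalc, priv_set_effective, priv_drop, priv_check) and the exec-time combination rule are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* One bit per privilege.  Names follow the report's list; the bit
 * assignments and the DAC_READ/DAC_WRITE spelling are assumptions. */
typedef uint32_t priv_set_t;
enum {
    PRIV_SETUID    = 1u << 0,
    PRIV_SETGID    = 1u << 1,
    PRIV_FOWNER    = 1u << 2,
    PRIV_ADMIN     = 1u << 3,
    PRIV_RESOURCE  = 1u << 4,
    PRIV_DAC_READ  = 1u << 5,
    PRIV_DAC_WRITE = 1u << 6
};

/* Per-file state of one privilege: the three values the report gives. */
typedef enum { PRIV_FORBIDDEN, PRIV_ALLOWED, PRIV_REQUIRED } priv_fstate_t;

/* A file's privilege attributes; anything in neither set is forbidden. */
typedef struct {
    priv_set_t required;   /* forced on when the file is executed */
    priv_set_t allowed;    /* kept only if the caller offers it as inheritable */
} priv_file_t;

/* A process's three sets, as the report names them. */
typedef struct {
    priv_set_t permitted;    /* ceiling: what the process could enable */
    priv_set_t effective;    /* what a privileged operation actually checks */
    priv_set_t inheritable;  /* offered to the next executed image */
} priv_proc_t;

/* Query modelled on the priv_fstate_t() call mentioned in the report. */
priv_fstate_t priv_file_state(const priv_file_t *f, priv_set_t p)
{
    if (f->required & p) return PRIV_REQUIRED;
    if (f->allowed & p)  return PRIV_ALLOWED;
    return PRIV_FORBIDDEN;
}

/* Assumed exec-time recalculation (not the draft's rule): required
 * privileges are granted unconditionally, allowed ones survive only if
 * the parent offered them as inheritable, forbidden ones are dropped.
 * The new effective set starts equal to permitted. */
priv_proc_t priv_exec_recalc(priv_proc_t parent, const priv_file_t *f)
{
    priv_proc_t child;
    child.permitted   = (parent.inheritable & f->allowed) | f->required;
    child.inheritable = parent.inheritable & child.permitted;
    child.effective   = child.permitted;
    return child;
}

/* Raising effective or inheritable is bounded by permitted; lowering is
 * always allowed.  Returns false and changes nothing on a violation. */
bool priv_set_effective(priv_proc_t *p, priv_set_t want)
{
    if (want & ~p->permitted) return false;
    p->effective = want;
    return true;
}

bool priv_set_inheritable(priv_proc_t *p, priv_set_t want)
{
    if (want & ~p->permitted) return false;
    p->inheritable = want;
    return true;
}

/* Dropping from permitted is irreversible for this process: the
 * least-privilege move a daemon makes once initialisation is done. */
void priv_drop(priv_proc_t *p, priv_set_t drop)
{
    p->permitted   &= ~drop;
    p->effective   &= p->permitted;
    p->inheritable &= p->permitted;
}

/* A privileged operation consults the effective set only. */
bool priv_check(const priv_proc_t *p, priv_set_t need)
{
    return (p->effective & need) == need;
}

/* Worked scenario (constructed): a parent holding ADMIN and FOWNER executes
 * a file that requires SETUID, allows ADMIN and forbids everything else.
 * Returns a bitmask of outcomes so the result can be checked. */
unsigned priv_scenario(void)
{
    priv_proc_t parent = { PRIV_ADMIN | PRIV_FOWNER, PRIV_ADMIN | PRIV_FOWNER,
                           PRIV_ADMIN | PRIV_FOWNER };
    priv_file_t file = { PRIV_SETUID, PRIV_ADMIN };
    priv_proc_t child = priv_exec_recalc(parent, &file);
    unsigned r = 0;
    if (priv_check(&child, PRIV_SETUID))         r |= 1u;   /* required: granted */
    if (priv_check(&child, PRIV_ADMIN))          r |= 2u;   /* allowed and inheritable: kept */
    if (priv_check(&child, PRIV_FOWNER))         r |= 4u;   /* forbidden: dropped */
    if (priv_set_effective(&child, PRIV_FOWNER)) r |= 8u;   /* cannot raise past permitted */
    priv_drop(&child, PRIV_ADMIN);
    if (priv_check(&child, PRIV_ADMIN))          r |= 16u;  /* gone after the drop */
    if (priv_set_effective(&child, PRIV_ADMIN))  r |= 32u;  /* and cannot come back */
    return r;   /* expected 3 */
}
```

The point the scenario makes is that a file's "forbidden" state wins over whatever the parent inherited, and that once a process drops a privilege from permitted no later call can restore it.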

  4.  DAC

      The DAC group decided to describe interfaces using a procedural
      interface.  They defined the minimum set of functions required
      for access control lists (ACLs) -- open, close, write, sort,
      create_entry, get_entry, dup_entry, delete_entry, set_key,
      get_key, and add/delete permission -- and the minimum set of
      commands -- getacl and setacl.  They also defined the needed
      privileges and passed their list to the privilege group.  The
      October meeting will focus on polishing the current draft and
      addressing default ACL interfaces.
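The DAC group's choice of a procedural interface is easier to judge with a concrete instance. The C block below is an added toy, not the draft's API or any vendor's: it implements the entry-oriented subset of the listed functions (create_entry, get_entry, get_key, add/delete permission, sort) plus a lookup and a check routine, and leaves out the persistence calls (open, close, write). The names, the entry tags, the canonical ordering and the first-match evaluation rule are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Toy in-memory ACL built around the function set listed in the report.
 * Names, types, entry layout and the evaluation order are assumptions;
 * the persistence calls (open, close, write) are left out. */
#define ACL_MAX   16
#define ACL_READ  04
#define ACL_WRITE 02
#define ACL_EXEC  01

typedef unsigned int acl_id_t;
typedef enum { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_OTHER } acl_tag_t;
typedef struct { acl_tag_t tag; acl_id_t id; int perms; } acl_entry_t;
typedef struct { acl_entry_t e[ACL_MAX]; int n; } acl_t;

void acl_init(acl_t *a) { a->n = 0; }

acl_entry_t *acl_get_entry(acl_t *a, int i) {
    return (i >= 0 && i < a->n) ? &a->e[i] : NULL;
}

/* New entries grant nothing; permissions are added explicitly. */
int acl_create_entry(acl_t *a, acl_tag_t tag, acl_id_t id) {
    if (a->n == ACL_MAX) return -1;
    a->e[a->n] = (acl_entry_t){ tag, id, 0 };
    return a->n++;
}

bool acl_get_key(acl_t *a, int i, acl_tag_t *tag, acl_id_t *id) {
    acl_entry_t *e = acl_get_entry(a, i);
    if (e == NULL) return false;
    *tag = e->tag; *id = e->id; return true;
}

bool acl_add_perm(acl_t *a, int i, int p) {
    acl_entry_t *e = acl_get_entry(a, i);
    if (e == NULL) return false;
    e->perms |= p; return true;
}

bool acl_delete_perm(acl_t *a, int i, int p) {
    acl_entry_t *e = acl_get_entry(a, i);
    if (e == NULL) return false;
    e->perms &= ~p; return true;
}

/* Indices are positions, not identities: after a sort an entry must be
 * located again by its key before it is modified. */
int acl_find(acl_t *a, acl_tag_t tag, acl_id_t id) {
    acl_tag_t t; acl_id_t k;
    for (int i = 0; acl_get_key(a, i, &t, &k); i++)
        if (t == tag && k == id) return i;
    return -1;
}

/* Canonical order: by tag (owner, named users, owning group, named groups,
 * other), then by id, so the decision does not depend on insertion order. */
static int acl_cmp(const void *x, const void *y) {
    const acl_entry_t *p = x, *q = y;
    if (p->tag != q->tag) return (int)p->tag - (int)q->tag;
    return (p->id > q->id) - (p->id < q->id);
}
void acl_sort(acl_t *a) { qsort(a->e, (size_t)a->n, sizeof a->e[0], acl_cmp); }

/* Assumed evaluation rule: the first matching entry in canonical order
 * decides, and a subject that matches no entry is denied. */
bool acl_check(acl_t *a, acl_id_t owner, acl_id_t group,
               acl_id_t uid, acl_id_t gid, int want) {
    acl_sort(a);
    for (int i = 0; i < a->n; i++) {
        const acl_entry_t *e = &a->e[i];
        bool match = false;
        switch (e->tag) {
        case ACL_USER_OBJ:  match = (uid == owner); break;
        case ACL_USER:      match = (uid == e->id); break;
        case ACL_GROUP_OBJ: match = (gid == group); break;
        case ACL_GROUP:     match = (gid == e->id); break;
        case ACL_OTHER:     match = true;           break;
        }
        if (match) return (e->perms & want) == want;
    }
    return false;
}

/* Worked scenario on a file owned by uid 100, gid 50 (constructed values);
 * returns a bitmask of outcomes so the result can be checked. */
unsigned acl_scenario(void) {
    acl_t a;
    acl_init(&a);
    acl_add_perm(&a, acl_create_entry(&a, ACL_OTHER, 0), ACL_READ);   /* added first, evaluated last */
    acl_add_perm(&a, acl_create_entry(&a, ACL_USER, 200), ACL_READ | ACL_WRITE);
    acl_add_perm(&a, acl_create_entry(&a, ACL_GROUP, 50), ACL_READ);
    acl_add_perm(&a, acl_create_entry(&a, ACL_USER_OBJ, 0), ACL_READ | ACL_WRITE | ACL_EXEC);
    unsigned r = 0;
    if (acl_check(&a, 100, 50, 100, 50, ACL_WRITE))  r |= 1u;   /* owner entry wins */
    if (acl_check(&a, 100, 50, 200, 99, ACL_WRITE))  r |= 2u;   /* named user 200 may write */
    if (acl_check(&a, 100, 50, 300, 50, ACL_WRITE))  r |= 4u;   /* group 50 is read-only */
    if (acl_check(&a, 100, 50, 300, 50, ACL_READ))   r |= 8u;
    if (acl_check(&a, 100, 50, 999, 999, ACL_EXEC))  r |= 16u;  /* other: read only */
    acl_delete_perm(&a, acl_find(&a, ACL_USER, 200), ACL_WRITE);  /* revoke, relocating by key */
    if (acl_check(&a, 100, 50, 200, 99, ACL_WRITE))  r |= 32u;
    return r;   /* expected 11 */
}
```

Two design points the scenario exercises: sorting before evaluation removes any dependence on the order an administrator added entries, and an index handed out by create_entry is invalidated by that sort, which is why the revocation step re-finds the entry by its key instead of reusing the old index.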

  5.  AUDIT

      The group discussed portability, especially data portability.
      Should only privileged processes write to audit logs?  (The
      consensus is, "Yes.") And how much should the record format be

      The October meeting will see a draft review, plus discussions on
      event identification, classes, style and data representation,
      and token grammar.


      Because interconnectivity is at the heart of many security and
      administration issues, "interconnectivity" between P1003.6,
      P1003.7 (system administration), and P1003.8 (networking) had to
      improve.  A joint, evening meeting of the three groups set this
      in motion, and five members of 1003.6 have signed up to review
      drafts from the other two groups.  They intend to begin working
      on this area formally in October.

Volume-Number: Volume 17, Number 42