The first step in assigning trust to a command or library routine is to determine whether it has enough access to the system to require trust. Some commands do not require privilege or access to sensitive information. Such commands need not be trusted, since they pose no threat.
Other commands either occasionally or routinely obtain access to sensitive operations, or create that access for themselves through mechanisms like the setuid-on-exec feature. These commands must be trusted, since they operate in a sensitive environment.
The rules dictating which commands need trust and which commands do not are straightforward, but matching a command to a rule may not be. The following command classes must always be trusted:
Deciding whether a command is ``used by administrative personnel'' or ``uses privilege'' can be difficult, since this distinction often varies from site to site and administrator to administrator.
Library routines have similar rules, but these routines are so pervasive the most reasonable rule is: each library routine must be trusted unless it can be shown not to be used by trusted code. This principle means that every element of a trusted command must itself be trusted. This principle includes the private routines within the command as well as all library routines used by the command.