Administering privilege

The traditional privilege model

In UNIX System V Release 4 and previous releases, the restriction of privilege is implemented by designating a special user identifier (UID) of 0; the login name historically associated with this UID is root.

When an individual logs in as root, that individual has unrestricted access to every file on the system, and the ability to perform operations that alter system operation. On such systems, commands performing sensitive system operations check to see whether the effective UID of the process requesting the operation is 0. If it is, the user process can perform any operation.

The root login in Release 4 and previous releases possesses, in effect, the one privilege necessary to override all system restrictions on command execution and access: the superuser privilege.

In the traditional privilege model the privilege check is simple: if a process has an effective UID of 0, it has privilege and can override system restrictions; if its effective UID is not 0, it has no privilege and cannot override any system restriction. Privilege is inherited along with the effective UID: a child process spawned by a process whose effective UID is 0 also starts with an effective UID of 0 (unless it executes a set-UID program, which sets the effective UID to the program owner's), and so has the same unlimited system access as its parent. When any process attempts a sensitive system operation, the system examines that process's effective UID and, if it is 0, allows the operation.

This type of privilege mechanism is a UID-based privilege mechanism and has one privilege: the superuser privilege. The inheritance policy employed is a simple one: each process with an effective UID of 0 is given unlimited system access.

There are some obvious problems with this mechanism. If a user is somehow able to gain superuser status, that user can perform any operation on the system, whether or not they are authorized to do so. Conversely, a user with a legitimate need to override a single system restriction may have to be given the power to override every system restriction by becoming superuser, either by being told the root password or by having the application they need to run installed set-UID to root. Privilege is an all-or-nothing quantity.
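The following C program is an added illustration of the model described above; it is not code from the UnixWare documentation or from the UnixWare kernel. It reduces the traditional model to its single predicate (effective UID equals 0), applies that predicate in a hypothetical sensitive_operation() that fails with EPERM exactly as a Release 4 kernel entry point would, shows that a child created by fork() gets the same outcome as its parent because it inherits the parent's effective UID, and shows the only narrowing the traditional model gives a set-UID root program: performing the one privileged action and then discarding all privilege with setuid(getuid()). Run as an ordinary user the sensitive operation is denied; run as root it is allowed and the drop leaves the process as root, because the real UID is also 0.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The whole policy of the traditional model: privilege is a property of
 * the effective UID, and there is exactly one privilege. */
int has_superuser_privilege(uid_t euid)
{
    return euid == 0;
}

/* A modelled "sensitive system operation" (hypothetical name, not a real
 * system call). It performs the check a Release 4 kernel entry point
 * would: if the caller's effective UID is 0 the operation is allowed,
 * otherwise it fails with EPERM. Returns 0 on success, -1 on failure. */
int sensitive_operation(uid_t euid)
{
    if (!has_superuser_privilege(euid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Inheritance: a child created by fork() starts with the parent's
 * effective UID, so whether the child may perform a sensitive operation
 * is decided entirely by what the parent already had. Returns 1 when the
 * child's outcome matches what the parent's effective UID predicts,
 * 0 on a fork/wait failure or a mismatch. */
int child_inherits_parent_outcome(void)
{
    uid_t parent_euid = geteuid();
    int expected = sensitive_operation(parent_euid) == 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        /* child: report through the exit status whether the check passed */
        _exit(sensitive_operation(geteuid()) == 0 ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 0;
    return WEXITSTATUS(status) == expected;
}

/* The only narrowing the traditional model offers a set-UID root
 * program: do the one privileged thing first, then give the privilege up
 * entirely by resetting the effective UID to the real UID. Returns the
 * effective UID after the drop. For a process whose real UID is already
 * the effective UID this is a no-op. */
uid_t drop_superuser_privilege(void)
{
    if (setuid(getuid()) < 0)
        perror("setuid");
    return geteuid();
}

int main(void)
{
    printf("effective UID %d: sensitive operation %s\n", (int)geteuid(),
           sensitive_operation(geteuid()) == 0 ? "allowed" : "denied");
    printf("child gets the same outcome as its parent: %s\n",
           child_inherits_parent_outcome() ? "yes" : "no");
    uid_t after = drop_superuser_privilege();
    printf("after setuid(getuid()): effective UID %d, privileged: %s\n",
           (int)after, has_superuser_privilege(after) ? "yes" : "no");
    return 0;
}
```

The point of the last step is the caveat the text makes: nothing in this model lets a set-UID root program keep just the one override it needs. Until it calls setuid(getuid()) it holds every override, and any code it runs before that point (including code reached through a bug) runs with full superuser privilege.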


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004