108 CHAPTER 8. CASE STUDY: SOLARIS TRUSTED EXTENSIONS zones. There are no privileges available for any process in a labeled zone to write to lower-level files. However, such policies as reading from files in lower-level zones, exporting directories to higher- level zones, and moving files into higher level zones can be enabled by specifying the privileges available to each zone when it is booted 1 . Privileges available to a zone can, in turn, be assigned to processes in the zone. However, a zone’s privilege limit is an upper bound that applies to all processes even root-owned that are run in the zone. All policies that affect multiple zones, such as sharing of directories, are administered via the Trusted Path. If multiple users are running processes at the same MLS label, these processes run in the same zone and are controlled using traditional DAC policies within the zone. Of course, the communi- cations that these processes can make are controlled by the MLS policies on the zone as described above.

8.4 PROCESS RIGHTS MANAGEMENT PRIVILEGES

The Solaris operating system implements a set of privileges that provide fine-grained control over the actions of processes. Traditionally, Unix-based systems have relied on the concept of a specially- identified, super-user, called root.This concept of a Unix super-user has been replaced in a backward compatible manner with the ability to grant one or more specific privileges that enable processes to perform otherwise restricted operations. The privilege-based security model is equally applicable to processes running under user id 0 root or under any other user id. For root-owned processes, the ability to access and modify critical system resources is restricted by removing privileges from these processes. For user-owned processes privileges are added to explicitly allow them to access such critical resources. The implications for such privilege-aware processes are both, that root processes can run more safely because their powers are limited, and that many processes that formerly required to be root processes can now be executed by regular users by simply giving them the additionally required privileges. Experience with modifying a large set of Solaris programs to be privilege-aware revealed an interesting fact. Most programs that formerly required to be executed as user root require only very few additional privileges and in many cases require them only once before they can be relinquished. The change to a primarily privilege-based security model in the Solaris operating system gives developers an opportunity to restrict processes to those privileged operations actually needed instead of having to choose between all super-user or no privileges non-zero UIDs. Additionally, a set of previously unrestricted operations now require a privilege; these privileges are dubbed the basic privileges. These are privileges that used to be always available to unprivileged processes. By default, processes still have the basic privileges. 1 The policy for reading down is configurable because it is not always appropriate. For example, it could result in processes at a higher level executing lower-level applications which manipulate the higher-level data. One way to mitigate that risk is to configure the zone without the privilege to do read down mounts. An additional way is to specify the noexec mount option for lower-level mounts.

8.4. PROCESS RIGHTS MANAGEMENT PRIVILEGES 109

The single, all-powerful UID 0 assigned to a root process has been replaced with at least 68 discrete privileges that can be individually assigned to processes using the Service Management Fa- cility SMF, Role-based Access Control RBAC, or a command-line program, such as ppriv1. Taken together, all defined privileges with the exception of the basic privileges compose the set of privileges that are traditionally associated with the root user. The basic privileges are privileges unprivileged processes were accustomed to having. The privilege implementation in Solaris extends the process credential with four privilege sets: • I, the inheritable set: The privileges inherited on exec. • P, the permitted set: The maximum set of privileges for the process. • E, the effective set: The privileges currently in effect. • L, the limit set: The upper bound of the privileges a process and its offspring can obtain. Changes to L take effect on the next exec. As shown in Figure 8.2, the sets I , P and E are typically identical to the basic set of privileges for unprivileged processes. The limit set is typically the full set of privileges. Permitted Inheritable Limit Effective Figure 8.2: The relationship among Solaris privilege sets.

8.4.1 PRIVILEGE BRACKETING AND RELINQUISHING

The implementation of Solaris privileges empowers application developers to control how privileges are used within their programs. Using a technique called privilege bracketing, developers can write