User Permission Isolation Model Oriented to Service Process

Abstract: To remove unnecessary root users from operating system services, a user permission isolation model is proposed. Based on a mapping among users, isolated domains and program modules according to security level, and combined with virtualization, isolated runtime environments are constructed for different users. The model gives a formal definition of the user isolated domain and the key mechanisms for its implementation. The model realizes the least privilege principle within each isolated domain, and the paper concludes that potential root users are eliminated in the isolated domains.

Key words: least permission; virtualization; isolation; privileged user; domain; system service

DOI: 10.3969/j.issn.100003428.2011.23.048
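The following Python sketch is an added illustration of the user to isolated-domain to program-module mapping the abstract describes; it is not the paper's code, and the privilege names, security levels, sample modules and the ROOT_PRIVILEGES set are assumptions made for the example. It shows the least-privilege check a domain applies to a module request and a check that no domain can reach the full root privilege set.

```python
from dataclasses import dataclass, field

# Assumed full privilege set: a domain able to reach all of it would be a
# "potential root user" in the sense of the abstract's conclusion.
ROOT_PRIVILEGES = frozenset({"net_bind", "fs_write_system", "proc_kill_any", "mod_load"})

@dataclass(frozen=True)
class Module:
    name: str
    level: int              # security level required to run the module
    privileges: frozenset   # privileges the module needs while running

@dataclass
class IsolatedDomain:
    name: str
    level: int                                   # security level of the domain
    modules: dict = field(default_factory=dict)  # module name -> Module

    def privileges(self):  # union of privileges reachable from inside the domain
        return frozenset().union(*(m.privileges for m in self.modules.values()))

class PermissionModel:
    def __init__(self, domains, user_domain):
        self.domains = {d.name: d for d in domains}  # domain name -> IsolatedDomain
        self.user_domain = user_domain               # user -> its single domain name

    def may_run(self, user, module_name):
        """Allowed only if the module is mapped into the user's own domain and
        the domain's security level is at least the module's required level."""
        dom = self.domains.get(self.user_domain.get(user))
        mod = dom.modules.get(module_name) if dom else None
        return mod is not None and dom.level >= mod.level

    def potential_root_domains(self):
        """Domains whose reachable privileges cover the whole root set."""
        return sorted(n for n, d in self.domains.items() if d.privileges() >= ROOT_PRIVILEGES)

# Constructed sample modules (not from the paper): a web server, a log rotator
# and a kernel-module loader, each needing a different privilege subset.
HTTPD = Module("httpd", 1, frozenset({"net_bind"}))
LOGROTATE = Module("logrotate", 2, frozenset({"fs_write_system", "proc_kill_any"}))
MODPROBE = Module("modprobe", 3, frozenset({"mod_load"}))

def build_example():
    """Two service users, each confined to a domain holding only its own module."""
    domains = [IsolatedDomain("web_dom", 1, {"httpd": HTTPD}),
               IsolatedDomain("log_dom", 2, {"logrotate": LOGROTATE})]
    return PermissionModel(domains, {"web": "web_dom", "logd": "log_dom"})
```

Collapsing every module into a single domain makes `potential_root_domains()` report that domain, which is the configuration the model is meant to rule out.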