A formal model for Unix setuid

The Unix setuid (set user identification) mechanism is described in the context of the GEMSOS architecture. Motivation for modeling setuid is given, and modeling and policy requirements for the control of the setuid mechanism are presented. The GEMSOS formal security policy model is compared with the Bell and LaPadula model. The Bell and LaPadula model is shown not to admit the actions of a setuid mechanism. Features of the GEMSOS DAC (discretionary access control) model are described that represent the actions of the Unix setuid mechanism while limiting their negative effect on the DAC policy.
