Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!iuvax!purdue!tut.cis.ohio-state.edu!gem.mps.ohio-state.edu!apple!longway!std-unix
From: jsh@usenix.org (Jeffrey S. Haemer)
Newsgroups: comp.std.unix
Subject: Standards Update, IEEE 1003.6: Security Extensions
Message-ID: <412@longway.TIC.COM>
Date: 21 Oct 89 03:06:21 GMT
Sender: std-unix@longway.TIC.COM
Reply-To: std-unix@uunet.uu.net
Organization: USENIX Standards Watchdog Committee
Lines: 154
Approved: jsq@longway.tic.com (Moderator, John S. Quarterman)

From: Jeffrey S. Haemer

An Update on UNIX* and C Standards Activities
September 1989
USENIX Standards Watchdog Committee
Jeffrey S. Haemer, Report Editor

IEEE 1003.6: Security Extensions Update

Ana Maria de Alvare reports on the July 10-14, 1989 meeting, in San Jose, California:

P1003.6 (security) is split into four main groups: privileges, mandatory access control (MAC), audit, and discretionary access control (DAC). In addition, there is a definitions group, whose charter is to define terms and to ensure that definitions used by 1003.6 do not clash with definitions in other 1003 groups.

1. DEFINITIONS

The definitions group reviewed all definitions new to draft two. The majority were from the audit group and were approved. Amusingly, the lone exception was the definition of "audit", which included an interpretation of an audit record; the definitions group considered this to be outside the audit group's goals.

The group also chose a global naming convention, PREFIX_FUNCTIONNAME, where PREFIX represents the security section/topic. Current prefixes are "priv_", "mac_", "aud_", and "acl_" (DAC). The same prefix rule extends to data structures (e.g. "priv_t").

2. MAC

Several issues were resolved.

o A 'write up' standard will be neither restricted nor guaranteed.

o The 'upgrade directories' function was dropped, since a 'write up' without a read does not guarantee success.

o Change file label/level and change process label operations will be accepted for privileged processes.

o The MAC_PRESENT variable will be added to sysconf, to indicate that a MAC mechanism is installed in the system. MAC_CONTROLLED and MAC_ALWAYS were also proposed. MAC_CONTROLLED would report whether a file is controlled by a MAC mechanism, and MAC_ALWAYS would indicate that all objects on the system carry associated MAC information.

o A set of six privileges was defined: P_upgrade, P_covertchannel, P_MAC_READ, P_MAC_WRITE, P_LABEL_OBJ, P_LABEL_SUBJ. The last two might be folded under the READ/WRITE privileges; however, these two are the most sensitive of all.

The next meeting will see discussions of SUN's multiple-level directories, the recalculation function, and information labels. The group will also review the .6 draft, the MAC common description language interface, and 1003.1/.1a.

3. PRIVILEGES

The privilege group has defined interfaces for file privileges. For example, priv_fstate_t() will return whether privilege for the file is required, allowed, or forbidden. A process's privilege can be permitted, effective, or inheritable. Also, there is now a list of needed privileges, including PRIV_SETUID and PRIV_SETGID (set the uid and gid of a file or process), PRIV_FOWNER (change the owner uid of a file), PRIV_ADMIN (do administrative operations like unlinking a file), PRIV_RESOURCE (set the sticky bit or be able to use memory), and DAC_READ/WRITE (override search or read access, and write access).

The process-privilege interface is still an open issue, and will be discussed in October. These three suggestions are on the table:

1. A function pair, priv_set_priv(id,attr,value) and valuet priv_get_priv(id,attr). (Something of type "valuet" can take on the values "required", "allowed", or "forbidden".)

2. An interface to set or unset multiple privileges at a time.

3. A requirement that the operating system re-calculate privileges for each process every time that process manipulates an object.

Next meeting, the privilege group will focus on developing functional interface descriptions in both English and in Common Descriptive Language (CDL).

4. DAC

The DAC group decided to describe interfaces using a procedural interface. They defined the minimum set of functions required for access control lists (ACLs) -- open, close, write, sort, create_entry, get_entry, dup_entry, delete_entry, set_key, get_key, and add/delete permission -- and the minimum set of commands -- getacl and setacl. They also defined the needed privileges and passed their list to the privilege group.

The October meeting will focus on polishing the current draft and addressing default ACL interfaces.

5. AUDIT

The group discussed portability, especially data portability. Should only privileged processes write to audit logs? (The consensus is, "Yes.") And how much should the record format be standardized?

The October meeting will see a draft review, plus discussions on event identification, classes, style and data representation, and token grammar.

6. NEW GROUP: NETWORK/SYSTEM ADMINISTRATION

Because interconnectivity is at the heart of many security and administration issues, "interconnectivity" between P1003.6, P1003.7 (system administration), and P1003.8 (networking) had to improve. A joint evening meeting of the three groups set this in motion, and five members of 1003.6 have signed up to review drafts from the other two groups. They intend to begin working on this area formally in October.

__________
* UNIX is a registered trademark of AT&T in the U.S. and other countries.

Volume-Number: Volume 17, Number 42
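The privilege states described in section 3 (required, allowed or forbidden for a file; permitted, effective or inheritable for a process) can be modelled in C. The following is an added illustration, not code from the 1003.6 draft or from the working group: the exec-time combination rule, the names priv_exec, priv_check, file_privs_all and example_exec, and the sample process are all assumptions made here to show how the two kinds of state interact.

```c
#include <stdint.h>
#include <stdbool.h>

/* File-privilege states named in the report (the "valuet" of proposal 1). */
typedef enum { PRIV_REQUIRED, PRIV_ALLOWED, PRIV_FORBIDDEN } valuet;
/* Privilege names from the report's list, as indices into a bit set. */
enum priv_id { P_SETUID, P_SETGID, P_FOWNER, P_ADMIN, P_RESOURCE,
               P_DAC_READ, P_DAC_WRITE, NPRIVS };
#define PRIV_BIT(id) (1u << (id))
/* A process's three privilege sets, as named in the report. */
typedef struct { uint32_t permitted, effective, inheritable; } priv_set_t;
/* Per-privilege file state; stands in for what priv_fstate_t() reports. */
typedef struct { valuet state[NPRIVS]; } file_privs_t;

file_privs_t file_privs_all(valuet v) {
    file_privs_t f;
    for (int i = 0; i < NPRIVS; i++) f.state[i] = v;
    return f;
}

/* ASSUMED combination rule at exec (not from the draft): forbidden strips
 * the privilege, required forces it on, allowed keeps it only if the caller
 * held it in both permitted and inheritable; inheritable survives unless forbidden. */
priv_set_t priv_exec(priv_set_t proc, const file_privs_t *f) {
    priv_set_t out = {0, 0, 0};
    for (int i = 0; i < NPRIVS; i++) {
        uint32_t bit = PRIV_BIT(i);
        if (f->state[i] == PRIV_FORBIDDEN) continue;
        out.inheritable |= proc.inheritable & bit;
        if (f->state[i] == PRIV_REQUIRED || (proc.permitted & proc.inheritable & bit)) {
            out.permitted |= bit; out.effective |= bit;
        }
    }
    return out;
}

/* The check a privileged operation makes (e.g. PRIV_FOWNER before chown). */
bool priv_check(priv_set_t p, enum priv_id id) {
    return (p.effective & PRIV_BIT(id)) != 0;
}

/* Constructed scenario: a process holding SETUID execs a file that forbids
 * SETUID, requires FOWNER and allows everything else. */
priv_set_t example_exec(void) {
    priv_set_t proc = { PRIV_BIT(P_SETUID) | PRIV_BIT(P_ADMIN) | PRIV_BIT(P_RESOURCE),
                        PRIV_BIT(P_SETUID), PRIV_BIT(P_ADMIN) | PRIV_BIT(P_FOWNER) };
    file_privs_t f = file_privs_all(PRIV_ALLOWED);
    f.state[P_SETUID] = PRIV_FORBIDDEN;
    f.state[P_FOWNER] = PRIV_REQUIRED;
    return priv_exec(proc, &f);
}
```

In the constructed scenario the new image ends up with FOWNER and ADMIN in all three sets: SETUID is dropped by the file, FOWNER is forced on, and RESOURCE is lost because the caller did not mark it inheritable.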