Trust and privilege

A process can bypass basic security restrictions (MAC, MIC, DAC, and other restricted operations) only if the process is adequately privileged. Any process that is running with a privilege or privileges is called a privileged process and the program that the process is running is called a privileged (trusted) program.

The term privilege refers to an individual attribute that allows a process to perform a security-related operation. Trusted AIX® identifies and groups certain security operations and associates a distinct privilege with each operation. This effectively removes the superuser (or root) privilege from the base system. Privileges are associated with processes and executable files.

Programs must be trusted under the following circumstances:
  • The program is configured or is intended to run as a privileged process. This applies to any program that is intended to be run by a privileged process.
  • The program is relied upon by another trusted program in making security decisions. For example, a program that alters a sensitive database must be trusted if other programs rely on the data in the database to make a security decision.
It is important to ensure that untrusted programs can never run as privileged processes. There are several ways to prevent untrusted programs from running as privileged processes:
  • Do not normally allow privileged processes to execute untrusted programs. For example, caution users who run privileged shell-like programs not to launch untrusted programs from within that privileged shell, because the child process would inherit its privileges.
  • Never allow innate, inherited, or authorized privileges for untrusted executable files.
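The second rule above is checkable: the security attributes that grant a command innate, inherited, or authorized privileges are visible in the output of `lssecattr -c ALL`, so any command that carries one of those attributes but is not on your trusted-program baseline is a finding. The script below is an added example, not from the IBM documentation; it parses a constructed sample in the `lssecattr -c` line format (command path followed by `attr=value` pairs) against a hypothetical trusted-program list and prints the commands that hold privileges without being trusted. On a real system you would pipe in the live command output and your own baseline instead.

```sh
#!/bin/sh
# Added example (not IBM's code): audit lssecattr-style command attributes
# against a trusted-program baseline. Both inputs are CONSTRUCTED samples;
# the privilege names and attribute keys follow AIX RBAC conventions, but
# the paths and the trusted list are hypothetical.

PRIV_ATTRS_SAMPLE='/usr/bin/mkuser accessauths=aix.security.user.create innateprivs=PV_DAC_R,PV_DAC_W secflags=FSF_EPS
/usr/sbin/chuser accessauths=aix.security.user.change innateprivs=PV_DAC_W inheritprivs=PV_DAC_R
/opt/local/bin/report innateprivs=PV_ROOT
/usr/bin/ls
/opt/vendor/bin/backup authprivs=aix.security.user.create=PV_DAC_R'

# Hypothetical baseline of programs that have been reviewed and are trusted.
TRUSTED_SAMPLE='/usr/bin/mkuser
/usr/sbin/chuser
/usr/bin/ls'

# is_trusted PATH LIST: succeed if PATH is an exact line of the
# newline-separated LIST.
is_trusted() {
  printf '%s\n' "$2" | grep -qx -- "$1"
}

# find_untrusted_privileged LISTING TRUSTED: print each command in LISTING
# that carries innateprivs, inheritprivs or authprivs but is absent from
# TRUSTED. Commands with no privilege attributes are ignored even when
# untrusted, since they cannot run privileged through RBAC.
find_untrusted_privileged() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    cmd=${line%% *}                     # first field is the command path
    case " $line" in
      *\ innateprivs=*|*\ inheritprivs=*|*\ authprivs=*) ;;
      *) continue ;;                    # no privilege grant on this line
    esac
    is_trusted "$cmd" "$2" || printf '%s\n' "$cmd"
  done
}

# Stand-alone run over the constructed sample: reports
# /opt/local/bin/report and /opt/vendor/bin/backup.
find_untrusted_privileged "$PRIV_ATTRS_SAMPLE" "$TRUSTED_SAMPLE"
```

To use this against a live system, replace the sample listing with `lssecattr -c ALL` output and the baseline with the set of programs your trusted-software process has approved; each reported path is a candidate for removing its privilege attributes with `setsecattr -c` followed by `setkst` to reload the kernel security tables.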

All portions of the operating system kernel, including device drivers, STREAMS modules, and kernel extensions, must be trusted. Data objects such as files and physical devices are also considered trusted if they contain information relied on by a trusted program to make security decisions.