The high cost of equipment in the early days of computing led to the development of time-shared computing systems that allowed multiple users to access the computer system concurrently. User accounts encapsulate the information particular to each individual user, such as the user's name, password, area of transient and persistent storage, configuration information, resource-usage quotas and other properties to be enforced on the user's behavior. By using user accounts, time sharing could be implemented without compromising the system's usability. Whereas previous computer system operations always directly affected the global state of the machine, operations on a user's behalf in systems implementing user accounts typically affect only the information in the user's account. In this manner, each user's actions became isolated from those of other users since, for the most part, they only affected the individual user's account information.
FIG. 1 illustrates the components in a conventional computer system implementing user accounts. Each operation that involves accessing the state of the system is discriminated to determine whether the state being accessed is local to an individual user account or global to the entire system (and therefore shared between all user accounts). If the access is to user-local state, the discrimination procedure determines the context of the access operation, that is, which user's account information to access. In conventional systems, context may be determined by, for example, using a low-level indirection (for memory accesses), the current virtual memory page tables, or a user account reference in each process or thread control block (for system calls).
Since their invention, user accounts have proven very useful. They enhance usability when multiple individuals simultaneously use a computing system and allow for segregation of system activity based on intent. For example, conventional systems may use a supervisor user account, called “root,” to run background services. Also, web-server activities may operate as “nobody,” that is, a user account with very limited privileges. Additionally, user accounts are integral to maintaining the security of a multi-user computer system since they may be used to control which data a user may access or which actions a user may perform.
User accounts allow multiple users on a computer or network to have access to resources based on the user's profile (security permissions, preferences, etc.). Each user account has limited access to a set of resources, and the account's use of those resources is protected from activity in other user accounts. For example, a network file system is a hierarchical collection of named resources (such as files and directories). Access to any part of the file system is regulated based on permissions applied to user accounts. If a directory is readable only by one user account, processes running in another user account will not be able to access the directory or any resources located (hierarchically) beneath it. In most conventional systems, actors in another user account cannot affect any resources anywhere below this protected directory. There are, of course, exceptions to this protection: some supervisory or administrative accounts (such as “root”) may be able to circumvent permissions applied by other user accounts.
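To make the protected-directory rule concrete, here is a small model (added here as an illustration, not part of the original document) of an access check that walks every ancestor of a path before granting access, together with a supervisory account that bypasses the check. The directory tree, account names and simplified mode bits are constructed assumptions.

```python
# Added example: a toy model of hierarchical permission checking.
# The tree, owners and "others_can_read" bits below are constructed for
# illustration and do not correspond to any real system.
from dataclasses import dataclass


@dataclass
class Node:
    owner: str
    others_can_read: bool  # simplified mode: the owner always has access


# Constructed tree: /home is world-readable, /home/alice is private, so
# everything beneath /home/alice is protected from other accounts even
# where the individual child nodes would otherwise be readable.
TREE = {
    "/": Node("root", True),
    "/home": Node("root", True),
    "/home/alice": Node("alice", False),
    "/home/alice/docs": Node("alice", True),
    "/home/alice/docs/budget.xls": Node("alice", True),
    "/home/bob": Node("bob", False),
}

SUPERVISOR = "root"  # supervisory account that circumvents permissions


def ancestors(path: str):
    """Yield every prefix of path from "/" down to the path itself."""
    parts = [p for p in path.split("/") if p]
    yield "/"
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])


def can_access(user: str, path: str) -> bool:
    """Grant access only if every node on the path admits the user.

    A single non-readable ancestor protects the whole subtree beneath it,
    regardless of the permissions set on the descendants themselves.
    """
    if user == SUPERVISOR:
        return path in TREE  # root bypasses permissions, not existence
    for p in ancestors(path):
        node = TREE.get(p)
        if node is None:
            return False  # no such resource
        if node.owner != user and not node.others_can_read:
            return False  # blocked at this level, whatever lies below
    return True
```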
Modern operating systems also run each process in its own protected segment of memory. A process generally cannot access memory outside of its own protected area, and thus cannot insert or modify code running in another section of memory. Furthermore, if a process performs some malicious behavior or executes illegal instructions, the scope of the behavior is limited to the memory assigned to the process. It is typically not possible, for example, for the process to cause another process to execute arbitrary instructions.
Protected memory helps to isolate the instructions that a process executes, but it does not in itself prevent a process from accessing and modifying other system resources. User accounts can be used to limit the effects of actors, but only at the expense of preventing actors from doing potentially useful things. For example, if a user receives a spreadsheet by email, but the application is prevented from opening it with the user's actual preferences (such as very large fonts needed because of a vision impairment), the spreadsheet is not useful to the user. The user should be able to open this document in a spreadsheet application that knows all of the user's preferences (which are stored somewhere in the user's account). In fact, most conventional approaches to computer security, such as setting “user security preferences,” using access control boundaries or restricted tokens in an operating system, or creating virtual environments, also have the undesirable side effect of limiting the actions of the user, thereby decreasing the functionality and usability of applications.