A system administrator controls a user's access to the resources of a computer system by assigning access rights to the user in a security system. One such system is a Role-Based Access Control (RBAC) system. RBAC uses authorizations, roles, and privileges to grant rights according to different levels of functionality for different classes of users. Roles are a set of functions unique to a particular class of users of the computer system, and multiple authorizations may be assigned to a role in order to allow users under that role to perform the requisite functions unique to that class of users. Privileges are the part of the RBAC system that provides fine-grained control of system functions. A user acquires privileges based on the authorizations granted to their role. Regular users are allowed access to various functions when they hold the relevant privileges. Privileges are typically mapped to bit masks and are used in the kernel space of the operating system to enforce security controls specific to each privileged function.
A problem arises in the RBAC system in regard to the assignment of privileges. In an RBAC system, a user runs a command that has various sub-commands, some of which are ordinary commands while others are privileged sub-commands. For a user to run the command, the user's role must hold an authorization. When the user is authorized to run the command, the operating system assigns to the command all the privileges required for running each privileged sub-command within the command. For example, one possible RBAC configuration of authorizations and privileges is shown below:

cmdA:
    accessauths = AuthABC
    innateprivs = privread, privexecute
    inheritprivs = priv1, priv2
cmd1:
    accessauths = auth1
    innateprivs = priv1
cmd2:
    accessauths = auth2
    innateprivs = priv2

As used herein, command shall have the same meaning as process, program, shell script, or parent, and sub-command shall have the same meaning as sub-process, sub-program, script, or child.
Referring to the above example, cmdA requires an access authorization, AuthABC, to be assigned to the user in order for the operating system to run the command. Additionally, cmdA also requires that the privileges, innateprivs and inheritprivs, be assigned to the user so that the sub-commands can be run. Innate privileges are privileges assigned to the command when the operating system determines that the command has the proper authorization. Inherit privileges are privileges that a command passes on to its sub-commands.
In general, various commands run through multiple sub-commands for sequential execution. The sub-commands may be either ordinary commands or privileged commands. Ordinary sub-commands do not require any authorization in order to execute, while privileged sub-commands require that the user be authorized to execute each of the privileged sub-commands. In an RBAC system, the command gains all of the accumulated authorizations needed to run each of the sequentially executed privileged sub-commands. Thus, when an authorization is assigned to a role, and correspondingly to the users associated with that role, those users are free to use the authorization from any context. In other words, a user with an authorization to execute a privileged sub-command could use the sub-command from any command, or directly from the command line. A sub-command that an authorized user executes with privileges throughout its lifetime creates a security risk. Therefore, a need exists for a way to eliminate this security risk by restricting the execution of privileged sub-commands to the context of the execution of the command, and only during the time the command actually runs the sub-command.
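As an added illustration that is not part of the original text, the following Python model resolves privileges for the cmdA / cmd1 / cmd2 configuration above and contrasts the accumulated-authorization behaviour (a sub-command runs privileged from any context) with the context-bound behaviour this section calls for (a sub-command is privileged only while an authorized parent is running it). The Command class, the role names and the privileges() and audit() functions are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Command:
    name: str
    accessauths: frozenset                  # authorizations a role needs to run it
    innateprivs: frozenset                  # privileges granted once authorized
    inheritprivs: frozenset = frozenset()   # privileges it passes to sub-commands
    subcommands: tuple = ()                 # privileged sub-commands it launches

# The cmdA / cmd1 / cmd2 table from the text, as constructed data.
CMD1 = Command("cmd1", frozenset({"auth1"}), frozenset({"priv1"}))
CMD2 = Command("cmd2", frozenset({"auth2"}), frozenset({"priv2"}))
CMDA = Command("cmdA", frozenset({"AuthABC"}), frozenset({"privread", "privexecute"}),
               frozenset({"priv1", "priv2"}), (CMD1, CMD2))

# Constructed roles: "admin" is what the accumulated model forces (it must hold
# auth1 and auth2 just so cmdA can run its sub-commands); "admin_ctx" holds only
# the authorization for cmdA itself.
ROLE_AUTHS = {
    "admin": frozenset({"AuthABC", "auth1", "auth2"}),
    "admin_ctx": frozenset({"AuthABC"}),
}

def privileges(cmd, role, context_bound, parent=None, parent_privs=frozenset()):
    """Privileges `cmd` runs with for `role`; an empty set means it runs
    unprivileged. `parent`/`parent_privs` describe the launching command, if any."""
    authorized = cmd.accessauths <= ROLE_AUTHS[role]
    if parent is None:                      # launched straight from the shell
        return (cmd.innateprivs | cmd.inheritprivs) if authorized else frozenset()
    inherited = parent.inheritprivs & parent_privs
    if context_bound:
        # Privileges come only from an authorized parent that is actually
        # running this sub-command, and only those the parent passes on.
        if cmd in parent.subcommands and parent_privs:
            return cmd.innateprivs & inherited
        return frozenset()
    # Accumulated-authorization model: the role's own authorization decides,
    # regardless of who launched the sub-command.
    return (cmd.innateprivs | inherited) if authorized else frozenset()

def audit(role, context_bound):
    """cmd1 run inside cmdA versus cmd1 run directly, under one policy."""
    cmda = privileges(CMDA, role, context_bound)
    return {
        "cmdA": cmda,
        "cmd1_via_cmdA": privileges(CMD1, role, context_bound, CMDA, cmda),
        "cmd1_direct": privileges(CMD1, role, context_bound),
    }
```

Under the accumulated model, audit("admin", False) shows cmd1 keeping priv1 when launched directly from the shell, which is the risk the text describes; under the context-bound model, audit("admin_ctx", True) gives cmd1 priv1 only when cmdA runs it and nothing when launched directly.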