In most current commercial operating systems an application shares resource namespaces with other applications running on the machine. The application's access to resources is mediated by a security mechanism that attaches an Access Control List (ACL) to each named resource. The ACL relates a user to a set of access rights for that particular resource. For example, the ACL for a particular resource may specify that user 1 is allowed read-write access to the resource and that user 2 is allowed read-only access to the resource.
In many known systems, when a process is created, the credentials of the user creating the process are associated with the process by the operating system. That is, typically an application, when running, is associated with the credentials of the user that started the application. Thus, if user 1 has access to files A through F and user 1 starts application X, application X will have access to files A through F, even if it only needs file B. A running application passes a resource to another running application by passing the name of the resource to the receiving application. As both the sending and the receiving application usually share a global namespace, this mechanism works, as long as the same user started both applications. If user 1 starts application X and application Y, and application X passes the name of file A to application Y, application Y will have access to file A because user 1 has access to file A. A problem may arise, however, when the receiving application has different credentials than the sending application. If one user starts the sending Application, and a second user starts the receiving application, the possibility exists that the receiving application will be unable to use the resource, because the ACL of the resource may not grant the second user the right to access the resource or may not grant the second user the same set of rights that the first user has.
One common mechanism employed to overcome this consequence of the ACL-based security system, is impersonation, which enables an application that receives a message to temporarily adopt the identity of the user who started the sending application. This enables access to be granted according to the access rights of the user who started the sending application. This approach may be problematic when the receiving application is not a trusted application because impersonation may provide the receiving application with access rights to resources the receiving application should not have.