Implementing Execution Controls in Unix

Current implementations of UNIX offer security features in the form of discretionary access controls (DACs). DACs are implemented with file access permissions and access control lists (ACLs). Unfortunately, neither of these facilities provide for access control to active processes. In order to provide many users access to a process (and its associated data) the current practice at our site is to establish a group account, where members on a project team share the login and password for an application. This practice is both insecure [cur90][fer93], and a violation of our site’s security policies. This paper describes the implementation of a new tool, medex, which eliminates the need for group login accounts. Medex mediates the access of users to privileged accounts and executables. The history behind our use of group accounts and a complete methodology for UNIX application management are presented. Details of the implementation of medex, including its interaction with the existing security features of UNIX, are given. The tool utilizes execution control lists (ECLs) as a means to allow controlled execution of programs under accounts other than the current login. Medex also re-authenticates the user’s password upon each instantiation and maintains an audit trail via log files or the use of the UNIX syslog facility. A complete project management example utilizing medex is given along with a comparison to related tools.