[Public Interpretations Database]

I-0168: Job initiation under different identity


NUMBER:               I-0168
STATUS:               Withdrawn
REASON:               Upon review, the IWG decided the interpretation was not
                      useful and represented criteria creep.

TITLE:                Job initiation under different identity

FIRST POST:            [criteria 2087]

REQUIREMENT:          Identification and Authentication
CRITERIA CLASSES:     C1, C2, B1, B2, B3, A1
DOCUMENT(S):          <None>
RELATED TO:
     I-0273           Auditing of Delayed Execution Jobs
     I-0001           Delayed Enforcement Of Authorization Change

STATEMENT:

The following interprets the entire Identification and Authentication requirement.

If a user (the "submitting" user) has the privilege to initiate jobs to be run under the identity of another user (the "target" user), the product shall not require the submitting user to provide the target user's authentication data to initiate the job. At the time of submittal, the TCB must ensure that both the submitting and target users are known to the system; furthermore, at B1-A1, the TCB must ensure that the security label at which the submitted job will execute is within the clearance range of the target user.
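The submission-time decision described above, written out as an added illustration (it is not part of the interpretation text and does not represent any evaluated product). The user table, privilege name SUBMIT_AS_OTHER and the label values are constructed sample data; the label model (a hierarchical level plus a category set, with the usual dominance rule) is an assumption used to make the "within the clearance range" check concrete. Note what the function does not take: any authentication data for the target user.

```python
"""Submission-time checks for a job initiated under another user's identity.

Added example for interpretation I-0168; constructed data, not a real TCB.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, NamedTuple, Optional


@dataclass(frozen=True)
class Label:
    """Assumed MLS label: hierarchical level plus non-hierarchical categories."""
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Standard dominance: level at least as high and a superset of categories."""
        return self.level >= other.level and self.categories >= other.categories


@dataclass(frozen=True)
class User:
    name: str
    privileges: FrozenSet[str]
    min_label: Label   # lowest label the user may operate at
    max_label: Label   # clearance: highest label the user may operate at


class Decision(NamedTuple):
    allowed: bool
    reason: str


def check_submission(users: Dict[str, User], submitter: str, target: str,
                     job_label: Optional[Label] = None) -> Decision:
    """Decide whether `submitter` may queue a job to run as `target`.

    The decision rests on the submitter's privilege and on the TCB's own
    records of users and clearances.  No password or other authentication
    data for the target is accepted or required, as the interpretation states.
    `job_label` is None for systems below B1, where no label check applies.
    """
    sub = users.get(submitter)
    tgt = users.get(target)
    # Both identities must be known to the system at submittal time.
    if sub is None or tgt is None:
        return Decision(False, "submitting and target users must both be known")
    # Running under another identity requires the (constructed) privilege.
    if submitter != target and "SUBMIT_AS_OTHER" not in sub.privileges:
        return Decision(False, "submitter lacks privilege to initiate jobs for other users")
    # B1-A1: the job's label must lie within the TARGET user's clearance range.
    # The interpretation states no check against the submitter's own range.
    if job_label is not None:
        inside = tgt.max_label.dominates(job_label) and job_label.dominates(tgt.min_label)
        if not inside:
            return Decision(False, "job label outside target user's clearance range")
    return Decision(True, f"queued: submitted by {submitter}, runs as {target}")


# Constructed sample data: an operator whose own clearance is lower than the
# target's, which is exactly the mainframe situation the SUPPORT text describes.
UNCLASS = Label(0)
CONFIDENTIAL = Label(1)
SECRET_CRYPTO = Label(2, frozenset({"crypto"}))
TS_CRYPTO_NUC = Label(3, frozenset({"crypto", "nuclear"}))

USERS = {
    "operator": User("operator", frozenset({"SUBMIT_AS_OTHER"}), UNCLASS, CONFIDENTIAL),
    "alice": User("alice", frozenset(), UNCLASS, SECRET_CRYPTO),
    "bob": User("bob", frozenset(), UNCLASS, UNCLASS),
}

if __name__ == "__main__":
    for args in [("operator", "alice", SECRET_CRYPTO),
                 ("operator", "alice", TS_CRYPTO_NUC),
                 ("bob", "alice", None),
                 ("operator", "mallory", None),
                 ("bob", "bob", None)]:
        print(args[:2], check_submission(USERS, *args))
```

The label comparison uses the target's range only because that is what the interpretation requires at submittal; the checks that apply when the job later executes (covered by the related interpretation on delayed execution) are a separate step and are not modelled here.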

PROJECTED IMPACT:

Minimal. It is expected that all currently evaluated systems will meet this interpretation.

SUPPORT:

Authentication data should only be known by the user being authenticated; therefore, we do not want users collecting passwords for any jobs they might spawn for other users. This situation has most often occurred on mainframes, where operators sometimes have to spawn jobs for other users. The organization's act of giving a user the privilege to spawn jobs for other users says that it has the necessary trust in that user to enforce the security policies.

Note that the wording also applies to setuid programs in the Unix paradigm. For those programs, the target user explicitly grants permission for other users (as defined by the execute permission bits) to execute programs under their identity without authentication.

The checks made by the TCB under this interpretation are performed at the time the job is submitted. There are additional checks necessary when the job is executed; these checks are covered by interp 303. If the job is executed at the time of submittal, the two sets of checks will collapse into a single set of checks.