[TUHS] Government-Issue UNIX?
Theodore Ts'o via TUHS
tuhs at tuhs.org
Fri Oct 10 23:46:53 AEST 2025
On Thu, Oct 09, 2025 at 09:11:08PM -0400, GARY LUCKENBAUGH via TUHS wrote:
> I was the lead developer on IBM Secure Xenix. I designed all the
> APIs and did much of the kernel work from Jan 1984 until 1989 when
> we handed off the project to Steve Walker's Trusted Information
> Systems.
Yes, there was a huge push in that era for the government to ask the
computer industry again for "Secure Unix". The catch phrase at the
time was "B2 by '92". That is, that there would be multiple Unix
systems available for sale to the US government which would meet
the B2 level as defined by the Orange Book. (Multics could meet
B3, but it was pretty clear that Unix could never achieve B3, but it
was hoped that B2 was achievable.) More information about this can be
found here:
[1] https://bitsavers.computerhistory.org/pdf/sdc/adept-50/Lipner_-_The_Birth_and_Death_of_the_Orange_Book_2015.pdf
There was an attempt to standardize the necessary interfaces in Posix.
This was Posix.1e, and it got as far as Draft 17 before it was abandoned. Casey Schaufler was the last technical editor of Posix.1e before the plug was pulled and described the reasons why here[2].
[2] https://groups.google.com/g/comp.security.unix/c/gfyLMetqubs/m/5tBrcPuJA0gJ
The short version is that there wasn't any commercial demand for
Secure Unix, and while there were implementations of early drafts
Posix Capabilities in Solaris, AIX, etc., it became clear that there
wasn't enough of a market for the feature, and one by one, companies
abandoned the effort.
Linux does have an implementation of the last draft of Posix.1e,
and there is some use of it, but one of the problems is that the Posix
capabilities were insufficiently granular. In particular,
CAP_SYS_ADMIN is pretty much as good as root. There is some use of it
to only give certain programs CAP_NET_RAW (for example) instead of
root, but doing a large amount of capability
modulation has pretty much been proved to be not workable.
You can make the ping program no longer be setuid root, but set a
POSIX capability effective mask so that CAP_NET_RAW is raised when
ping is started, but would this be compelling enough for a customer to
switch from, say, Solaris to AIX? Not really. So it's not surprising
that companies weren't interested in paying engineers to travel to
POSIX.1e standards meetings, and to make all of the changes in the
broader Unix userspace and application ecosystem to support the full
POSIX capabilities vision.
- Ted
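As an added illustration of the ping case Ted describes (this is not part of his message or of any TUHS or Linux code): the Python below decodes the `security.capability` xattr that `setcap` writes (the kernel's `struct vfs_cap_data`) and reports whether a binary relies on setuid root or on file capabilities, flagging CAP_SYS_ADMIN as the near-root case. Capability numbers and the layout constants are from `linux/capability.h`; `PING_BLOB` is a constructed sample, not data read from a real system.

```python
import os
import stat
import struct

# Capability bit numbers from linux/capability.h (subset; unknown bits print as cap_N)
CAP_NUM = {"CAP_NET_BIND_SERVICE": 10, "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13,
           "CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21, "CAP_SYS_NICE": 23}
CAP_NAME = {v: k for k, v in CAP_NUM.items()}
VFS_CAP_REVISION_MASK, VFS_CAP_FLAGS_EFFECTIVE = 0xFF000000, 0x000001
WORDS_PER_REV = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # v3 appends a rootid
NEAR_ROOT = {"CAP_SYS_ADMIN"}  # the "as good as root" capability Ted mentions

def names(mask):
    return {CAP_NAME.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1}

def decode_vfs_caps(blob):
    """Parse a security.capability xattr (struct vfs_cap_data) into cap-name sets."""
    magic_etc, = struct.unpack_from("<I", blob, 0)
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in WORDS_PER_REV:
        raise ValueError(f"unknown vfs_cap_data revision {rev:#x}")
    permitted = inheritable = 0
    for i in range(WORDS_PER_REV[rev]):  # little-endian 32-bit words, low word first
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    # With the E flag set, the kernel makes the effective set equal to permitted
    effective = names(permitted) if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else set()
    return {"permitted": names(permitted), "inheritable": names(inheritable),
            "effective": effective}

def encode_vfs_caps(caps, effective=True):
    """Build the v2 blob that `setcap <caps>+ep` stores (inheritable set left empty)."""
    mask = sum(1 << CAP_NUM[c] for c in caps)
    magic = 0x02000000 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, mask & 0xFFFFFFFF, 0, mask >> 32, 0)

def classify(path):
    """Report how a binary gains privilege: setuid-root, file capabilities, or neither."""
    st = os.stat(path)
    if st.st_mode & stat.S_ISUID and st.st_uid == 0:
        return "setuid-root"
    try:
        caps = decode_vfs_caps(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):  # no xattr set, or not a Linux host
        return "none"
    flag = " (near-root!)" if caps["effective"] & NEAR_ROOT else ""
    return "caps: " + ",".join(sorted(caps["effective"])) + flag

PING_BLOB = encode_vfs_caps(["CAP_NET_RAW"])  # constructed: a capability-based ping
```

Running `classify("/usr/bin/ping")` on a Linux host shows which of the two mechanisms the distribution chose; `getcap` prints the same information as `cap_net_raw=ep`.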