[TUHS] Government-Issue UNIX?

GARY LUCKENBAUGH via TUHS tuhs at tuhs.org
Sat Oct 11 00:46:33 AEST 2025


Very interesting. We didn't add fine-grained privileges to Xenix until near the very end of the project, and I think it was just the CMW variant.  We picked them up from a reference implementation done at Mitre in the Boston area. I can't remember the name of the guy that built that, but I heard he got a promotion because he was successful in getting his technology transferred to a commercial product. 

IBM sold us to Loral in 1994, so that explains why I never heard of the AT&T work. I was on loan to IBM Austin when we were sold, and I could have stayed with IBM if I moved there, but I had family on the east coast. 

I'm curious if the AT&T evaluation went smoother than the IBM one did. 

Gary Luckenbaugh 

Sent from my iPhone

> On Oct 10, 2025, at 9:47 AM, Theodore Ts'o via TUHS <tuhs at tuhs.org> wrote:
> 
> On Thu, Oct 09, 2025 at 09:11:08PM -0400, GARY LUCKENBAUGH via TUHS wrote:
>> I was the lead developer on IBM Secure Xenix. I designed all the
>> APIs and did much of the kernel work from Jan 1984 until 1989 when
>> we handed off the project to Steve Walker's Trusted Information
>> Systems.
> 
> Yes, there was a huge push in that era for the government to ask the
> computer industry again for "Secure Unix".  The catch phrase at the
> time was "B2 by '92".  That is, that there would be multiple Unix
> systems be available for sale to the US government which would meet
> the B2 level as defined by the Orange Book.  (Multics could meet
> B3, but it was pretty clear that Unix could never achieve B3, but it
> was hoped that B2 was achievable.)  More information about this can be
> found here:
> 
> [1] https://bitsavers.computerhistory.org/pdf/sdc/adept-50/Lipner_-_The_Birth_and_Death_of_the_Orange_Book_2015.pdf
> 
> There was an attempt to standardize the necessary interfaces in Posix.
> This was Posix.1e, and it got as far as Draft 17 before it was abandoned.   Casey Schaufler was the last technical editor of Posix.1e before the plug was pulled and described the reasons why here[2].
> 
> [2] https://groups.google.com/g/comp.security.unix/c/gfyLMetqubs/m/5tBrcPuJA0gJ
> 
> The short version is that there wasn't any commercial demand for
> Secure Unix, and while there were implementations of early drafts of
> Posix Capabilities in Solaris, AIX, etc., it became clear that there
> wasn't enough of a market for the feature, and one by one, companies
> abandoned the effort.
> 
> Linux does have an implementation of the last draft of Posix.1e, and
> there is some use of it, but one of the problems is that the Posix
> capabilities were insufficiently granular.  In particular,
> CAP_SYS_ADMIN is pretty much as good as root.  There is some use of it
> to only give certain programs CAP_NET_RAW (for example) instead of
> root, but the ability to do a large number of capability
> modulations has pretty much been proved to be not workable.
> 
> You can make the ping program no longer be setuid root, but set a
> POSIX capability effective mask so that CAP_NET_RAW is raised when
> ping is started, but would this be compelling enough for a customer to
> switch from, say, Solaris to AIX?  Not really.  So it's not surprising
> that companies weren't interested in paying engineers to travel to
> POSIX.1e standards meetings, and to make all of the changes in the
> broader Unix userspace and application ecosystem to support the full
> POSIX capabilities vision.
> 
>                        - Ted
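A worked version of the ping/CAP_NET_RAW approach Ted describes above, added here as an illustration; it is not code from the thread or from any of the systems discussed. It assumes a Linux host with libcap's setcap/getcap tools, a filesystem that stores the security.capability xattr, and a ping binary at /usr/bin/ping; the shell function names and the decode-by-bit-number approach are my own. The decoder is there so you can check, from /proc/<pid>/status, what a running process actually holds rather than trusting what you think setcap did.

```shell
#!/bin/sh
# Added example (not from the original thread): replace setuid-root on a
# ping binary with a file capability, then verify what a process actually
# holds by decoding the CapEff bitmask from /proc/<pid>/status.
#
# Assumptions: Linux, libcap's setcap/getcap installed, a filesystem that
# stores security.capability xattrs, and ping at /usr/bin/ping (assumed).

# Capability bit numbers as defined in linux/capability.h.
cap_name() {
    case "$1" in
        0)  echo cap_chown ;;            1)  echo cap_dac_override ;;
        2)  echo cap_dac_read_search ;;  3)  echo cap_fowner ;;
        4)  echo cap_fsetid ;;           5)  echo cap_kill ;;
        6)  echo cap_setgid ;;           7)  echo cap_setuid ;;
        8)  echo cap_setpcap ;;          9)  echo cap_linux_immutable ;;
        10) echo cap_net_bind_service ;; 11) echo cap_net_broadcast ;;
        12) echo cap_net_admin ;;        13) echo cap_net_raw ;;
        14) echo cap_ipc_lock ;;         15) echo cap_ipc_owner ;;
        16) echo cap_sys_module ;;       17) echo cap_sys_rawio ;;
        18) echo cap_sys_chroot ;;       19) echo cap_sys_ptrace ;;
        20) echo cap_sys_pacct ;;        21) echo cap_sys_admin ;;
        22) echo cap_sys_boot ;;         23) echo cap_sys_nice ;;
        24) echo cap_sys_resource ;;     25) echo cap_sys_time ;;
        26) echo cap_sys_tty_config ;;   27) echo cap_mknod ;;
        28) echo cap_lease ;;            29) echo cap_audit_write ;;
        30) echo cap_audit_control ;;    31) echo cap_setfcap ;;
        32) echo cap_mac_override ;;     33) echo cap_mac_admin ;;
        34) echo cap_syslog ;;           35) echo cap_wake_alarm ;;
        36) echo cap_block_suspend ;;    37) echo cap_audit_read ;;
        38) echo cap_perfmon ;;          39) echo cap_bpf ;;
        40) echo cap_checkpoint_restore ;;
        *)  echo "cap_$1" ;;
    esac
}

# decode_caps HEXMASK -> space-separated names of the set bits, ascending.
# HEXMASK is the raw field from /proc/<pid>/status (e.g. 0000000000002000).
decode_caps() {
    mask=$((0x$1))
    out=""
    i=0
    while [ "$i" -lt 41 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="$out $(cap_name "$i")"
        fi
        i=$((i + 1))
    done
    echo "${out# }"
}

# effective_caps [PID] -> decoded CapEff of PID (defaults to the caller).
effective_caps() {
    pid="${1:-self}"
    hex=$(awk '/^CapEff:/ {print $2}' "/proc/$pid/status")
    decode_caps "$hex"
}

# harden_ping [PATH]: drop the setuid bit and grant only CAP_NET_RAW in the
# file's permitted and effective sets. The "e" flag matters: a legacy binary
# that never calls cap_set_proc() only gets the capability raised at exec
# if the file's effective bit is set. Requires root (or CAP_SETFCAP).
harden_ping() {
    bin="${1:-/usr/bin/ping}"
    chmod u-s "$bin"
    setcap cap_net_raw+ep "$bin"
    getcap "$bin"          # expect: /usr/bin/ping cap_net_raw=ep
}

# Usage (as root):  harden_ping /usr/bin/ping
# Then, from another shell:  effective_caps "$(pgrep -n ping)"
# should print exactly "cap_net_raw" while a ping is running.
```

Running effective_caps on a root shell prints the full set, which is the quickest way to see the point Ted makes about granularity: a process holding cap_sys_admin in that list is not meaningfully less privileged than one holding everything.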

