Computing Reviews
Design and implementation of Secure Xenix
Gligor V., Chandersekaran C., Chapman R. (ed), Dotterer L., Hecht M., Jiang W., Johri A., Luckenbaugh G., Vasudevan N. IEEE Transactions on Software Engineering SE-13 (2): 208-220, 1987. Type: Article
Date Reviewed: Nov 1 1987

This research paper describes the modifications made to Xenix to provide a more secure operating system. It lays out the design considerations involved and how these affect the modifications to the computer. The abstract details are buttressed with examples of problems and how these are dealt with. The paper concludes with a discussion of lessons learned.

On the whole, this paper does what it intends to do. It is fairly complete (more so than most like it) and looks at many of the troublesome problems faced by designers of secure UNIX-based computer systems. Unfortunately, this paper is too short; it raises questions that it does not answer, and the section on mandatory access controls uses terminology that is explained only later.

Here is an example of an unanswered question: In a discussion of setuid, the authors state that the setuid privilege is dropped whenever a setuid program opens a file for writing. In the discussion of the line-printer spooling system, the authors write that the spooler (which is setuid to a pseudo-user “lp”) creates a work request file in the spool directory, changes its effective user id to the invoker, and copies the user’s data into the file. (This is allowed because “the [spooler] retains the file descriptor of the work request file just created after it has reset the effective user id.”) They fail to explain why other setuid programs could not do something similar.

Reviewer:  Matt Bishop Review #: CR111787
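
The descriptor behaviour that the quoted spooler passage relies on, as an added example that comes from neither the paper nor this review: standard POSIX checks access when a file is opened, so a descriptor obtained earlier stays usable after the caller could no longer open the file. Assumptions: revoking the file's mode bits stands in for resetting the effective user id (which would need a setuid binary), the function name and `/tmp` path are hypothetical, and Secure Xenix's own rule of dropping setuid on open-for-write is not modelled.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct fd_demo {
    int retained_write_ok; /* write() through the descriptor opened earlier */
    int reopen_errno;      /* errno of a fresh open() afterwards, 0 if it succeeded */
};

/* Hypothetical helper: returns 0 on success, -1 if setup failed. */
int retained_fd_demo(struct fd_demo *out)
{
    char path[] = "/tmp/workreq-XXXXXX"; /* constructed stand-in for a work request file */
    const char msg[] = "user data\n";
    int fd = mkstemp(path);              /* created and opened read/write, mode 0600 */
    if (fd < 0)
        return -1;

    /* Stand-in for the identity change: take away every permission on the file. */
    if (fchmod(fd, 0) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    /* The descriptor was authorised at open time, so writing still works. */
    out->retained_write_ok =
        write(fd, msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1);

    /* A fresh open is checked against the current mode and identity. */
    int fd2 = open(path, O_WRONLY);
    out->reopen_errno = (fd2 < 0) ? errno : 0;
    if (fd2 >= 0)
        close(fd2);
    close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    struct fd_demo r;
    if (retained_fd_demo(&r) != 0)
        return 1;
    printf("retained fd write: %s, fresh open: %s\n", r.retained_write_ok ? "ok" : "failed",
           r.reopen_errno ? strerror(r.reopen_errno) : "ok (privileged caller)");
    return 0;
}
```

A privileged caller bypasses the mode check, so the fresh open succeeds when this runs as root.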
Xenix (D.4.6 ... )
Access Controls (D.4.6 ... )
Methodologies (D.2.10 ... )
Semantics (D.3.1 ... )
Unix (D.4.0 ... )
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®