When a process runs in a DAC-based operating system, it invokes several system calls. These system calls can retrieve as well as alter user data and kernel data; hence they are the main points of risk for system security. If a process's access to system calls is restricted, damage can be prevented. In the PBS operating system, there exists a “PBS-specific access right” related to every system call in the kernel. These access rights are in addition to the standard rights defined in the Linux operating system. Thus, a process can invoke a system call only if it holds the particular PBS-specific access right for that call.
Since the security is implemented at the kernel level, it is impossible for a user, even a trusted user, to compromise the system. Even if a user attains primary administrator access rights by social engineering or some other means, any system damage will be limited to that one particular process, and then only at the application level, not the system level.
In PBS, the only point of risk that remains to be considered is how the access rights are assigned to the process. PBS has a set number of processes which can run in the system, each of which has a predefined set of access rights listed in a file containing the access control list (the ACL file). When installing a program onto the system, a Master Administrator (defined as the person who builds the original system image) determines the PBS-specific access rights needed for the execution of the program, and an entry is made accordingly in the ACL file. This file contains the list of programs that can be safely executed in the system and the PBS-specific access rights required for each program. Thus, when a program starts running in the PBS system, a check is made to verify whether it has the access rights specified in the ACL file. Additionally, user-level authentication is implemented as another layer of security.
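The following is an added user-space model of the checks just described (the start-time ACL lookup and the per-system-call right check); it is illustrative code, not PBS's kernel implementation, and the ACL file format, the right names, and the mapping from system calls to rights are all assumptions.

```python
# Added example, not code from the PBS system. The ACL file layout,
# the PBS_* right names and SYSCALL_RIGHTS are assumed for illustration.

# Assumed mapping: each system call needs one PBS-specific right
# in addition to the ordinary Linux DAC check.
SYSCALL_RIGHTS = {
    "open": "PBS_FILE_READ",
    "write": "PBS_FILE_WRITE",
    "socket": "PBS_NET",
    "execve": "PBS_EXEC",
    "ptrace": "PBS_TRACE",
}

# Constructed ACL file: one line per program the Master Administrator
# placed on the image, followed by the rights it needs to run.
ACL_FILE = """\
# program            rights (comma separated)
/usr/sbin/httpd      PBS_FILE_READ,PBS_NET
/usr/sbin/smtpd      PBS_FILE_READ,PBS_FILE_WRITE,PBS_NET
"""

def parse_acl(text):
    """Return {program: set(rights)} parsed from the ACL file text."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments/blank lines
        if not line:
            continue
        program, rights = line.split(None, 1)
        acl[program] = {r.strip() for r in rights.split(",") if r.strip()}
    return acl

def may_start(acl, program):
    """Start-time check: only programs listed in the ACL may run at all."""
    return program in acl

def may_invoke(acl, program, syscall):
    """Per-call check: the process must hold the PBS-specific right for
    this system call. Unknown calls and unlisted programs fail closed."""
    required = SYSCALL_RIGHTS.get(syscall)
    if required is None or not may_start(acl, program):
        return False
    return required in acl[program]

if __name__ == "__main__":
    acl = parse_acl(ACL_FILE)
    print(may_invoke(acl, "/usr/sbin/httpd", "open"))    # True
    print(may_invoke(acl, "/usr/sbin/httpd", "execve"))  # False
    print(may_start(acl, "/tmp/unlisted"))               # False
```

Because the check fails closed, a program that is not in the ACL file cannot start, and a listed program cannot reach a system call whose right it was never granted, which is the containment the text describes.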
Due to this restrictive nature of the PBS operating system, the number of processes running at any time is limited to only those that are absolutely needed for the web server, mail server, or any other service running in the PBS environment. Although this reduces flexibility, it increases security by limiting the potential points of failure.
FEATURES