2002-09-04 13:33:31 PDT
This is picking nits, but the current model of the super user being able to revoke all permissions except the permission to hand out permissions is weak. There is no perfect solution, but a better mechanism is that of MVS, which doesn't have the concept of a super user. While it looks as if BRiX's security model is pretty good, conceptually, something that could be done that would increase the system's security significantly is to have a separate user that controls permissions for the super user. I.e., this user's /only/ role is to set the permissions of root. If root is locked down, then a cracker would have to break two accounts to compromise the system, rather than just one. This would also allow corporations to better audit their sysadmins.
Consider a situation where root is limited to certain maintenance operations, and is disallowed from accessing some sensitive documents area.
With a dual-identity core security system, you improve system security and provide a way of implementing an auditing mechanism which a sysadmin can't supersede.
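The dual-identity scheme sketched in this comment, as an added toy model that is not part of the original post or of BRiX: the account names `root`, `secadmin` and `alice` and the permission names are assumptions, chosen only to show that root can manage everyone but itself, that only the separate security account can touch root, and that every attempt, allowed or denied, lands in an audit log root has no way to alter.

```python
# Added example (not from the original post): a toy model of the two-account
# scheme. "root" (hypothetical name) can manage every other account's
# permissions but not its own; a separate "secadmin" account (hypothetical
# name) can do nothing except set root's permissions. Every attempt, whether
# allowed or denied, is appended to an audit log that has no delete operation.

from dataclasses import dataclass, field


class Denied(Exception):
    """Raised when an actor tries to change permissions it may not change."""


@dataclass
class System:
    perms: dict = field(default_factory=lambda: {
        "root": {"maintenance", "grant"},      # can grant to ordinary users
        "secadmin": {"set_root_perms"},        # its only role: configure root
        "alice": {"read_docs"},                # ordinary user
    })
    audit: list = field(default_factory=list)  # append-only record of attempts

    def set_perms(self, actor, target, new_perms):
        """Replace target's permission set, subject to the dual-identity rule."""
        actor_perms = self.perms.get(actor, set())
        if target == "root":
            # Only the security officer may touch root; root cannot touch itself.
            allowed = "set_root_perms" in actor_perms
        elif target == "secadmin":
            # Nobody, including root, can alter the security officer's role.
            allowed = False
        else:
            # Ordinary accounts are managed by whoever holds "grant" (root here).
            allowed = "grant" in actor_perms
        self.audit.append((actor, target, frozenset(new_perms), allowed))
        if not allowed:
            raise Denied(f"{actor} may not set permissions of {target}")
        self.perms[target] = set(new_perms)

    def can(self, user, perm):
        """Check whether a user currently holds a permission."""
        return perm in self.perms.get(user, set())
```

Compromising root alone therefore never yields the `set_root_perms` capability, and the denied attempt itself is visible in the audit record.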