Powerful applications can be implemented using command scripts. A command script is a program written by one user, called a writer, and made available to another user, called the reader, who executes the script. For instance, command scripts could be used by Mosaic, the popular World-wide Web browsing tool, to provide fancy interfaces to services, such as banking, shopping, etc. However, the use of command scripts presents a serious security problem. A command script is run with the reader's access rights, so a writer can use a command script to gain unauthorized access to the reader's data and applications. Existing solutions to the problem either severely restrict I O capability of scripts, limiting the range of applications that can be supported, or permit all I O to scripts, potentially compromising the security of the reader's data. We de ne a discretionary access control model that permits users to exibly limit the access rights of the processes that execute a com...