In
computer programming and
computer security, privilege separation is one software-based technique for implementing the
principle of least privilege. With privilege separation, a
program is divided into parts which are limited to the specific
privileges
Privilege may refer to:
Arts and entertainment
* ''Privilege'' (film), a 1967 film directed by Peter Watkins
* ''Privilege'' (Ivor Cutler album), 1983
* ''Privilege'' (Television Personalities album), 1990
* ''Privilege (Abridged)'', an alb ...
they require in order to perform a specific task. This is used to mitigate the potential damage of a computer security vulnerability.
A common method to implement privilege separation is to have a computer program
fork into two
processes. The main program drops
privileges
Privilege may refer to:
Arts and entertainment
* ''Privilege'' (film), a 1967 film directed by Peter Watkins
* ''Privilege'' (Ivor Cutler album), 1983
* ''Privilege'' (Television Personalities album), 1990
* ''Privilege (Abridged)'', an alb ...
, and the smaller program keeps privileges in order to perform a certain task. The two halves then communicate via a
socket pair. Thus, any successful attack against the larger program will gain minimal access, even though the pair of programs will be capable of performing privileged operations.
Privilege separation is traditionally accomplished by distinguishing a ''real''
user ID/
group ID
In Unix-like systems, multiple users can be put into ''groups''. POSIX and conventional Unix file system permissions are organized into three classes, ''user'', ''group'', and ''others''. The use of groups allows additional abilities to be delega ...
from the ''effective'' user ID/group ID, using the
setuid(2)/
setgid(2) and related
system calls, which were specified by
POSIX. If these are incorrectly positioned, gaps can allow widespread network penetration.
Many
network service
daemons have to do a specific privileged operation such as open a
raw socket or an
Internet socket in the
well known ports range. Administrative
utilities can require particular privileges at
run-time as well. Such software tends to separate privileges by revoking them completely after the critical section is done, and change the user it runs under to some unprivileged account after so doing. This action is known as ''dropping root'' under
Unix-like operating systems. The unprivileged part is usually run under the "
nobody" user or an equivalent separate user account.
Privilege separation can also be done by splitting functionality of a single program into multiple smaller programs, and then assigning the extended privileges to particular parts using
file system permissions. That way the different programs have to communicate with each other through the operating system, so the scope of the potential vulnerabilities is limited (since a
crash in the less privileged part cannot be
exploited to gain privileges, merely to cause a
denial-of-service attack).
Separation of privileges is one of the major
OpenBSD security features. The implementation of
Postfix was focused on implementing comprehensive privilege separation. Another email server software designed with privilege separation and security in mind is
Dovecot.
Solaris implements a separate set of functions for
privilege bracketing.
See also
*
Capability-based security
*
Confused deputy problem
*
Privilege escalation
*
Privilege revocation (computing)
*
Defensive programming
*
Sandbox (computer security)
External links
*
Theo de RaadtExploit Mitigation Techniques in OpenBSDslides
*
Niels Provos,
Markus Friedl,
Peter Honeyman
Peter may refer to:
People
* List of people named Peter, a list of people and fictional characters with the given name
* Peter (given name)
** Saint Peter (died 60s), apostle of Jesus, leader of the early Christian Church
* Peter (surname), a sur ...
Preventing Privilege Escalationpaper
*
Niels ProvosPrivilege Separated OpenSSHproject
{{DEFAULTSORT:Privilege Separation
Computer security procedures