In computer security, privilege bracketing is a temporary increase in software privilege within a process to perform a specific function, assuming those necessary privileges at the last possible moment and dismissing them as soon as no longer strictly necessary, therefore ostensibly avoiding fallout from erroneous code that unintentionally exploits more privilege than is merited. It is an example of the use of

principle of least privilege In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction la ...

defensive programming Defensive programming is a form of defensive design intended to develop programs that are capable of detecting potential security abnormalities and make predetermined responses. It ensures the continuing function of a piece of software under unf ...

. It should be distinguished from

privilege separation In computer programming and computer security, privilege separation is one software-based technique for implementing the principle of least privilege. With privilege separation, a program is divided into parts which are limited to the specific pri ...

, which is a much more effective security measure that separates the privileged parts of the system from its unprivileged parts by putting them into different processes, as opposed to switching between them within a single process. An known example of privilege bracketing is in Debian/Ubuntu: using the 'sudo' tool to temporarily acquire 'root' privileges to perform an administrative command. A Microsoft Powershell equivalent is "Just In Time, Just Enough Admin".

References

Computer security procedures {{computer-security-stub

See also

References