In computer programming and computer security, privilege separation is one software-based technique for implementing the principle of least privilege. With privilege separation, a program is divided into parts which are limited to the specific privileges they require in order to perform a specific task. This is used to mitigate the potential damage of a computer security vulnerability.
A common method to implement privilege separation is to have a computer program fork into two processes. The main program drops privileges, and the smaller program keeps privileges in order to perform a certain task. The two halves then communicate via a socket pair. Thus, any successful attack against the larger program will gain minimal access, even though the pair of programs will be capable of performing privileged operations.
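The fork-and-socket-pair layout just described, as an added example in C (not code from the article, nor from OpenSSH, Postfix or any other project the article names): the parent keeps its privileges and acts as a small monitor, while the child drops root (when it has it) and then asks the monitor to open a file on its behalf. The monitor checks the request against a path-prefix policy and hands the open descriptor back over the socket pair with SCM_RIGHTS, so the unprivileged half never needs the right to open the file itself. The uid/gid 65534 ("nobody" on typical Linux systems), the /tmp sample file, the one-byte reply protocol and the prefix policy are assumptions of the example.

```c
#define _GNU_SOURCE                    /* glibc: exposes setgroups() in <grp.h> */
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534               /* assumption: "nobody" on typical Linux systems */
#define UNPRIV_GID 65534

/* Drop root for good (groups, then gid, then uid) and verify it cannot be regained. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;                       /* nothing to drop */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;                     /* regaining root must fail */
}

/* Reply to the child: byte 'F' plus the descriptor as SCM_RIGHTS data, or 'D' = denied. */
static int send_fd(int sock, int fd) {
    char byte = fd < 0 ? 'D' : 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {
        msg.msg_control = cbuf;
        msg.msg_controllen = sizeof cbuf;
        struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the reply; returns the descriptor, or -1 when the monitor refused. */
static int recv_fd(int sock) {
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1 || byte != 'F') return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Privileged half: answer one "open this path read-only" request, but only for paths
   under allowed_prefix with no ".." component. The monitor decides; the child only asks. */
static void monitor_serve(int sock, const char *allowed_prefix) {
    char req[512];
    ssize_t n = read(sock, req, sizeof req - 1);
    if (n <= 0) return;
    req[n] = '\0';
    int fd = -1;
    if (strncmp(req, allowed_prefix, strlen(allowed_prefix)) == 0 && strstr(req, "..") == NULL)
        fd = open(req, O_RDONLY);
    send_fd(sock, fd);
    if (fd >= 0) close(fd);
}

/* Returns the child's exit status: 0 when the unprivileged half read `expected`
   through the descriptor it was handed, 4 when the monitor refused the path. */
int privsep_demo(const char *path, const char *allowed_prefix, const char *expected) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                     /* unprivileged half */
        close(sv[0]);
        if (drop_privileges(UNPRIV_UID, UNPRIV_GID) != 0) _exit(2);
        if (write(sv[1], path, strlen(path)) < 0) _exit(3);
        int fd = recv_fd(sv[1]);
        if (fd < 0) _exit(4);
        char buf[256] = {0};
        ssize_t got = read(fd, buf, sizeof buf - 1);
        _exit(got >= 0 && strcmp(buf, expected) == 0 ? 0 : 5);
    }
    close(sv[1]);                                       /* privileged half */
    monitor_serve(sv[0], allowed_prefix);
    close(sv[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Constructed sample file; the prefix policy decides whether the child may have it. */
static int run_sample(const char *allowed_prefix) {
    char path[] = "/tmp/privsep-sample-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, "hello", 5) != 5) return -1;
    close(fd);
    int rc = privsep_demo(path, allowed_prefix, "hello");
    unlink(path);
    return rc;
}
int sample_allowed(void) { return run_sample("/tmp/"); } /* path under prefix: 0 */
int sample_denied(void)  { return run_sample("/var/"); } /* wrong prefix: 4 */
```

Calling `sample_allowed()` returns 0 and `sample_denied()` returns 4. Two design points carry the security argument: the drop in the child is verified (a `setuid(0)` that still succeeds is treated as failure), and the child never receives a capability it did not ask for through the monitor's policy, so a bug in the larger, unprivileged half yields at most the descriptors the monitor was willing to hand out.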
Privilege separation is traditionally accomplished by distinguishing a ''real'' user ID/group ID from the ''effective'' user ID/group ID, using the setuid(2)/setgid(2) and related system calls, which were specified by POSIX. If these calls are placed incorrectly, gaps in the separation can allow widespread network penetration.
Many network service daemons have to do a specific privileged operation such as opening a raw socket or an Internet socket in the well-known ports range. Administrative utilities can require particular privileges at run-time as well. Such software tends to separate privileges by revoking them completely after the critical section is done, and changing the user it runs under to some unprivileged account after doing so. This action is known as ''dropping root'' under Unix-like operating systems. The unprivileged part is usually run under the "nobody" user or an equivalent separate user account.
Privilege separation can also be done by splitting the functionality of a single program into multiple smaller programs, and then assigning the extended privileges to particular parts using file system permissions. That way the different programs have to communicate with each other through the operating system, so the scope of the potential vulnerabilities is limited (since a crash in the less privileged part cannot be exploited to gain privileges, merely to cause a denial-of-service attack).
Separation of privileges is one of the major OpenBSD security features. The implementation of Postfix focused on comprehensive privilege separation. Another email server designed with privilege separation and security in mind is Dovecot. Solaris implements a separate set of functions for privilege bracketing.
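The real/effective user ID distinction from the earlier paragraph and the privilege bracketing idea mentioned for Solaris, shown together as an added example in portable POSIX C (not from the article, and not the Solaris bracketing API itself: it uses seteuid(2)/setuid(2) to express the same pattern). A setuid-root tool starts with its real uid equal to the invoking user and its effective uid 0; it lowers its effective uid for ordinary work, raises it again only around the one privileged call, and finally drops root permanently. The bracketed call here is a chown of a freshly created file to the unprivileged user, which is what lets the lowered identity use the file afterwards. The uid 65534 used when the demo starts as plain root, the /tmp sample file and the observation bitmask are assumptions of the example; the sequence runs in a forked child so the calling process keeps its own identity.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534   /* assumption: "nobody"; only used when the demo starts as plain root */

enum {                     /* what the bracketed child observed */
    OBS_LOWERED  = 1,      /* effective uid became the unprivileged uid */
    OBS_RAISED   = 2,      /* effective uid went back to the privileged one */
    OBS_PRIVOP   = 4,      /* the bracketed chown succeeded */
    OBS_DROPPED  = 8,      /* real and effective uid both unprivileged at the end */
    OBS_USABLE   = 16,     /* unprivileged code could reopen the file it was given */
    OBS_REGAINED = 32      /* privileges came back after the permanent drop: a bug */
};

/* Reversible: only the effective uid changes; the saved uid keeps the right to return. */
static int privilege_lower(uid_t unpriv) { return seteuid(unpriv); }
static int privilege_raise(uid_t priv)   { return seteuid(priv); }

/* Irreversible: called with effective uid 0, setuid() replaces real, effective and saved uid. */
static int privilege_drop_forever(uid_t unpriv) { return setuid(unpriv); }

/* The privileged action inside the bracket: give a freshly created file to the
   unprivileged identity, as a daemon does for its pid or log file. */
static int bracketed_chown(const char *path, uid_t unpriv) { return chown(path, unpriv, (gid_t)-1); }

/* Runs lower -> raise -> privileged op -> permanent drop and reports what it saw. */
static int bracket_sequence(void) {
    int observed = 0;
    uid_t priv = geteuid(), unpriv = getuid();
    if (priv == 0 && unpriv == 0) unpriv = UNPRIV_UID;  /* plain root, not setuid: pick a target */

    char path[] = "/tmp/privbracket-XXXXXX";            /* constructed sample file, mode 0600 */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);

    if (privilege_lower(unpriv) == 0 && geteuid() == unpriv) observed |= OBS_LOWERED;
    /* ... untrusted parsing and other ordinary work belong here, with reduced rights ... */
    if (privilege_raise(priv) == 0 && geteuid() == priv) observed |= OBS_RAISED;
    if (bracketed_chown(path, unpriv) == 0) observed |= OBS_PRIVOP;
    if (privilege_drop_forever(unpriv) == 0 && getuid() == unpriv && geteuid() == unpriv)
        observed |= OBS_DROPPED;

    int wfd = open(path, O_WRONLY);                     /* works only because of the chown */
    if (wfd >= 0) { observed |= OBS_USABLE; close(wfd); }
    if (priv != unpriv && privilege_raise(priv) == 0) observed |= OBS_REGAINED;
    unlink(path);
    return observed;
}

/* Runs the sequence in a child so the caller's own identity is untouched; returns the
   observation bitmask (expected: 31, i.e. every bit except OBS_REGAINED). */
int bracketing_demo(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(bracket_sequence() & 0xff);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Run as root (or installed setuid root) the sequence exercises a real change of identity: after the permanent drop, the `seteuid(0)` in the final check fails, which is the property the bracket exists to guarantee. Run as an ordinary user every step trivially succeeds with the same uid, so the bitmask is the same but nothing was actually at stake; that contrast is a useful reminder that bracketing only protects anything when the lowered and raised identities differ.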
See also
* Capability-based security
* Confused deputy problem
* Privilege escalation
* Privilege revocation (computing)
* Defensive programming
* Sandbox (computer security)
External links
* Theo de Raadt, Exploit Mitigation Techniques in OpenBSD (slides)
* Niels Provos, Markus Friedl, Peter Honeyman, Preventing Privilege Escalation (paper)
* Niels Provos, Privilege Separated OpenSSH (project)