Principle of least privilege
In
In other words, this means giving a user only those privileges which are absolutely essential to do his/her work. For example, a backup user need not install software. Hence the backup user has rights only to run backup and backup-related applications; any other privileges, such as installing software, are blocked. The principle also applies to a single home PC user who always works in a normal user account and opens the admin account (password protected, with greater access) only when the situation absolutely demands it.
When applied to
Usage
The principle of least privilege is widely recognized as an important design consideration in enhancing the protection of data and functionality from faults (
The principle of least privilege is also known as the principle of least authority (POLA).
The
If execution picks up, after the crash, by loading and running trojan code, the author of the trojan code can usurp control of all processes. The principle of least privilege forces code to run with the lowest privilege/permission level possible so that, in the event this occurs — or even if execution picks up from an unexpected location — what resumes execution does not have the ability to do bad things. One method used to accomplish this can be implemented in the microprocessor hardware. In
Least privilege is widely misunderstood and, in particular, is almost always confused with the
Least privilege is often associated with
As implemented in some operating systems, processes execute with a potential privilege set and an active privilege set. Such privilege sets are inherited from the parent as determined by the semantics of
Historically, the oldest instance of least privilege is probably the source code of login.c, which begins execution with
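The pattern described above, a process that starts with elevated privilege, does its privileged setup, and then permanently switches to a less privileged identity before doing anything else, can be shown in a few lines of C. The following is an added, constructed example written for this page; it is not the code of login.c or of any operating system, and the function names, the use of uid/gid 65534 as a stand-in for an unprivileged "nobody" account, and the ordering comments are the example's own assumptions. It also checks that the drop really took effect and cannot be reversed, which is the property the text relies on when it says that whatever resumes execution "does not have the ability to do bad things".

```c
/* Constructed example: permanently dropping process privileges, in the spirit
 * of a login program that starts privileged and then switches to the user's
 * identity. Not code from the article or from any real login.c. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder unprivileged identity, used only when this demo runs as root.
 * 65534 is the conventional "nobody" id on many systems (an assumption). */
#define DEMO_UNPRIV_UID ((uid_t)65534)
#define DEMO_UNPRIV_GID ((gid_t)65534)

/* Permanently reduce the process to target_uid/target_gid.
 * Returns 0 on success, -1 (with errno set) on failure.
 * Order matters: supplementary groups, then gid, then uid. Once the uid is
 * no longer 0, the earlier steps can no longer be performed. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups; skip when already unprivileged. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(target_gid) != 0)
        return -1;
    /* As root, setuid() sets real, effective and saved uid together, so the
     * drop is permanent: no saved uid 0 is left to return to. */
    if (setuid(target_uid) != 0)
        return -1;
    return 0;
}

/* Check that the drop took effect and cannot be undone.
 * Returns 1 when every uid/gid matches and (if the target is not root)
 * an attempt to regain uid 0 fails with EPERM; returns 0 otherwise. */
int verify_privilege_drop(uid_t target_uid, gid_t target_gid)
{
    if (getuid() != target_uid || geteuid() != target_uid)
        return 0;
    if (getgid() != target_gid || getegid() != target_gid)
        return 0;
    if (target_uid != 0) {
        errno = 0;
        if (setuid(0) != -1 || errno != EPERM)
            return 0;
    }
    return 1;
}

int main(void)
{
    uid_t uid = geteuid() == 0 ? DEMO_UNPRIV_UID : getuid();
    gid_t gid = geteuid() == 0 ? DEMO_UNPRIV_GID : getgid();

    /* A real program would do its privileged setup here (for example, open a
     * file only root may write) before dropping, as a login program does
     * before switching to the user's identity. */
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (!verify_privilege_drop(uid, gid)) {
        fprintf(stderr, "privilege drop could not be verified\n");
        return 1;
    }
    printf("now running as uid=%u gid=%u; root privileges cannot be regained\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as an ordinary user the program drops to its own identity (a no-op that still exercises the checks); run as root it switches to the placeholder unprivileged ids. The verification step matters in practice: a drop that silently fails, or one that leaves a saved uid of 0 behind, leaves the process with exactly the privilege the design intended to remove.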
Benefits
Limitations
In practice, true least privilege is neither definable nor possible to enforce. Currently, there is no method that allows evaluation of a process to define the least amount of privileges it will need to perform its function. This is because it is not possible to know all the values of variables it may process, addresses it will need, or the precise time such things will be required. Currently, the closest practical approach is to eliminate privileges that can be manually evaluated as unnecessary. The resulting set of privileges still exceeds the true minimum required privileges for the process.
Another limitation is the granularity of control that the operating environment has over privileges for an individual process. In practice, it is rarely possible to control a process' access to memory, processing time, I/O device addresses or modes with the precision needed to facilitate only the precise set of privileges a process will require.
History
The original formulation is from Jerome Saltzer:
Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job. (Protection and the Control of Information Sharing in Multics, CACM 1974, volume 17, issue 7, page 389)
Dynamic assignment of privileges was earlier discussed by
See also
References
- Ben Mankin, The Formalisation of Protection Systems, Ph.D. thesis, University of Bath, 2004.
- P. J. Denning (December 1976). "Fault tolerant operating systems". ACM Computing Surveys 8 (4): 359–389. doi:10.1145/356678.356680. ISSN 0360-0300. http://portal.acm.org/citation.cfm?id=356680
- Jerry H. Saltzer, Mike D. Schroeder (September 1975). "The protection of information in computer systems". Proceedings of the IEEE 63 (9): 1278–1308. doi:10.1109/PROC.1975.9939. http://web.mit.edu/Saltzer/www/publications/protection/
- Deitel, Harvey M. An introduction to operating systems (revisited first ed.). Addison-Wesley. p. 673. ISBN 0-201-14502-2. http://portal.acm.org/citation.cfm?id=79046 page 31.
External links
- The Saltzer and Schroeder paper cited in the references.
- NSA (the one that implemented SELinux) talks about the principle of least privilege
- A discussion of the implementation of the principle of least privilege in Solaris
- "Proof that LUA makes you safer" by Dana Epp
- Applying the Principle of Least Privilege to User Accounts on Windows XP, by Microsoft
- Privilege Bracketing in the Solaris 10 Operating System, Sun Microsystems
Retrieved from: http://en.wikipedia.org/wiki/Principle_of_least_privilege