Privilege separation

In computer programming and computer security, privilege separation is a technique in which a program is divided into parts which are limited to the specific privileges they require in order to perform a specific task. This is used to mitigate the potential damage of a computer security attack.

A common method to implement privilege separation is to have a computer program fork into two processes. The main program drops privileges, and the smaller program keeps privileges in order to perform a certain task. The two halves then communicate via a socket pair. Thus, any successful attack against the larger program will gain minimal access, even though the pair of programs will be capable of performing privileged operations.

Privilege separation is traditionally accomplished by distinguishing a "real" user ID/group ID from the "effective" user ID/group ID, using the setuid(2)/setgid(2) and related system calls, which were specified by POSIX.

Many network service daemons have to perform a specific privileged operation, such as opening a raw socket or an Internet socket in the well-known ports range. Administrative utilities can require particular privileges at runtime as well. Such software tends to separate privileges by revoking them completely after the critical section is done, changing the user it runs under to some unprivileged account in the process. This action is known as "dropping root" on Unix-like operating systems. The unprivileged part is usually run under the "nobody" user or an equivalent separate user account.
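The fork-and-socket-pair arrangement and the "dropping root" step described above, as an added illustration that is not code from this article or from any of the projects it names. The parent keeps its privileges and acts as a monitor that only honours a fixed allow-list of request opcodes; the child drops to the given uid/gid (groups, then gid, then uid, since the order cannot be reversed once the uid is unprivileged) before it sends its first request. The single opcode, the uid/gid parameters and the stand-in "privileged" action are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum { OP_OPEN_PRIVILEGED_PORT = 1 };              /* only request the monitor honours (assumed) */
enum { REPLY_OK = 0, REPLY_DENIED = 1, REPLY_ERROR = 2 };

/* Permanently drop to uid/gid. Supplementary groups first, then gid, then uid:
 * once the uid is unprivileged the gid can no longer be changed. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Verify the drop is irreversible: regaining root here means it failed. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Monitor side: an opcode outside the allow-list, e.g. from a compromised
 * worker, is refused rather than interpreted. */
static unsigned char monitor_handle(unsigned char op)
{
    if (op == OP_OPEN_PRIVILEGED_PORT)
        return REPLY_OK; /* real code would bind the port and pass the fd back (SCM_RIGHTS) */
    return REPLY_DENIED;
}

/* Fork into privileged monitor (parent) and unprivileged worker (child) joined by
 * a socket pair; returns the reply the worker received for request `op`. */
int privsep_run(unsigned char op, uid_t worker_uid, gid_t worker_gid)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return REPLY_ERROR;
    pid_t pid = fork();
    if (pid < 0) return REPLY_ERROR;
    if (pid == 0) {                                 /* worker: drop, then ask */
        close(sv[0]);
        if (drop_privileges(worker_uid, worker_gid) != 0) _exit(REPLY_ERROR);
        unsigned char reply = REPLY_ERROR;
        if (write(sv[1], &op, 1) != 1 || read(sv[1], &reply, 1) != 1) reply = REPLY_ERROR;
        _exit(reply);
    }
    close(sv[1]);                                   /* monitor: serve until worker exits */
    unsigned char req, reply;
    while (read(sv[0], &req, 1) == 1) {
        reply = monitor_handle(req);
        if (write(sv[0], &reply, 1) != 1) break;
    }
    close(sv[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : REPLY_ERROR;
}
```

Run unprivileged, the worker drops to its own uid/gid (a no-op drop that still exercises the call order); run as root, pass the uid/gid of a dedicated service account instead.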

Privilege separation can also be done by splitting functionality of a single program into multiple smaller programs, and then assigning the extended privileges to particular parts using file system permissions. That way the different programs have to communicate with each other through the operating system, so the scope of the potential vulnerabilities is limited (since a crash in the less privileged part cannot be exploited to gain privileges, merely to cause a denial-of-service attack).

Separation of privileges is one of the major OpenBSD security features. The implementation of Postfix was focused on implementing comprehensive privilege separation. Solaris implements a separate set of functions for "privilege bracketing".

See also

* Principle of least privilege
* Capability-based security
* Confused deputy problem
* Privilege escalation
* Privilege revocation
* Defensive programming

External links

* Theo de Raadt: [http://www.openbsd.org/papers/ven05-deraadt/ Exploit Mitigation Techniques in OpenBSD] slides
* Niels Provos, Markus Friedl, Peter Honeyman: [http://niels.xtdnet.nl/papers/privsep.pdf Preventing Privilege Escalation] paper
* Niels Provos: [http://www.citi.umich.edu/u/provos/ssh/privsep.html Privilege Separated OpenSSH] project
* [http://docs.sun.com/app/docs/doc/816-1042/6m7g4ma52?a=view Trusted Solaris Developer's Guide: Bracketing Effective Privileges]


Wikimedia Foundation. 2010.