Privilege separation
In [[computer programming]] and [[computer security]], '''privilege separation''' ('''privsep''') is one software-based technique for implementing the [[principle of least privilege]].<ref>{{Cite web |last=Provos |first=Niels |last2=Friedl |first2=Markus |last3=Honeyman |first3=Peter |date=August 4, 2003 |title=Preventing Privilege Escalation |url=http://niels.xtdnet.nl/papers/privsep.pdf |url-status=live |archive-url=https://web.archive.org/web/20230325173449/http://niels.xtdnet.nl/papers/privsep.pdf |archive-date=March 25, 2023}}</ref><ref>{{Cite web |date=May 17, 2024 |title=Privilege separation |url=https://www.qnx.com/developers/docs/8.0/com.qnx.doc.neutrino.prog/topic/process_Privilege_separation.html |url-status=live |archive-url=http://web.archive.org/web/20240414015211/https://www.qnx.com/developers/docs/8.0/com.qnx.doc.neutrino.prog/topic/process_Privilege_separation.html |archive-date=April 14, 2024 |website=QNX Software Development Platform}}</ref> With privilege separation, a [[computer program|program]] is divided into parts, each of which is limited to the specific [[privilege (computing)|privileges]] it requires in order to perform a specific task. This is used to mitigate the potential damage of a computer security vulnerability.

== Implementation ==
A common method to implement privilege separation is to have a computer program [[fork (operating system)|fork]] into two [[process (computing)|process]]es. The main program drops [[privilege (computing)|privileges]], and the smaller program keeps privileges in order to perform a certain task. The two halves then communicate via a [[Unix domain socket|socket]] pair. Thus, any successful attack against the larger program will gain minimal access, even though the pair of programs will be capable of performing privileged operations.

Privilege separation is traditionally accomplished by distinguishing a ''real'' [[user ID]]/[[group ID]] from the ''effective'' user ID/group ID, using the [[setuid]](2)/[[setgid]](2) and related [[system call]]s, which were specified by [[POSIX]]. If these calls are placed incorrectly, the resulting gaps can allow widespread network penetration. Many [[computer network|network]] service [[daemon (computer software)|daemons]] have to do a specific privileged operation, such as opening a [[raw socket]] or an [[Internet socket]] in the [[TCP and UDP port numbers|well known ports]] range. Administrative [[software utility|utilities]] can require particular privileges at [[Run time (program lifecycle phase)|run-time]] as well. Such software tends to separate privileges by revoking them completely after the critical section is done, and changing the user it runs under to some unprivileged account once that is done. This action is known as ''dropping root'' under [[Unix-like]] [[operating system]]s. The unprivileged part is usually run under the "[[nobody (username)|nobody]]" user or an equivalent separate user account.

Privilege separation can also be done by splitting the functionality of a single program into multiple smaller programs, and then assigning the extended privileges to particular parts using [[file system permissions]]. That way the different programs have to communicate with each other through the operating system, so the scope of the potential vulnerabilities is limited (since a [[crash (computing)|crash]] in the less privileged part cannot be [[exploit (computer security)|exploited]] to gain privileges, merely to cause a [[denial-of-service attack]]).
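The fork-and-socket-pair pattern described above, written out as an added example (not code from OpenSSH or any other project): the parent keeps root and acts as a monitor that answers exactly one kind of request, while the child drops to the "nobody" account (assumed to exist) and can only ask the monitor for that operation over the socket pair. The function names, the request code and the single-byte protocol are assumptions made for this illustration.

```c
#define _GNU_SOURCE             /* setgroups() prototype on glibc */
#include <sys/socket.h>
#include <sys/wait.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
enum { REQ_BIND_PRIV_PORT = 1 };   /* the only request the monitor accepts */
/* Permanently give up root: groups, gid, then uid, and verify root cannot be
 * regained. The "nobody" account is assumed to exist (example assumption). */
static int drop_root(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;  /* regaining root means the drop failed */
}
/* Privileged monitor: serves one request type and refuses all others. A real
 * monitor would do the privileged call here (e.g. bind() a port below 1024)
 * and hand the resulting descriptor back over the socket. */
static int monitor(int fd)
{
    unsigned char req, reply;
    if (read(fd, &req, 1) != 1) return -1;
    reply = (req == REQ_BIND_PRIV_PORT) ? 'Y' : 'N';
    return write(fd, &reply, 1) == 1 ? 0 : -1;
}
/* Unprivileged worker: drops root if it has it, then asks the monitor. */
static int worker(int fd, unsigned char req)
{
    unsigned char reply = 0;
    if (geteuid() == 0 && drop_root("nobody") != 0) return -1;
    if (write(fd, &req, 1) != 1 || read(fd, &reply, 1) != 1) return -1;
    return reply;
}
/* Fork a monitor/worker pair joined by a socketpair; returns the reply byte
 * ('Y' or 'N') the worker received, or -1 on error. */
int privsep_request(unsigned char req)
{
    pid_t pid; int sv[2], status, r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                          /* child: the unprivileged half */
        close(sv[0]);
        r = worker(sv[1], req);
        _exit(r < 0 ? 255 : r);
    }
    close(sv[1]);                            /* parent: the privileged half */
    monitor(sv[0]);
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```

Run as an unprivileged user the child skips the drop and only the request filtering is exercised; run as root the child additionally becomes "nobody" and the final setuid(0) check confirms the drop is irreversible.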
== Examples ==

=== Dovecot ===
[[Dovecot (software)|Dovecot]] is an email server designed with privilege separation and security in mind.<ref>{{Cite web |date=August 14, 2024 |title=System users used by Dovecot |url=https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/ |url-status=live |archive-url=http://web.archive.org/web/20240630132501/https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/ |archive-date=June 30, 2024 |website=doc.dovecot.org}}</ref>

=== OpenBSD ===
Separation of privileges is one of the major [[OpenBSD security features]].<ref>{{Cite web |last=Obser |first=Florian |date=February 19, 2023 |title=Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD |url=https://sha256.net/privsep.html |url-status=live |archive-url=http://web.archive.org/web/20240606081613/https://sha256.net/privsep.html |archive-date=June 6, 2024 |website=sha256.net}}</ref><ref>{{Cite web |last=de Raadt |first=Theo |date=September 24, 2006 |title=Exploit Mitigation Techniques |url=https://www.openbsd.org/papers/ven05-deraadt/ |url-status=live |archive-url=http://web.archive.org/web/20240515040432/https://www.openbsd.org/papers/ven05-deraadt/ |archive-date=May 15, 2024 |website=[[OpenBSD]]}}</ref>

=== OpenSSH ===
OpenSSH uses privilege separation to ensure that ''pseudo terminal'' ('''''pty''''') creation happens in a secure part of the process, away from the per-connection processes that have network access.<ref>{{Cite web |last=Provos |first=Niels |date=August 9, 2003 |title=Privilege Separated OpenSSH |url=http://www.citi.umich.edu/u/provos/ssh/privsep.html |url-status=live |archive-url=http://web.archive.org/web/20240806014140/http://www.citi.umich.edu/u/provos/ssh/privsep.html |archive-date=August 6, 2024 |website=Center for Information Technology Integration}}</ref>

=== Postfix ===
The implementation of [[Postfix (software)|Postfix]] was designed around comprehensive privilege separation.<ref>{{Cite web |date=2024 |title=Postfix Architecture |url=http://www.postfix.org/OVERVIEW.html |url-status=live |archive-url=http://web.archive.org/web/20240803142920/http://www.postfix.org/OVERVIEW.html |archive-date=August 3, 2024}}</ref><ref>{{Cite web |date=2022 |title=Privilege Separation |url=https://61600.csail.mit.edu/2022/lec/l20-privsep.txt |url-status=live |archive-url=http://web.archive.org/web/20240723122815/https://61600.csail.mit.edu/2022/lec/l20-privsep.txt |archive-date=July 23, 2024 |website=csail.mit.edu}}</ref>

=== Solaris ===
[[Solaris (operating system)|Solaris]] implements a separate set of functions for [[privilege bracketing]].<ref>{{Cite web |date=2010 |title=Bracketing Effective Privileges |url=https://docs.oracle.com/cd/E19109-01/tsolaris8/816-1042/6m7g4ma52/index.html |url-status=live |archive-url=http://web.archive.org/web/20240814171612/https://docs.oracle.com/cd/E19109-01/tsolaris8/816-1042/6m7g4ma52/index.html |archive-date=August 14, 2024 |website=Trusted Solaris Developer's Guide}}</ref>

==See also==
* [[Capability-based security]]
* [[Confused deputy problem]]
* [[Privilege escalation]]
* [[Privilege revocation (computing)]]
* [[Defensive programming]]
* [[Sandbox (computer security)]]

==References==
{{Reflist}}

{{DEFAULTSORT:Privilege Separation}}
[[Category:Computer security procedures]]