Privilege separation
Encyclopedia
In computer programming
and computer security
, privilege separation is a technique in which a program
is divided into parts which are limited to the specific privileges
they require in order to perform a specific task. This is used to mitigate the potential damage of a computer security attack.
A common method to implement privilege separation is to have a computer program fork
into two process
es. The main program drops privileges
, and the smaller program keeps privileges in order to perform a certain task. The two halves then communicate via a socket
pair. Thus, any successful attack against the larger program will gain minimal access, even though the pair of programs will be capable of performing privileged operations.
Privilege separation is traditionally accomplished by distinguishing a real user ID/group ID from the effective user ID/group ID, using the setuid
(2)/setgid(2) and related system call
s, which were specified by POSIX
. If these are incorrectly positioned, gaps can allow widespread network penetration.
Many network
service daemons
have to do a specific privileged operation such as open a raw socket
or an Internet socket
in the well known ports range. Administrative utilities can require particular privileges at run-time as well. Such software tends to separate privileges by revoking them completely after the critical section is done, and change the user it runs under to some unprivileged account after so doing. This action is known as dropping root under Unix-like
operating system
s. The unprivileged part is usually run under the "nobody
" user or an equivalent separate user account.
Privilege separation can also be done by splitting functionality of a single program into multiple smaller programs, and then assigning the extended privileges to particular parts using file system permissions
. That way the different programs have to communicate with each other through the operating system, so the scope of the potential vulnerabilities is limited (since a crash
in the less privileged part cannot be exploited
to gain privileges, merely to cause a denial-of-service attack
).
Separation of privileges is one of the major OpenBSD security features
. The implementation of Postfix
was focused on implementing comprehensive privilege separation. Solaris implements a separate set of functions for privilege bracketing.
Computer programming
Computer programming is the process of designing, writing, testing, debugging, and maintaining the source code of computer programs. This source code is written in one or more programming languages. The purpose of programming is to create a program that performs specific operations or exhibits a...
and computer security
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
, privilege separation is a technique in which a program
Computer program
A computer program is a sequence of instructions written to perform a specified task with a computer. A computer requires programs to function, typically executing the program's instructions in a central processor. The program has an executable form that the computer can use directly to execute...
is divided into parts which are limited to the specific privileges
Privilege (Computing)
In computing, privilege is defined as the delegation of authority over a computer system. A privilege is a permission to perform an action. Examples of various privileges include the ability to create a file in a directory, or to read or delete a file, access a device, or have read or write...
they require in order to perform a specific task. This is used to mitigate the potential damage of a computer security attack.
A common method to implement privilege separation is to have a computer program fork
Fork (operating system)
In computing, when a process forks, it creates a copy of itself. More generally, a fork in a multithreading environment means that a thread of execution is duplicated, creating a child thread from the parent thread....
into two process
Process (computing)
In computing, a process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system , a process may be made up of multiple threads of execution that execute instructions concurrently.A computer program is a...
es. The main program drops privileges
Privilege (Computing)
In computing, privilege is defined as the delegation of authority over a computer system. A privilege is a permission to perform an action. Examples of various privileges include the ability to create a file in a directory, or to read or delete a file, access a device, or have read or write...
, and the smaller program keeps privileges in order to perform a certain task. The two halves then communicate via a socket
Unix domain socket
A Unix domain socket or IPC socket is a data communications endpoint for exchanging data between processes executing within the same host operating system. While similar in functionality to...
pair. Thus, any successful attack against the larger program will gain minimal access, even though the pair of programs will be capable of performing privileged operations.
Privilege separation is traditionally accomplished by distinguishing a real user ID/group ID from the effective user ID/group ID, using the setuid
Setuid
setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group...
(2)/setgid(2) and related system call
System call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...
s, which were specified by POSIX
POSIX
POSIX , an acronym for "Portable Operating System Interface", is a family of standards specified by the IEEE for maintaining compatibility between operating systems...
. If these are incorrectly positioned, gaps can allow widespread network penetration.
Many network
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
service daemons
Daemon (computer software)
In Unix and other multitasking computer operating systems, a daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user...
have to do a specific privileged operation such as open a raw socket
Raw socket
In computer networking, a raw socket is a socket that allows direct sending and receiving of network packets by applications, bypassing all encapsulation in the networking software of the operating system. Most socket application programming interfaces , especially those based on Berkeley sockets,...
or an Internet socket
Internet socket
In computer networking, an Internet socket or network socket is an endpoint of a bidirectional inter-process communication flow across an Internet Protocol-based computer network, such as the Internet....
in the well known ports range. Administrative utilities can require particular privileges at run-time as well. Such software tends to separate privileges by revoking them completely after the critical section is done, and change the user it runs under to some unprivileged account after so doing. This action is known as dropping root under Unix-like
Unix-like
A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification....
operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s. The unprivileged part is usually run under the "nobody
Nobody (username)
In many Unix variants, "nobody" is the conventional name of a user account which owns no files, is in no privileged groups, and has no abilities except those which every other user has....
" user or an equivalent separate user account.
Privilege separation can also be done by splitting functionality of a single program into multiple smaller programs, and then assigning the extended privileges to particular parts using file system permissions
File system permissions
Most current file systems have methods of administering permissions or access rights to specific users and groups of users. These systems control the ability of the users to view or make changes to the contents of the filesystem....
. That way the different programs have to communicate with each other through the operating system, so the scope of the potential vulnerabilities is limited (since a crash
Crash (computing)
A crash in computing is a condition where a computer or a program, either an application or part of the operating system, ceases to function properly, often exiting after encountering errors. Often the offending program may appear to freeze or hang until a crash reporting service documents...
in the less privileged part cannot be exploited
Exploit (computer security)
An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic...
to gain privileges, merely to cause a denial-of-service attack
Denial-of-service attack
A denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...
).
Separation of privileges is one of the major OpenBSD security features
OpenBSD security features
The OpenBSD operating system is noted for its security focus and for the development of a number of security features.- API and build changes :...
. The implementation of Postfix
Postfix (software)
In computing, Postfix is a free and open-source mail transfer agent that routes and delivers electronic mail. It is intended as a fast, easier-to-administer, and secure alternative to the widely-used Sendmail MTA....
was focused on implementing comprehensive privilege separation. Solaris implements a separate set of functions for privilege bracketing.
See also
- Principle of least privilegePrinciple of least privilegeIn information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module must be able to access only the...
- Capability-based securityCapability-based securityCapability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights...
- Confused deputy problemConfused deputy problemA confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation...
- Privilege escalationPrivilege escalationPrivilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user...
- Privilege revocationPrivilege revocationPrivilege revocation is the act of an entity giving up some, or all of, the privileges they possess, or some authority taking those rights away.- Information theory :...
- Defensive programmingDefensive programmingDefensive programming is a form of defensive design intended to ensure the continuing function of a piece of software in spite of unforeseeable usage of said software. The idea can be viewed as reducing or eliminating the prospect of Murphy's Law having effect...
External links
- Theo de RaadtTheo de RaadtTheo de Raadt , born May 19, 1968 in Pretoria, South Africa, is a software engineer who lives in Calgary, Alberta, Canada. He is the founder and leader of the OpenBSD and OpenSSH projects, and was a founding member of the NetBSD project.- Childhood :...
: Exploit Mitigation Techniques in OpenBSD slides - Niels ProvosNiels ProvosNiels Provos is a researcher in the areas of secure systems, malware and cryptography. He is currently a Principal Software Engineer at Google. He received his PhD in Computer Science from the University of Michigan....
, Markus Friedl, Peter Honeyman: Preventing Privilege Escalation paper - Niels ProvosNiels ProvosNiels Provos is a researcher in the areas of secure systems, malware and cryptography. He is currently a Principal Software Engineer at Google. He received his PhD in Computer Science from the University of Michigan....
: Privilege Separated OpenSSH project - Trusted Solaris Developer's Guide: Bracketing Effective Privileges