Versions Compared

Removed text:

User triggered actions must always execute with the least set of privileges that are necessary for their successful completion. This is also the underlying principle behind assigning minimalistic privileges so that the damage caused due to software defects can be constrained. See \[[DHS 0506|AA. C References#DHS 05]\] [Least Privilege|https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/351.html] for additional definitions.

Added text:

The principle of least privilege states that every program and every user of the system should operate using the least set of privileges necessary to complete the job [Saltzer 74, Saltzer 75]. The build security in website \[[DHS 0506|AA. C References#DHS 05]\] provides additional definitions.

Programs should execute with the least set of privileges that are necessary for their successful completion. This is also the underlying principle behind assigning minimal privileges, so that the damage caused by software defects can be constrained.

Sometimes a program requires certain privileged operations but does not need to retain the special privileges afterwards. For instance, a network program may require superuser privileges to capture raw network packets, but it should not use the same set of privileges for other tasks such as packet analysis. Dropping and elevating privileges as the program's requirements change is a good design strategy. Moreover, holding only the required privileges at any given time limits the window of exposure in which a privilege escalation exploit can succeed.
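The pattern described above, as an added example that is not part of the original page: on Linux/POSIX, open the raw socket while still privileged, then permanently drop to an unprivileged identity and verify the drop before doing any packet analysis. The uid/gid 65534 ("nobody") is an assumption.

```c
#define _DEFAULT_SOURCE   /* declares setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Permanently drop to the given unprivileged identity. Order matters:
 * supplementary groups and the gid must be changed while still root,
 * because setuid() is the step that gives the privilege away. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* root only */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Verify the drop took effect: real and effective ids match the target and,
 * when the target is not root, superuser rights cannot be regained. */
int privileges_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) != -1) return 0;   /* must fail with EPERM */
    return 1;
}

/* The privileged step from the text: a raw socket needs superuser rights
 * (or CAP_NET_RAW on Linux). */
int open_raw_socket(void) {
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

int main(void) {
    const uid_t unpriv_uid = 65534;   /* assumed "nobody" uid/gid */
    const gid_t unpriv_gid = 65534;
    int fd = open_raw_socket();
    if (fd < 0) { perror("socket"); return 1; }
    /* Privileged work is done; give the rights up before analysing packets. */
    if (drop_privileges(unpriv_uid, unpriv_gid) != 0 ||
        !privileges_dropped(unpriv_uid, unpriv_gid)) {
        perror("drop_privileges");
        close(fd);
        return 1;
    }
    printf("capturing as uid %u with privileges dropped\n", (unsigned)getuid());
    /* ... read(fd, ...) and analyse packets without superuser rights ... */
    close(fd);
    return 0;
}
```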

...