| Wiki Markup |
|---|
The principle of least privilege states that every program and every user of the system should operate using the least set of privileges necessary to complete the job \[[Saltzer 74|AA. C References#Saltzer 74], [Saltzer 75|AA. C References#Saltzer 75]\]. The Build Security In website \[[DHS 06|AA. C References#DHS 06]\] provides additional definitions of this principle. Executing with minimal privileges mitigates against exploitation, in case a vulnerability is discovered in the code. |
...
Privileged operations are often required in a program, though the program might not need to retain the special privileges. For instance, a network program may require superuser privileges to capture raw network packets but will may not ideally use require the same set of privileges for carrying out other tasks such as packet analysis. Dropping or elevating privileges alternately according to program requirements is a good design strategy. Moreover, assigning only the required privileges limits the window of exposure for any privilege escalation exploit to succeed.
...
| Code Block | ||
|---|---|---|
| ||
int establish(void) {
/* This will store the listening socket's address */
struct sockaddr_in sa;
/* This will hold the listening socket */
int s;
/* Fill up the structure with address and port number */
sa.sin_port = htons(portnum);
/* Other system calls like socket() */
if (bind(s, (struct sockaddr *)&sa,
sizeof(struct sockaddr_in)) < 0) {
/* Perform cleanup */
}
/* Return */
}
int main(void) {
int s = establish();
/* Block with accept() until a client connects */
switch (fork()) {
case -1 : /* Error, clean up and quit */
case 0 : /* This is the child, handle the client */
default : /* This is the parent, continue blocking */
}
}
|
A If a vulnerability (if is discovered ) in the main body of the program will allow that allows an attacker to execute arbitrary code. This , this malicious code will run with elevated privileges.
...