The Principle of Least Privilege - Information Security Theory
Privilege: The Principle
In Information Security theory, a process, or more abstractly the user invoking that process, has access to some subset of all the information and functions available in a computing system. This subset is considered its privilege level. It is an abstract concept, not a defined scale such as “privilege levels 1-10”. For example, a user may need to read files from directory A and write a log to directory B, but not change or delete files in directory A or any other directory. Another user who can read and write these files and directories, as well as other directories, has a higher level of privilege.
For example, on Unix-based systems the root user (user id 0) has full access to everything and therefore full privilege. On Windows NT-based systems, the kernel has full privilege. Users that can’t install programs, load printer drivers and so forth have a far smaller privilege set.
The principle of least privilege states that users and processes should only have access to the least amount of information and functions required to do their job. Why this is preferable will become clear.
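The directory A / directory B job and the root case described above can be checked mechanically. The following is an added example, not part of the original article: it compares what classic Unix owner/group/other mode bits grant a user against what the job requires. The uids, gids and modes are constructed sample values, and ACLs and capabilities are not modelled.

```python
# Added example: audit granted vs. required access using classic Unix mode bits.
# All names, uids, gids and modes below are constructed for illustration.
from dataclasses import dataclass

PERMS = (("r", 4), ("w", 2), ("x", 1))

@dataclass(frozen=True)
class Resource:
    name: str
    mode: int        # permission bits, e.g. 0o750
    owner_uid: int
    owner_gid: int

def granted(res, uid, gids):
    """Permissions the owner/group/other bits give this uid on res."""
    if uid == 0:                      # root: full privilege on Unix
        return {"r", "w", "x"}
    if uid == res.owner_uid:
        shift = 6                     # owner triplet
    elif res.owner_gid in gids:
        shift = 3                     # group triplet
    else:
        shift = 0                     # other triplet
    bits = (res.mode >> shift) & 0o7
    return {p for p, b in PERMS if bits & b}

def audit(resources, required, uid, gids):
    """Return {name: {"missing": set, "excess": set}} for each resource."""
    report = {}
    for res in resources:
        have = granted(res, uid, gids)
        need = required.get(res.name, set())
        report[res.name] = {"missing": need - have, "excess": have - need}
    return report

# Job from the text: read files in A, write a log into B, nothing else.
# On a directory: r = list entries, w = create/delete entries, x = traverse.
REQUIRED = {"A": {"r", "x"}, "B": {"w", "x"}}

LOOSE = [Resource("A", 0o775, 1000, 100), Resource("B", 0o770, 1000, 100)]
TIGHT = [Resource("A", 0o750, 1000, 100), Resource("B", 0o730, 1000, 100)]

if __name__ == "__main__":
    for label, layout in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, audit(layout, REQUIRED, uid=1001, gids={100}))
    print("root", audit(TIGHT, REQUIRED, uid=0, gids={0}))
```

An empty "excess" set for every resource means the account holds only what the job needs; running the same job as uid 0 always reports excess.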
Why the Least Privilege?
Multi-user operating systems with diverse and disparate users, connected to large networks such as those of enterprises, government, and universities, and exposed to the Internet, drove OS security design forward. Users needed to share some resources but be restricted from others. Complex, versatile systems were rife with opportunities for bugs, errors, and crashes. A malicious user, virus, worm or trojan might usurp computer time, resources, or private information from others if not prevented from doing so. What could be done to prevent this (as much as possible)? If users and applications can’t do more than the minimum they need, then it should not be possible for them to do these undesirable things.
The original assertion was made in the paper “The Protection of Information in Computer Systems” by Saltzer and Schroeder in 1974. As you can see, the concept has been around a long time.
Enough Theory!
You may be thinking “Clemmer, all this is great, but how do I use it in practice?” Well, in practice it may not always be clear what privilege level is required. Users often believe they need additional rights & privileges to do a job, when this is not the case. We’ll take a look at how things can go wrong in the next article in the series.
This post is part of the series: The Principle of Least Privilege
This article series explains the Information Security and Computer Science concept of the principle of least privilege. We examine what privileges are, why they are an important concept in multi-user systems, and why this principle is a sound security concept. See examples and means of prevention.