Least privilege principle

In an operating system, some operations are privileged and permission to perform these operations is restricted to authorized users. These privileged operations usually include tasks such as rebooting the system, adding and modifying filesystems, adding and deleting users, and modifying the system date and time.

In traditional UNIX systems, a process or user can be in normal mode or privileged mode (also called superuser or root). A process running as root can execute any command and perform any system operation, while a normal user cannot perform privileged operations. A traditional UNIX system has a very coarse all-or-nothing concept of privilege and faces the security threat of the overprivileged administrator.

The traditional UNIX approach, where a single privileged mode grants all access to the system, is too coarse to meet the requirements of highly secured systems. A system designed to be secure requires that each process be granted the most restrictive set of privileges needed to perform its task. Fine-grained privileges have the advantage that a privilege need be granted only to the processes that actually require it. This restriction of privileges is known as the principle of least privilege and is useful in limiting damage to the system from careless or malicious administrators and operators.

For example, changing a password requires certain privileges in order to access files that are not typically accessible by a normal user. If users always had these privileges, they could also perform other actions that are undesirable from a security standpoint. Therefore, the required privileges are granted only to the passwd command and not to all users.

In an RBAC environment, users themselves do not have any inherent privileges. Users are simply allowed to run certain commands, and it is those commands that are granted privileges. If a user were instead directly granted privileges, they could use the privileges at any time and in any manner they chose. Limiting privileges to individual commands constrains the context in which the privileges are applied. This leads to enhanced security because if a trusted application is exploited by an attacker, the attacker obtains only the limited set of privileges granted to that application, rather than the full power of root with all privileges.

Trusted applications must be carefully inspected before they are granted privileges. In addition, privileges should be granted when and where necessary for the application. Trusted applications are just like any other program, the only difference being that trusted applications are allowed to perform actions that are denied to untrusted applications.