
Ulf Mattsson, Protegrity Corporation: Limit attackers from damaging a file system

November 2008 by Ulf Mattsson, CTO, Protegrity Corporation

Only the minimum necessary rights should be assigned to a user that requests access to a file, and those rights should remain in effect only for the shortest duration necessary (remember to relinquish privileges once the action is done). Granting a user permissions beyond the scope of what the action requires can allow that user to obtain or change information in unwanted ways.

Therefore, careful delegation of access rights can limit the damage an attacker can do to a system. Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum needed for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises about misuse of a privilege, the number of programs that must be audited is minimized. Put another way, if a mechanism can provide "firewalls," the principle of least privilege provides a rationale for where to install them.

If a user does not need an access right, the user should not have that right. Further, the function of the user (as opposed to its identity) should control the assignment of rights. If a specific action requires that a user's access rights be augmented, those extra rights should be relinquished immediately upon completion of the action. This is the analogue of the "need to know" rule: if the user does not need access to an object to perform its task, it should not have the right to access that object. More precisely, if a user needs to append to an object but not to alter the information already contained in it, it should be given append rights and not write rights.

In practice, most systems do not have the granularity of privileges and permissions needed to apply this principle precisely, and the designers of security mechanisms then apply it as best they can. On such systems the consequences of security problems are often more severe than on systems that adhere to the principle. The UNIX operating system does not apply access controls to the user root: that user can terminate any process and read, write, or delete any file. Thus, a user who must run as root to create backups can also delete the files being backed up. The Administrator account on Windows has the same powers. (Later mechanisms such as Linux capabilities and mandatory access control frameworks can confine root to a subset of these powers, but the default model remains all-or-nothing.)
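The following is an added example, not code from the article or from Protegrity, showing one way to build the mediator the text describes: rights are keyed on a principal's function (role) rather than its identity, "append" is a distinct right from "write" and is enforced with O_APPEND so the kernel prevents overwriting earlier records, and temporary elevation is relinquished automatically when the action completes, even if it fails. The role table, role names, principal names and the audit-log file are constructed for the demonstration.

```python
"""Least-privilege file access mediator (constructed example).

Rights are assigned by role (the user's function), append and write are
separate rights, and any temporarily granted right is dropped automatically
when the action that needed it finishes.
"""
import os
import tempfile
from contextlib import contextmanager

# Constructed rights table: role -> operations permitted on the audit log.
# 'append' allows adding records but not altering existing ones;
# 'write' allows truncating or rewriting the file.
ROLE_RIGHTS = {
    "collector": {"append"},
    "auditor": {"read"},
    "backup": {"read"},
    "admin": {"read", "append", "write", "delete"},
}


class AccessDenied(PermissionError):
    """Raised when a principal lacks the right for the requested operation."""


class Principal:
    """A user or program identified by its role, not its name."""

    def __init__(self, name, role):
        self.name = name
        self.role = role
        self._extra = set()  # rights granted temporarily via elevated()

    def rights(self):
        return ROLE_RIGHTS.get(self.role, set()) | self._extra

    @contextmanager
    def elevated(self, *ops):
        """Grant ops for the duration of one action; relinquish them on exit,
        including when the action raises an exception."""
        granted = set(ops) - self.rights()
        self._extra |= granted
        try:
            yield self
        finally:
            self._extra -= granted


def check(principal, op):
    """Reference-monitor style check: every file operation goes through here."""
    if op not in principal.rights():
        raise AccessDenied(f"{principal.name} ({principal.role}) lacks '{op}'")


def append_record(principal, path, line):
    check(principal, "append")
    # O_APPEND makes the kernel position every write at end-of-file, so a
    # caller holding only 'append' cannot overwrite earlier records.
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o640)
    try:
        os.write(fd, (line + "\n").encode())
    finally:
        os.close(fd)


def rewrite_file(principal, path, content):
    check(principal, "write")  # 'write' is required to truncate or alter content
    with open(path, "w") as f:
        f.write(content)


def read_file(principal, path):
    check(principal, "read")
    with open(path) as f:
        return f.read()


def delete_file(principal, path):
    check(principal, "delete")
    os.remove(path)


def demo():
    """Exercise the mediator on a temporary audit log; returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "audit.log")
        collector = Principal("sensor-1", "collector")
        backup = Principal("bkp-svc", "backup")
        append_record(collector, log, "event 1")
        append_record(collector, log, "event 2")
        try:
            rewrite_file(collector, log, "")  # append-only role may not rewrite
            results["collector_rewrite"] = "allowed"
        except AccessDenied:
            results["collector_rewrite"] = "denied"
        try:
            delete_file(backup, log)  # backup role reads, it does not delete
            results["backup_delete"] = "allowed"
        except AccessDenied:
            results["backup_delete"] = "denied"
        results["log_after"] = read_file(backup, log)
        # Elevation for a single action; the extra right is gone afterwards.
        with backup.elevated("delete"):
            results["rights_during"] = sorted(backup.rights())
        results["rights_after"] = sorted(backup.rights())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of routing every operation through `check()` is the auditability the text mentions: if a question about misuse arises, there is one place to look. Note that the Python-level checks are policy only; the O_APPEND flag is what actually stops an append-only caller from rewriting history at the operating-system level.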

