NOTICE: Citizendium is still being set up on its newer server, treat as a beta for now; please see here for more.
Citizendium - a community developing a quality comprehensive compendium of knowledge, online and free. Click here to join and contribute—free
CZ thanks our previous donors. Donate here. Treasurer's Financial Report -- Thanks to our content contributors. --

Principle of Least Privilege

From Citizendium, the Citizens' Compendium
Jump to: navigation, search
This article is developing and not approved.
Main Article
Talk
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and not meant to be cited; by editing it you can help to improve it towards a future approved, citable version. These unapproved articles are subject to a disclaimer.

The concept of the Principle of Least Privilege has existed for millennia. Royal leaders only allowed their assigned guards to carry weapons in their presence. Religious groups restricted the privileges of sacraments, such as marriage, to clerics, but the privilege of ordination was restricted to ecclesiastical authorities of a higher level.

Hierarchy alone does not necessarily grant privileges, if the concept of need to know, a military axiom, is applied. A security clearance does not automatically confer the privilege of access to all information of that level. For example, many officers may lead troops in an invasion, but only those that will plan the operation need to know the exact place and date, well in advance. Those who will train troops for the operation need to know the general environments and tactics to be expected. Individual soldiers may not need to know the full description used in planning exercises; they will learn the context as they go through realistic training but not be able to give a detailed explanation that would be useful to intelligence analysts.

With respect to computing, it was probably first articulated by Saltzer in 1974. [1] In the CERT coding standards, it is stated as

The principle of least privilege states that every program and every user of the system should operate using the least set of privileges necessary to complete the job[2]

Simply because there are more systems running predefined programs rather than new programs being created, the principle is most often violated in systems administration. To use Citizendium examples,

  1. A general reader needs only the privilege to read articles
  2. An author needs the additional privilege to edit articles
  3. A constable needs the privilege to delete or lock articles
  4. A sysop needs the privilege to assign user privileges

Many operating systems ship with default passwords, which permits the person doing the initial installation to set any parameter. Larger organizations restrict the installation and backup roles to authorized individuals who need to carry out these functions. They may need to have a manager or remote security authorization to carry out some function.

While an individual may need privilege A, that does not necessarily mean that the person can delegate the privilege; delegation is often considered a privilege of its own.

References

  1. Saltzer, J. H. (July 1974), "Protection and the Control of Information Sharing in Multics", Communications of the ACM 17 (7): 388-402.
  2. "POS02-C. Follow the principle of least privilege", CERT Secure Coding Standards