Privilege separation

From Wikipedia, the free encyclopedia

In computer programming and computer security, privilege separation (privsep) is one software-based technique for implementing the principle of least privilege.[1][2] With privilege separation, a program is divided into parts, each of which is limited to the specific privileges it requires in order to perform a specific task. This limits the damage that a computer security vulnerability in any one part can cause.

Implementation


A common method of implementing privilege separation is to have a computer program fork into two processes. The main program drops privileges, and the smaller program keeps privileges in order to perform a certain task. The two halves then communicate via a socket pair. Thus, any successful attack against the larger program gains only minimal access, even though the pair of programs together is still capable of performing privileged operations.

Privilege separation is traditionally accomplished by distinguishing a real user ID/group ID from the effective user ID/group ID, using the setuid(2)/setgid(2) and related system calls, which are specified by POSIX. If these calls are placed incorrectly, gaps can remain that allow widespread network penetration.

Many network service daemons have to perform a specific privileged operation, such as opening a raw socket or an Internet socket in the well-known ports range. Administrative utilities can require particular privileges at run-time as well. Such software tends to separate privileges by revoking them completely once the critical section is done, and then changing the user it runs under to some unprivileged account. This action is known as dropping root under Unix-like operating systems. The unprivileged part is usually run under the "nobody" user or an equivalent separate user account.

Privilege separation can also be done by splitting the functionality of a single program into multiple smaller programs, and then assigning the extended privileges to particular parts using file system permissions. That way, the different programs have to communicate with each other through the operating system, so the scope of the potential vulnerabilities is limited: a crash in the less privileged part cannot be exploited to gain privileges, merely to cause a denial-of-service attack.

Examples

Dovecot

Dovecot is an email server designed with privilege separation and security in mind.[3]

OpenBSD

Separation of privileges is one of the major OpenBSD security features.[4][5]

OpenSSH

OpenSSH uses privilege separation to ensure pseudo terminal (pty) creation happens in a secure part of the process, away from per-connection processes with network access.[6]

Postfix

The implementation of Postfix was focused on comprehensive privilege separation.[7][8]

Solaris

Solaris implements a separate set of functions for privilege bracketing.[9]


References

  1. ^ Provos, Niels; Friedl, Markus; Honeyman, Peter (August 4, 2003). "Preventing Privilege Escalation" (PDF). Archived (PDF) from the original on March 25, 2023.
  2. ^ "Privilege separation". QNX Software Development Platform. May 17, 2024. Archived from the original on April 14, 2024.
  3. ^ "System users used by Dovecot". doc.dovecot.org. August 14, 2024. Archived from the original on June 30, 2024.
  4. ^ Obser, Florian (February 19, 2023). "Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD". sha256.net. Archived from the original on June 6, 2024.
  5. ^ de Raadt, Theo (September 24, 2006). "Exploit Mitigation Techniques". OpenBSD. Archived from the original on May 15, 2024.
  6. ^ Provos, Niels (August 9, 2003). "Privilege Separated OpenSSH". Center for Information Technology Integration. Archived from the original on August 6, 2024.
  7. ^ "Postfix Architecture". 2024. Archived from the original on August 3, 2024.
  8. ^ "Privilege Separation". csail.mit.edu. 2022. Archived from the original on July 23, 2024.
  9. ^ "Bracketing Effective Privileges". Trusted Solaris Developer's Guide. 2010. Archived from the original on August 14, 2024.