Privilege separation is the design pattern of breaking a system into components such that each component can be granted a smaller set of permissions than a combined system would need. Thus restricting the capabilities of an attacker who compromises that component.
Questions tagged [privilege-separation]
15 questions
8
votes
3 answers
Difference between root login and passwordless sudo
Cloud images of some popular operating systems do not let the user to log in as root, yet they use a very standard user name (for example ec2-user, ubuntu) and allow these users to use passwordless sudo.
What is the reason for this choice? Is it…
Julian
- 83
- 3
5
votes
2 answers
Isn't separating privileges less useful on a PC, as all my critical data is in my normal user account?
Separating privileges, i.e using a non-admin account and escalating only when needed, seems to be something everyone agrees on. I can roughly understand why it's important on every system : prevent an attacker from modifying the system and taking…
Hey
- 1,905
- 1
- 16
- 23
5
votes
4 answers
Node.js REST server running as root
I am building a REST API server using Node.js and Express, that will allow you to turn any Linux server into a NAS. I have several fileExec which basically spawns a shell and executes a BASH command (Like pvs, pvcreate, lvs, vgs, etc). Most of these…
InitEnabler
- 53
- 1
- 4
4
votes
2 answers
How could malware disable third party security software?
I'm asking this question with the assumption that anything the user can do, so can malware.
I'm using a third party firewall on my system to control which programs are able to access the internet. However I notice that I - as a limited user - am…
Synthetic Ascension
- 141
- 1
- 5
4
votes
1 answer
Drop privileges after startup or start as unprivileged user?
Given a service that needs access to some secrets from a config file to start, I can imagine three approaches:
1) Keep the file readable only by root. Start the process as root, read the config and drop privileges.
2) Keep the file readable only by…
thusoy
- 143
- 3
3
votes
2 answers
Why are Protection Rings called rings?
Protection rings are different privilege levels granted to software, with the kernel being the most privileged, applications the least privileged, and drivers somewhere in between.
My question is why are they called rings? (as opposed to privilege…
LemonPi
- 133
- 2
3
votes
1 answer
How can you securely use a cloud-based CI/CD server?
I'm looking at using a cloud-based continuous deployment server to push production code for my application.
Because it's a cloud based server, this requires me to give them a private SSH key that has access to push the appropriate files to my…
Hetul Patel
- 133
- 4
3
votes
2 answers
Separation of Duties using RBAC
I'm reading an article about Role based Access Control, in section 6 (Separation of Duties) I didn't understand this part :
Separation of duty can be either static or dynamic. Compliance with static separation
requirements can be determined…
Bilal
- 133
- 1
- 6
2
votes
1 answer
Windows service with elevated privileges - Security concern
The company I work at uses a program on their Windows workstations that runs as the logged-in user but some tasks require elevated privileges. The user must be able to run these without having admin permissions himself.
The current approach is that…
etw0
- 45
- 3
1
vote
1 answer
Security difference between changing permissions versus using sudo to execute
If there is a program written by a normal user that requires root privileges (eg. a program that interacts with root processes) what is the difference between running this program using sudo vs. changing the program permissions with chown root and…
durestudios
- 11
- 1
1
vote
3 answers
Is there really any benefit in having a separate local admin account
I have been thinking of implementing a new practice where local admin privileges are disabled entirely from all endpoints. For users who need to elevate privileges, they will have a separate admin account dedicated and restricted only to the local…
TheGreyShadow
- 43
- 1
- 7
1
vote
0 answers
Authorise access to hierarchical data
Consider a scenario in which you offer service access based on a hierarchy of authority. i.e., a HEAD can register his subordinates. The authenticated HEAD has the previledge to read and update data from all of his subordinates. Is there an…
Fahim Farook
- 121
- 4
1
vote
2 answers
Best practice on Windows domains: To have a separate admin account or not?
On Linux, we enforce least privilege through sudo. This gives the best of both worlds: Passwords and accounts are for a person, as they should be, not a role. But we lower risk and exposure by only using privileges when we need them.
Windows…
SRobertJames
- 245
- 1
- 7
1
vote
1 answer
Is it possible to separate DRA decryption abilities?
In the name of separation of duties, I was wondering if there is a simple (or even not-so-simple) way of dividing the ability to decrypt an EFS encrypted file such that it would require two DRAs to decrypt the file, while still enabling the owner of…
Y e z
- 133
- 6
1
vote
2 answers
How does separating concerns into separate processes (without enforcement) help security?
In this talk on privilege separation, Theo de Raadt explains that OpenBSD's ntpd has a master process which calls settimeofday(), a DNS process responsible for querying DNS servers, and an NTP protocol process which is responsible for speaking UDP…
strugee
- 688
- 1
- 6
- 16