What is Privilege Separation?
July 16, 2008 by Antivirus Ware.com

In computer security and programming, “privilege separation” is the technique of dividing a program into separate parts. Typically, each part is limited to the privileges it requires to perform a specific task. It is also an effective way of mitigating computer attacks that could otherwise cause damage.
Splitting, or “forking,” a program into two separate parts is the common method of implementing privilege separation. The primary program drops its privileges, while the smaller of the two programs keeps them in order to perform a specific task. A socket pair is then used so the two halves can communicate. As a result, a successful attack on the primary program gains only minimal access, even though the pair of programs can still perform specific functions.
Privilege separation is usually performed by distinguishing a real user ID or group ID from an effective user ID or group ID, using system calls specified by POSIX (Portable Operating System Interface). Splitting the functionality of a single program into multiple programs is another method of accomplishing privilege separation.
When the primary program is split into smaller entities, the extended privileges are assigned to specific parts through file system permissions. The scope of any potential vulnerability is then limited, because the separated programs can interact only by communicating with one another.
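
The fork-and-socket-pair arrangement and the POSIX user ID calls described above, as an added example that is not part of the original article. The unprivileged IDs (65534) and the "whoami" command are assumptions made for illustration; privileges are dropped only when the program is started as root.

```c
/* Added example: fork() + socketpair() privilege separation (illustrative). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes setgroups() in glibc's <grp.h> */
#endif
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534 /* assumption: the "nobody" account */
#define UNPRIV_GID 65534 /* assumption: the "nogroup" group */

/* Permanently drop root: groups first, then gid, then uid; fail closed. */
static int drop_privileges(void) {
    if (geteuid() != 0) return 0;           /* not root: nothing to drop */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(UNPRIV_GID) != 0) return -1;
    if (setuid(UNPRIV_UID) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;         /* regaining root must fail */
}

/* Small half that keeps its privileges: one allow-listed command only. */
static void monitor(int fd) {
    char req[64] = {0}, rep[64] = "denied"; /* default deny */
    if (read(fd, req, sizeof req - 1) <= 0) _exit(1);
    if (strcmp(req, "whoami") == 0)
        snprintf(rep, sizeof rep, "euid=%ld", (long)geteuid());
    if (write(fd, rep, strlen(rep)) < 0) _exit(1);
    _exit(0);
}

/* Primary half: fork the monitor, drop privileges, then ask it for help. */
int privsep_request(const char *request, char *reply, size_t n) {
    int sv[2];
    if (n == 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); monitor(sv[1]); } /* child never returns */
    close(sv[1]);
    ssize_t got = -1;
    if (drop_privileges() == 0 && write(sv[0], request, strlen(request)) > 0)
        got = read(sv[0], reply, n - 1);
    if (got > 0) reply[got] = '\0';
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return got > 0 ? 0 : -1;
}
```

Because the monitor answers only the commands it recognizes, code running in the unprivileged half cannot make it do anything beyond that narrow interface.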
