Privilege revocation

From Wikipedia, the free encyclopedia

Privilege revocation is the act of an entity giving up some, or all of, the privileges they possess, or some authority taking those (privileged) rights away.

In computing security privilege revocation is a measure taken by a program to protect the system against misuse of itself.

Network service daemons, or administrative utilities with setuid bits set, that have to do some privileged operation only at program loadtime (such as open a raw socket or an Internet socket in the Well Known Ports range) are less of a security risk should they change users to some unprivileged account after so doing. An action otherwise known as dropping root after startup, under Unix-like operating systems.

Apart from this sandboxing successful attacks, to the unprivileged user account changed to; it also helps in reliability of the computing services provided, as the chances of restarting the process are better and other services on the same machine aren't effected (or at least probably not as much as in the alternative case: i.e. a privileged process gone haywire instead).

Contents 1 Other meaning 2 References 3 See also 4 External links

[edit] Other meaning

In law the general term is often used when discussing some paper, such as a drivers licence, being voided after a (negative) condition is met by the holder.

[edit] References

• State of Rhode Island General Assembly AN ACT RELATING TO SUSPENSION OF SCHOOL BUS DRIVER'S CERTIFICATES CHAPTER 36, 97-H 5836 am, Approved July 1, 1997
• Protection Profile for Privilege-Directed Content Authoriszor Ltd. Ref: Auth_CC/PP/DES/0 2000
• Timothy Fraser: LOMAC: Low Water-Mark Integrity Protection for COTS Environments
• Linux Standard Base Core Specification 3.1 Chapter 21. Users & Groups 21.2. User & Group Names

[edit] See also

• Principle of least privilege
• Privilege bracketing
• Privilege escalation
• Defensive programming

[edit] External links

• Theo de Raadt: Exploit Mitigation Techniques (in OpenBSD, of course)