Privilege (Computing)
From Wikipedia, the free encyclopedia
In computing, privilege is defined as the delegation of authority over a system. Users who have been delegated absolute control are called privileged. Users who lack most privileges are defined as unprivileged, regular, or normal users.
Unix
On Unix-like systems, the Superuser (commonly known as 'root') is the user that owns all the privileges. These systems do not follow the principle of least privilege; users are granted only enough permissions to accomplish their most common tasks.
Unprivileged users usually cannot:
- Adjust kernel options.
- Modify system files, or files of other users.
- Change the owner of any files.
- Reboot or halt the system, although it is becoming common on GNU/Linux to allow regular users to do this.
- Change the runlevel (on systems with System V-style initialization).
- Adjust ulimits or disk quotas.
- Start or stop daemons.
- Signal processes of other users.
- Create device nodes.
- Create or remove users or groups.
- Mount or unmount volumes, although it is becoming common to allow regular users to mount and unmount removable media, such as compact discs.
- Execute the contents of any sbin/ directory, although it is becoming common to simply restrict the behavior of such programs when executed by regular users.
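The following Python probe is an added example, not part of the original article. It attempts four of the operations listed above on a Linux system and reports whether the kernel allows or denies each one for the current user. The function names and the choice of PID 1, `/etc/passwd` and device 1:3 as targets are assumptions of this example.

```python
import errno
import os
import stat
import tempfile


def attempt(action):
    """Run one operation and classify the kernel's answer."""
    try:
        action()
    except OSError as exc:
        if exc.errno in (errno.EPERM, errno.EACCES):
            return "denied"
        # Anything else (ENOENT, EINVAL, ...) is not a privilege decision.
        return errno.errorcode.get(exc.errno, "error")
    return "allowed"


def probe_restrictions():
    """Try four operations from the list above and report each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        own_file = os.path.join(scratch, "owned-by-me")
        open(own_file, "w").close()
        # "Change the owner of any files": hand our own file to UID 0.
        results["chown file to root"] = attempt(
            lambda: os.chown(own_file, 0, -1))
        # "Create device nodes": character device 1:3 (/dev/null on Linux).
        node = os.path.join(scratch, "null")
        results["create device node"] = attempt(
            lambda: os.mknod(node, stat.S_IFCHR | 0o600, os.makedev(1, 3)))
    # "Signal processes of other users": signal 0 only runs the permission
    # check against PID 1; nothing is delivered.
    results["signal PID 1"] = attempt(lambda: os.kill(1, 0))
    # "Modify system files": open for append and write nothing.
    results["open /etc/passwd for writing"] = attempt(
        lambda: open("/etc/passwd", "ab").close())
    return results


if __name__ == "__main__":
    print(f"effective UID: {os.geteuid()}")
    for name, outcome in probe_restrictions().items():
        print(f"{name:30} {outcome}")
```

Run as a regular user, the probes normally report `denied`; run as root they normally report `allowed`, although a container that drops capabilities can deny some of them even to UID 0.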
Windows NT
On Windows NT-based systems, privileges are delegated in varying degrees. These delegations can be defined using the Local Security Policy Manager (SECPOL.MSC). The following is an abbreviated list of the default assignments:
- 'Administrator' is the closest equivalent to the Superuser on Unix-like systems. However, this user cannot override all of the operating system's protections, as the Superuser can.
- Members of the 'Administrators' group have privileges almost equal to 'Administrator'.
- Members of the 'Power Users' group have the ability to install programs and back up the system.
- Members of the 'Users' group are the equivalent of unprivileged users on Unix-like systems.
Privilege is effectively defeated on Windows NT-based systems that do not use the NTFS file system, as they cannot administer permissions on files or directories.