Protection Domains

"A program that needs to read a file should not have the power to format the disk."

This seemingly obvious statement encapsulates one of the most important principles in security engineering: the Principle of Least Privilege (PoLP). First formally articulated by Jerome Saltzer and Michael Schroeder in their landmark 1975 paper "The Protection of Information in Computer Systems," this principle states that every program and every user of the system should operate using the least set of privileges necessary to complete the job.

The principle seems intuitive, yet it is violated constantly in practice. Running services as root, granting applications full disk access, giving users administrator privileges "just in case"—these common shortcuts undermine security at its foundation. Understanding least privilege is understanding how to design systems that remain secure even when components fail or are compromised.

The principle of least privilege can be stated formally:

Definition:

Every subject (process, user, system) should be granted only those privileges that are essential for performing its authorized functions, and those privileges should be held only for the minimum duration necessary.

This definition has several important components:

"Only those privileges that are essential":

• Not "convenient" or "might be needed" or "easier to configure"
• The minimum set required for legitimate operation
• Defined by the task, not by the identity of the actor

"Performing its authorized functions":

• Privileges match intended behavior
• Unauthorized actions are impossible, not just forbidden
• Policy is enforced at the mechanism level

"Minimum duration necessary":

• Temporary elevation when needed
• Immediate return to lower privilege
• No standing privileges beyond current task

Mathematical Formulation:

For a subject S performing task T, let:

• R(T) = set of rights required to complete T
• G(S) = set of rights granted to S

Least privilege requires:

G(S) = R(T)    (granted rights exactly equal required rights)

In practice, achieving exact equality is often infeasible, so we aim for:

G(S) ⊇ R(T)    (granted rights ≥ required rights)
minimize |G(S) - R(T)|    (minimize excess privilege)

Corollary: Fail-Safe Defaults

A related principle states that the default answer to access requests should be denial. Absence of a specific permission implies no access. This ensures that:

• New objects are secure by default
• Configuration errors result in denied access (safe) not granted access (unsafe)
• Permissions must be explicitly granted, never assumed

Least privilege provides multiple layers of benefit, affecting security, reliability, and maintainability:

Security Benefits:

Reliability Benefits:

Traditional Unix provides several mechanisms for implementing least privilege, though each has limitations:

User IDs and File Permissions:

The basic Unix permission model:

• Each file has owner (UID), group (GID), and permission bits
• Processes run with a specific UID/GID determining access
• Services run as dedicated users (www-data, postgres, nobody)

# View service user
$ ps aux | grep nginx
www-data  1234  nginx: worker process

# nginx runs as www-data, can only access:
#   - Files owned by www-data
#   - Files with world or group (www-data) permissions
#   - Directories with appropriate traversal permissions

setuid/setgid Bits:

Programs can temporarily acquire elevated privileges:

// Classic pattern: setuid program
int main() {
    FILE *sensitive = fopen("/etc/shadow", "r");  // Needs root
    
    // Immediately drop privileges after opening
    if (setuid(getuid()) < 0) {
        perror("setuid");
        exit(1);
    }
    
    // Process file with normal user privileges
    process_file(sensitive);
    fclose(sensitive);
}

Linux Capabilities:

Linux capabilities split root's monolithic privilege into ~40 distinct capabilities:

# Instead of running as root, grant specific capabilities
$ setcap 'cap_net_bind_service=+ep' /usr/bin/myserver

# myserver can now bind to ports < 1024 without being root

Key capabilities:

Even with reduced capabilities, a process can still make any system call. Seccomp (Secure Computing) allows further restriction by filtering which system calls a process can execute.

Seccomp Modes:

How Seccomp Works:

1. Process installs a BPF (Berkeley Packet Filter) program
2. The BPF program examines each syscall (number, arguments)
3. BPF returns: ALLOW, KILL, ERRNO, TRAP, or LOG
4. Kernel enforces the decision
5. Filters cannot be relaxed after installation

Modern applications achieve least privilege through sandboxing—restricting a process to a limited view of system resources. Several technologies provide sandboxing:

chroot Jails:

The original Unix sandbox, chroot changes the apparent root directory:

# Create a minimal root filesystem
mkdir -p /jail/{bin,lib,etc}
cp /bin/bash /jail/bin/
cp -L /lib/x86_64-linux-gnu/libc.so.6 /jail/lib/

# Run program in jail
chroot /jail /bin/bash
# Program sees /jail as /
# Cannot access /etc/passwd (real one), only /jail/etc/passwd

Limitations of chroot:

• Root can escape (mknod, mount, chroot again)
• Doesn't isolate network, PIDs, users
• Same kernel, same UIDs visible
• Not a security boundary against root

Linux Namespaces:

Namespaces provide comprehensive isolation by giving each process its own view of system resources:

# Unshare namespaces and run command
unshare --mount --pid --fork --user /bin/bash

# Now running in isolated namespace
# PID 1 in this namespace, different mount tree, mapped UID

Container Runtimes (Docker, Podman):

Containers combine namespaces, cgroups, and seccomp for comprehensive isolation:

# Dockerfile implementing least privilege
FROM alpine:latest

# Run as unprivileged user, not root
RUN adduser -D appuser
USER appuser

# Read-only filesystem
VOLUME ["/data"]  # Only /data is writable

# Minimal capabilities
# docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ...

# Run container with extensive restrictions
docker run \
    --user 1000:1000 \           # Non-root user
    --cap-drop=ALL \              # Drop all capabilities
    --read-only \                 # Read-only root filesystem
    --security-opt no-new-privileges \  # Can't gain privs
    --security-opt seccomp=profile.json \ # Syscall filter
    myapp:latest

A powerful design pattern for achieving least privilege is privilege separation: splitting an application into multiple processes with different privilege levels, communicating over a narrow, well-defined interface.

The Pattern:

┌─────────────────────────────────────────────────────┐
│                   Application                        │
│  ┌─────────────────┐   IPC   ┌─────────────────┐    │
│  │  Privileged     │◄───────►│  Unprivileged   │    │
│  │  Component      │         │  Component      │    │
│  │  (small, simple,│         │  (large,complex,│    │
│  │   runs as root) │         │  runs as user)  │    │
│  └─────────────────┘         └─────────────────┘    │
└─────────────────────────────────────────────────────┘

Privileged Component: Opens files, binds ports, authenticates
Unprivileged Component: Parses input, processes data, renders output

OpenSSH Example:

OpenSSH pioneered privilege separation in Unix:

┌──────────────────────────────────────────────────────┐
│                    sshd                               │
│  ┌────────────────┐        ┌─────────────────────┐   │
│  │ sshd (root)    │◄──────►│ sshd (unprivileged) │   │
│  │                │  pipe   │                     │   │
│  │ - Auth users   │        │ - Parse SSH proto   │   │
│  │ - Pty alloc    │        │ - Crypto operations │   │
│  │ - User switch  │        │ - Key exchange      │   │
│  └────────────────┘        └─────────────────────┘   │
│         ▲                            │               │
│         │                            ▼               │
│         └───────►┌─────────────────────────────────┐ │
│                  │ User session (user's UID)       │ │
│                  │ - Run user's shell              │ │
│                  │ - Full network access revoked   │ │
│                  └─────────────────────────────────┘ │
└──────────────────────────────────────────────────────┘

Chrome Browser Architecture:

Chrome uses extensive privilege separation:

Renderers (where untrusted web content runs) are heavily sandboxed: no file access, no network (requests go through browser), seccomp limits syscalls, separate PID namespace.

Implementing least privilege is not without challenges. Understanding these difficulties helps navigate real-world constraints:

Challenge 1: Determining Minimum Privileges

How do you know what privileges a program actually needs?

• Static analysis: Examine code for resource access patterns
• Dynamic analysis: Run program, trace resource access, infer requirements
• Documentation: Read specs, but real behavior may differ
• Trial and error: Remove privileges until it breaks

Problem: Programs often need different privileges at different times or for different inputs. The "minimum" set might vary by use case.

Challenge 2: Granularity Mismatch

Somtimes the available privilege granularity doesn't match needs:

Need: Write to /var/log/myapp.log
Available: CAP_DAC_OVERRIDE (write to ANY file)

Need: Bind to port 443 only
Available: CAP_NET_BIND_SERVICE (bind to ANY port < 1024)

Solution: Use additional mechanisms (seccomp, AppArmor, SELinux) to narrow broad capabilities.

Challenge 3: Usability vs. Security

Strict least privilege can make systems hard to use:

• Users forced to enter passwords constantly
• Administrators can't debug easily
• Developers resist security that slows them down
• Error messages may be unhelpful ("permission denied" without context)

Challenge 4: Legacy Compatibility

Older software often assumes root privileges:

// Legacy code that assumes root
void legacy_function() {
    FILE *f = fopen("/etc/secret", "r");
    if (!f) {
        // Programmer assumed they'd always be root
        abort();  // No graceful fallback
    }
}

Challenge 5: Ambient Authority

In many systems, authority is ambient—processes inherit "who they are" and that determines access. This makes least privilege harder because:

• Programs get privileges from identity, not need
• Temporary privilege is awkward (setuid, sudo)
• Can't delegate subset of privileges without delegating identity

Modern operating systems and platforms have increasingly embraced least privilege, often making it the default:

Mobile Platforms (iOS, Android):

Mobile OSes lead in least privilege enforcement:

┌─────────────────────────────────────────────────────┐
│                 Mobile App Sandbox                   │
│                                                     │
│  ┌───────────────────────────────────────────────┐  │
│  │ App runs in isolated container               │  │
│  │ - Own UID (Android) or sandbox (iOS)         │  │
│  │ - No access to other apps' data              │  │
│  │ - Explicit permission grants for:            │  │
│  │   • Camera, Microphone (prompt)              │  │
│  │   • Location (prompt with options)           │  │
│  │   • Contacts (prompt)                        │  │
│  │   • Files (Scoped Storage/File Picker)       │  │
│  │ - Permissions revocable at any time          │  │
│  └───────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────┘

Apps start with almost no privileges. Each capability must be explicitly requested and granted.

macOS App Sandboxing:

Mac App Store requires sandboxing with entitlements:

<!-- App.entitlements -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    
    <!-- Only network access requested -->
    <key>com.apple.security.network.client</key>
    <true/>
    
    <!-- User-selected files only -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    
    <!-- No access to: camera, microphone, contacts, location, 
         arbitrary files, etc. -->
</dict>
</plist>

Cloud IAM (AWS, GCP, Azure):

Cloud platforms implement fine-grained least privilege:

// AWS IAM Policy - Least privilege for Lambda function
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/input/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/output/*"
    }
  ]
}
// Function can only read from input/ and write to output/
// Not admin, not full S3 access - minimum needed rights

We've explored the principle of least privilege from theory to practice. Let's consolidate the key insights:

What's Next:

We've covered what protection domains are, how to switch between them, the hierarchical ring model, and the principle of least privilege. The final page examines Domain Implementation—how real operating systems implement these concepts through access control lists, capabilities, and mandatory access controls like SELinux.