Richard Bucker

Principle of Least Privilege

Posted at — Oct 6, 2021

I was reading a doc Security in Chrome OS when I read the statement:

Chrome OS enforces a clear separation between the root or supervisor user in the underlying Linux system, and the operating system kernel. This is another case of enforcing the principle of least privilege.

As I consider all the crazy things sysadmins do to deploy applications from chroot to containers and such it always seems to come down to doing things that seem unnatural in a technical way. I know I spend too much time as root and I also know that making a user an “administrator” merely hides the “role” from the security intent.

In an upcoming project deployment I will create a user per application with an application home directory. This will effectively sandbox each application in user space. From that point I can decide whether to chroot or not (trust in the code supply chain). One challenge will be launching the application… depending on the distribution it’ll be daemontools-like or systemd. While this is not ideal from a “role” security model but it does set the framework and does not artificaially wrap the app in root… with some smarts the service engine could be configured in a way similar to itself.