In this lesson, we will start on one of the most important security design principles, the principle of least privilege. Many vulnerabilities in existing systems have been found to violate this basic security principle. In those cases, users and processes are granted access privileges to a system beyond what they need. When hackers steal the users' credentials or break into the processes, they assume that privilege and cause additional harm. Page nine of Saltzer and Schroeder's 1975 seminal paper on the basic principles of information protection states that every program and every user of the system should operate using the least set of privileges necessary to complete the job. It limits the damage from errors, accidents, or even break-ins. Unintentional, unwanted, or improper uses of privilege are less likely to occur. It also reduces the number of subjects that need to be audited when a problem occurs. The military security rule of need-to-know is an example of this principle.

Here, we examine how the principle of least privilege is applied in current Unix security policies and implementations. Least privilege can mean no privilege at all: if a person has no need to access a Unix system, we shouldn't create an account for him. Another example comes from the policy of current Unix systems. By default, when a user's account is created, the system will not allow others to access the new user's home directory. Here we used useradd p3i to create a new user account on the machine called viva, running the new Fedora Core 25 operating system. We then used the ls -al /home/p3i command to list its home directory content. We observe that its home directory was created with access rights where only the owner can access it. The first 11 characters of the directory entry indicate the access rights; d means this is a directory. The next three-letter group is the access right of the owner of the directory or file.
It shows rwx, which means the owner, in this case p3i, can read, write, and execute this directory. To execute a directory means we can go inside it, or open it, for further access. The next three-letter group is the access right of the group p3i, which has the same name as the user. Here they are all dashes, meaning that the group does not have read, write, or execute rights on this directory. The last three-letter group specifies the access rights of the other users in the system. Here again, they do not have read, write, or execute access rights to p3i's home directory. With no execute right, other users cannot browse p3i's home directory. It is safer this way. The last character in the access right string indicates that there are no additional extended rights associated with this directory. Sometimes we associate an access control list with the entry; then it is indicated with a plus sign.

Here we show how to share read access to a document called nsa.docx with others in this Unix system. We created the file, but found it had the write privilege for the group. We remove it with the chmod g-w command; here g means group, the minus means remove, and chmod changes the access mode, so this removes the write access privilege from the p3i group. We then use the chmod go+rx command to allow others to access the p3i home directory. With the r-- access right for any user in the system on nsa.docx, any user can then read the document, but without the write privilege.

The other famous example is append-only access. For example, the mail program is only allowed to append incoming emails to a person's inbox. It is not even allowed to read the existing mail there. It cannot peek into what others have sent, even when the mail program has been broken into. The mail program was notorious in the past for having many security holes. The append-only privilege addresses many of those previous vulnerabilities. Here we show a file being opened with the append access right.
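The permission string and the two chmod steps above are easy to misread, so here is an added example (my own code, not the lesson's) that decodes an ls -l mode string such as drwx------+ into owner, group and other rights plus the ACL marker, flags the settings a reviewer would question, and then replays the sharing procedure on a constructed temporary home directory: a directory created as drwx------, a file that is still group-writable, chmod g-w on the file, and chmod go+rx on the directory. The names p3i and nsa.docx come from the lesson; the temporary directory and the file contents are constructed for the demonstration.

```python
import os
import stat
import tempfile


def decode_mode_string(mode_str):
    """Decode an ls -l style string such as 'drwx------+' into its parts.

    Position 0 is the type (d = directory, - = regular file, l = symlink),
    positions 1-3 the owner rights, 4-6 the group rights, 7-9 the rights of
    everybody else, and an optional 11th character '+' flags an attached ACL.
    """
    if len(mode_str) not in (10, 11):
        raise ValueError("expected 10 or 11 characters, got %r" % mode_str)
    kind = {"d": "directory", "-": "file", "l": "symlink"}.get(mode_str[0], "other")

    def triple(bits):
        # 's' or 't' in the execute slot means setuid/setgid/sticky plus execute;
        # uppercase 'S'/'T' would mean the special bit without execute.
        return {"read": bits[0] == "r",
                "write": bits[1] == "w",
                "execute": bits[2] in "xst"}

    return {"type": kind,
            "owner": triple(mode_str[1:4]),
            "group": triple(mode_str[4:7]),
            "other": triple(mode_str[7:10]),
            "acl": len(mode_str) == 11 and mode_str[10] == "+"}


def least_privilege_findings(mode_str):
    """Return the settings on this entry that deserve a second look."""
    info = decode_mode_string(mode_str)
    findings = []
    if info["other"]["write"]:
        findings.append("world-writable")
    if info["group"]["write"]:
        findings.append("group-writable")
    if info["type"] == "directory" and info["other"]["execute"]:
        findings.append("others can enter directory")
    if info["acl"]:
        findings.append("ACL attached; check getfacl for extra grantees")
    return findings


def share_read_only(path):
    """Equivalent of chmod g-w (and o-w), keeping r-- for group and others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode &= ~(stat.S_IWGRP | stat.S_IWOTH)      # remove write from group and others
    mode |= stat.S_IRGRP | stat.S_IROTH          # make sure read stays available
    os.chmod(path, mode)
    return stat.filemode(os.stat(path).st_mode)


def open_directory_for_traversal(dirpath):
    """Equivalent of chmod go+rx: let group and others list and enter it."""
    mode = stat.S_IMODE(os.stat(dirpath).st_mode)
    mode |= stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH
    os.chmod(dirpath, mode)
    return stat.filemode(os.stat(dirpath).st_mode)


def demo_share_document():
    """Replay the lesson's steps on a constructed home directory."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "p3i")
        os.mkdir(home)
        os.chmod(home, 0o700)          # what useradd gave us: drwx------
        doc = os.path.join(home, "nsa.docx")
        with open(doc, "w") as fh:
            fh.write("constructed sample document\n")
        os.chmod(doc, 0o664)           # as found in the lesson: group can still write
        before = stat.filemode(os.stat(doc).st_mode)
        after = share_read_only(doc)             # chmod g-w
        home_after = open_directory_for_traversal(home)   # chmod go+rx
        return before, after, home_after


if __name__ == "__main__":
    print(decode_mode_string("drwx------+"))
    print(least_privilege_findings("-rw-rw-r--"))
    print(demo_share_document())
```

Note that opening the home directory with go+rx is what makes the shared file reachable at all, since without the execute bit on the directory other users cannot even resolve the path to nsa.docx; the finding "others can enter directory" is therefore a prompt to confirm the sharing was intended, not an error.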
Similarly, we would like to restrict server processes, or even admins, to only appending records to the end of a log file, and thus allow auditing. It preserves the evidence of violations of the access policy. Here we show the new journal log file created by the systemd journal daemon in the directory /var/log/journal in the new Fedora Core operating system. Here the plus sign at the end of the access string indicates that extended access permission is associated with this file. Not long ago the Apache web server was run under the root account. Can you imagine that? When one of its vulnerabilities was exploited, the whole system could be shut down and the file system wiped out because of the root privilege. Recently, it is no longer configured to run as root; it runs as the nobody account or the apache account. When it is exploited, it can only cause limited damage and access fewer files.

In summary, we showed how this principle of least privilege can be applied to the protection of the system and of user data. Do not create accounts for requests that do not have a legitimate purpose. Protect the local user directory from insider attacks by other users. Create read-only shared access to documents; do not allow write access by default. Configure the mail program to only append incoming mails to the mailbox, not even allowing it to read previous emails. Server processes are only allowed to append records to the log, not overwrite existing records. Configure the web server to run under the lowest-privileged account, so that we avoid unnecessary damage when it is exploited.
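To make the append-only idea from the mail and log examples concrete, here is an added example (my own code, not the lesson's) that opens a log with the append access right and nothing else. The descriptor is write-only, so the process cannot read the records already there, and O_APPEND makes the kernel place every write at the end of the file, so even a seek back to the beginning followed by a write cannot overwrite an earlier record. The log path and its records are constructed for the demonstration.

```python
import os
import tempfile


def open_append_only(path):
    """Open a log for appending with no read capability at all.

    O_WRONLY means this descriptor cannot read what is already in the file;
    O_APPEND makes the kernel put every write at the current end of file,
    no matter where the writer has seeked.
    """
    return os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o640)


def append_record(fd, record):
    """Append one line to the log through an append-only descriptor."""
    os.write(fd, (record + "\n").encode())


def demo_append_only_log():
    """Show what an append-only descriptor can and cannot do."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "audit.log")
        with open(log, "w") as fh:
            fh.write("constructed record 1\n")   # a pre-existing entry

        fd = open_append_only(log)
        try:
            os.read(fd, 64)                        # write-only descriptor: EBADF
            could_read = True
        except OSError:
            could_read = False

        os.lseek(fd, 0, os.SEEK_SET)               # try to position over record 1
        append_record(fd, "OVERWRITE ATTEMPT")     # O_APPEND sends it to the end
        append_record(fd, "constructed record 2")
        os.close(fd)

        with open(log) as fh:
            lines = fh.read().splitlines()
        return could_read, lines


if __name__ == "__main__":
    print(demo_append_only_log())
```

O_APPEND is a discipline the process imposes on itself: a compromised mail or server process could reopen the file without it, or truncate the file through a write-only descriptor. The stronger guarantee in the lesson comes from the operating system rather than the program: on Linux the append-only file attribute (chattr +a, which requires CAP_LINUX_IMMUTABLE to set or clear) rejects truncation and non-append opens even by the file owner, and the ACL shown on the journal file decides who may read it.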