Privilege (computing)



In computing, privilege is defined as the delegation of authority over a computer system. A privilege is a permission to perform an action. Examples of various privileges include the ability to create a file in a directory, or to read or delete a file, access a device, or have read or write permission to a socket for communicating over the Internet.

Users who have been delegated absolute control are called privileged. Users who lack most privileges are defined as unprivileged, regular, or normal users.


Theory

Privileges can either be automatic, granted, or applied for.

An automatic privilege exists when there is no requirement to have permission to perform an action. For example, on systems where people are required to log into a system to use it, logging out will not require a privilege. Systems that do not implement file protection - such as MS-DOS - essentially give unlimited privilege to perform any action on a file.

A granted privilege exists as a result of presenting some credential to the privilege-granting authority. This is usually accomplished by logging on to a system with a username and password; if the username and password supplied are correct, the user is granted additional privileges.

A privilege is applied for by either an executed program issuing a request for advanced privileges, or by running some program to apply for the additional privileges. An example of a user applying for additional privileges is provided by the sudo command to run a command as the root user, or by the Kerberos authentication system.

Modern processor architectures have CPU modes that allow the OS to run at different privilege levels. Some processors have two levels (such as user and supervisor); i386+ processors have four levels (#0 with the most, #3 with the least privileges). Tasks are tagged with a privilege level. Resources (segments, pages, ports, etc.) and the privileged instructions are tagged with a demanded privilege level. When a task tries to use a resource, or execute a privileged instruction, the processor determines whether it has the permission (if not, a "protection fault" interrupt is generated). This prevents user tasks from damaging the OS or each other.
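The check described above can be modeled in a few lines of C. This is an added example, not part of the original article; it goes beyond the text by using the i386 rules for the selector's requested privilege level (RPL), the I/O privilege level (IOPL) and the I/O permission bitmap, and all type and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of i386 protected-mode checks; ring 0 = most privileged. */
enum fault { OK = 0, PROTECTION_FAULT = 1 };

struct task {
    int cpl;  /* current privilege level the task runs at */
    int iopl; /* I/O privilege level held in the task's flags */
};

/* Constructed sample tasks: a ring-0 kernel task and a ring-3 user task. */
static const struct task KERNEL_TASK = { 0, 0 };
static const struct task USER_TASK = { 3, 0 };

/* Data segment: max(CPL, RPL) must not exceed the segment's demanded level
 * (DPL). The selector's RPL lets the kernel act "as weakly as" its caller. */
static enum fault access_data_segment(const struct task *t, int rpl, int dpl)
{
    int effective = t->cpl > rpl ? t->cpl : rpl;
    return effective <= dpl ? OK : PROTECTION_FAULT;
}

/* Port I/O: allowed when CPL <= IOPL; otherwise only if the task's I/O
 * permission bitmap (modeled here as one flag) opens that port. */
static enum fault access_io_port(const struct task *t, bool bitmap_allows)
{
    if (t->cpl <= t->iopl)
        return OK;
    return bitmap_allows ? OK : PROTECTION_FAULT;
}

/* Privileged instructions (such as loading descriptor tables) need ring 0. */
static enum fault exec_privileged_insn(const struct task *t)
{
    return t->cpl == 0 ? OK : PROTECTION_FAULT;
}

int main(void)
{
    printf("user reads DPL-0 segment:   %d\n", access_data_segment(&USER_TASK, 3, 0));
    printf("user reads DPL-3 segment:   %d\n", access_data_segment(&USER_TASK, 3, 3));
    printf("kernel with RPL 3 on DPL 0: %d\n", access_data_segment(&KERNEL_TASK, 3, 0));
    printf("user port I/O, no bitmap:   %d\n", access_io_port(&USER_TASK, false));
    printf("user privileged insn:       %d\n", exec_privileged_insn(&USER_TASK));
    return 0;
}
```

The third case shows why the RPL exists: a ring-0 task that uses a selector handed to it by a ring-3 caller is held to ring 3 for that access.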

In computer programming, exceptions related to privileged instruction violations may be caused when an array is accessed out of bounds or an invalid pointer is dereferenced and the invalid memory location referenced is a privileged location, such as one controlling device input/output. This is more likely to occur in programming languages such as C, which use pointer arithmetic or do not check array bounds automatically.

Unix

On Unix-like systems, the superuser (commonly known as 'root') owns all the privileges. Ordinary users are granted only enough permissions to accomplish their most common tasks.

Unprivileged users usually cannot:

  • Adjust kernel options.
  • Modify system files, or files of other users.
  • Change the owner of any files.
  • Change the runlevel (on systems with System V-style initialization).
  • Adjust ulimits or disk quotas.
  • Start or stop daemons.
  • Signal processes of other users.
  • Create device nodes.
  • Create or remove users or groups.
  • Mount or unmount volumes, although it is becoming common to allow regular users to mount and unmount removable media, such as Compact Discs. This is typically accomplished via FUSE.
  • Execute the contents of any sbin/ directory, although it is becoming common to simply restrict the behavior of such programs when executed by regular users.
  • Bind ports below 1024.

Windows NT

On Windows NT-based systems, privileges are delegated in varying degrees. These delegations can be defined using the Local Security Policy Manager (SECPOL.MSC). The following is an abbreviated list of the default assignments:

  • 'NT AUTHORITY\System' is the closest equivalent to the Superuser on Unix-like systems. It has many of the privileges of a classic Unix superuser, such as being a trustee on every file created.
  • 'Administrator' is one of the closest equivalents to the Superuser on Unix-like systems. However, this user cannot override as many of the operating system's protections as the Superuser can.
  • Members of the 'Administrators' group have privileges almost equal to 'Administrator'.
  • Members of the 'Power Users' group have the ability to install programs and back up the system.
  • Members of the 'Users' group are the equivalent of unprivileged users on Unix-like systems.

Privileges are effectively defeated on Windows NT-based systems that do not use the NTFS file system, as they cannot administer permissions on files or directories.



Wikimedia Foundation. 2010.
