Failure to drop privileges when reasonable

Revision as of 15:21, 4 August 2006 by Weilin Zhong (Talk | contribs)

Jump to: navigation, search


Failing to drop privileges when it is reasonable to do so results in a lengthened time during which exploitation may result in unnecessarily negative consequences.


  • Access control: An attacker may be able to access resources with the elevated privilege that he should not have been able to access. This is particularly likely in conjunction with another flaw - e.g., a buffer overflow.

Exposure period

  • Design: Privilege separation decisions should be made and enforced at the architectural design phase of development.


  • Languages: Any
  • Platforms: All

Required resources




Likelihood of exploit


Avoidance and mitigation

  • Design: Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.


The failure to drop system privileges when it is reasonable to do so is not a vulnerability by itself. It does, however, serve to significantly increase the Severity of other vulnerabilities. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time.

Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege.

If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically.


In C/C++:

//Do some important stuff
// Do some non privlidged stuff.

In Java:

method() {
  AccessController.doPrivileged(new PrivilegedAction() {
      public Object run() {
      //Insert all code here

Related problems

  • All problems with the consequence of "Access control."