4.1. PRIVILEGE SEPARATION

A process that can be controlled by an attacker could potentially be used to perform any task for which the process has the required privileges. If the process is used only for making network connections but also has the ability to replace files in the /Applications folder, then an attacker can subvert it for this second purpose, which isn't even a feature of the application. It is desirable to minimize the rights given to any process in an application, so that the risk associated with threats unrelated to its intended function is reduced.

The principle of least privilege (PoLP) is a design rule that takes such mitigation into account. A system designed according to the PoLP has no more privileges than are required to do its work. There are actually two principles at work here: first, that an application should never have a privilege it is not designed ever to use, and second, that if it needs to gain additional privileges to perform a task it should relinquish them as soon as it has completed that task. The first of these principles reduces the risk that an application can be hijacked to do something unrelated to its function, and the second reduces the window of opportunity for exploiting privileges that the application uses only infrequently.