Frequently Asked Question
What is the principle of least privilege and why does it underpin everything?
The principle of least privilege says that every user, process, and service should be granted exactly the permissions it needs to do its job and no more. It is older than Linux: Saltzer and Schroeder articulated it in their 1975 paper on the protection of information in computer systems, and it underpins almost every other practice in this chapter. Running a database as its own non-root user, scoping sudo rules to a single command, dropping kernel capabilities a daemon does not need, and restricting a service to read-only paths via systemd directives are all specialisations of the same idea.
The reason it matters is that exploits do not arrive with a label saying which privileges they will use. Bugs in a web server are inevitable; whether a given bug lets the attacker read /etc/shadow, install a rootkit, or pivot to other hosts is decided almost entirely by how much privilege the web server held when the bug fired. If it was running as www-data with no write access outside /var/www, the blast radius is small. If it was running as root inside a container with the host filesystem mounted, the blast radius is everything.
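The systemd specialisations listed above (non-root user, dropped capabilities, read-only paths) are what keep the web-server blast radius small. The script below is an added example, not code from the original page: it embeds two constructed unit files for a hypothetical `example-httpd` service, one permissive and one least-privilege, and a small audit that reports which least-privilege directives a unit is missing. The directives themselves (`User=`, `CapabilityBoundingSet=`, `AmbientCapabilities=`, `NoNewPrivileges=`, `ProtectSystem=`, `ReadWritePaths=`, `PrivateTmp=`) are real systemd options documented in systemd.exec(5); the service name and paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the page): audit a systemd unit for least-privilege
# directives. Both unit files are constructed samples for a hypothetical
# /usr/sbin/example-httpd service.

# Constructed sample: runs the web server as root with no sandboxing at all.
weak_unit() {
cat <<'EOF'
[Unit]
Description=Example web server (permissive)

[Service]
ExecStart=/usr/sbin/example-httpd
User=root
EOF
}

# Constructed sample: the same service scoped to what a web server needs.
hardened_unit() {
cat <<'EOF'
[Unit]
Description=Example web server (least privilege)

[Service]
ExecStart=/usr/sbin/example-httpd
User=www-data
Group=www-data
# Keep only the ability to bind ports below 1024; drop every other capability.
# AmbientCapabilities is what actually hands the capability to a non-root user;
# CapabilityBoundingSet alone only limits what can ever be acquired.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Whole filesystem read-only except the paths listed in ReadWritePaths.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/www/uploads /var/log/example-httpd
PrivateTmp=yes
EOF
}

# Helper: if the unit text in $unit does not match pattern $1, print "missing: $2"
# and bump the finding counter. Runs in the current shell so $findings persists.
_check() {
    if ! printf '%s\n' "$unit" | grep -Eq "$1"; then
        echo "missing: $2"
        findings=$((findings + 1))
    fi
}

# Read a unit file on stdin, print one "missing:" line per absent directive,
# then print the total number of findings as the last line (0 = passes).
audit_unit() {
    unit=$(cat)
    findings=0
    # User= must be present and must not be root.
    if printf '%s\n' "$unit" | grep -Eq '^User=root$' || \
       ! printf '%s\n' "$unit" | grep -Eq '^User='; then
        echo "missing: non-root User="
        findings=$((findings + 1))
    fi
    _check '^CapabilityBoundingSet=' 'CapabilityBoundingSet= (drop unneeded capabilities)'
    _check '^NoNewPrivileges=yes$'   'NoNewPrivileges=yes (block setuid/setcap escalation)'
    _check '^ProtectSystem=(strict|full)$' 'ProtectSystem=strict (read-only filesystem)'
    _check '^PrivateTmp=yes$'        'PrivateTmp=yes (private /tmp)'
    echo "$findings"
}

# Convenience wrappers that return just the finding count for each sample.
weak_findings()     { weak_unit     | audit_unit | tail -n 1; }
hardened_findings() { hardened_unit | audit_unit | tail -n 1; }

echo "permissive unit:"; weak_unit | audit_unit
echo "hardened unit:";   hardened_unit | audit_unit
```

The permissive unit produces five findings; the hardened one produces none. On a live host, `systemd-analyze security example-httpd.service` scores the same class of directives for real. Two caveats worth knowing before copying the hardened unit: `ProtectSystem=strict` makes the entire filesystem read-only, so every path the daemon writes (uploads, logs, sockets) has to appear in `ReadWritePaths=` or the service will fail at runtime, and `CapabilityBoundingSet=` by itself grants nothing to a non-root `User=`; `AmbientCapabilities=` is what lets www-data bind port 80.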
Treat every privilege grant as a question rather than a default. Does this cron job really need root? Does this CI container really need network access? Does this developer really need sudo on production? Most of the time the honest answer is no, and the smaller the answer, the smaller your worst-case incident.