Only Grant Necessary Privileges

It is often convenient during development to remove all potential restrictions that might hinder your progress in any way. The classic example of this is in CGI programming, where the Web server must have execute privileges on the CGI script in order to run it. Insufficient privileges result in an error, so a common method of ruling out privilege problems when debugging a script was to grant read, write, and execute privileges to everyone (chmod 777 on Unix), removing all access restrictions. Quite often these permissions would remain, and the unnecessary privileges left intact created a security hole. The approach was to get the application working and then consider the job complete.

Every access restriction that is removed lessens security, even if only slightly. Thus, it is always best to first consider exactly which privileges are necessary to achieve the desired task. Even required privileges lessen security, so you should take the approach of managing with the fewest privileges possible. This applies not only to the filesystem permissions used in your application but also within your programming logic itself. Some developers make the mistake of only considering legitimate uses of their application during the design.

For example, consider an application that is being created for an office assistant and an office manager. The assistant only needs the ability to examine data in the application, whereas the manager also wants to be able to alter the data. Because it is much easier to create an application that does not distinguish between the two, the assistant might be given the ability to alter data as well, on the grounds that the assistant is trustworthy. What the developer does not consider is a compromise of the assistant's account. With a better design, such a compromise would only risk exposing sensitive data; with the excessive privileges, the impostor can alter the sensitive data as well.
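As an added illustration (not code from the book), the office scenario above in Python: the role names, the permission sets, the sample report record and the simulated account-compromise check are all constructed for this example.

```python
# Added example for the office-assistant/manager scenario; the role names,
# the sample report record and the compromise check are constructed.
from dataclasses import dataclass, field

# Each role is granted only the operations it needs. The assistant gets no
# "alter" permission even though the person holding the role is trusted.
ROLE_PERMISSIONS = {
    "assistant": frozenset({"view"}),
    "manager": frozenset({"view", "alter"}),
}

@dataclass
class User:
    name: str
    role: str

    def can(self, operation: str) -> bool:
        # Unknown roles get no privileges at all (fail closed).
        return operation in ROLE_PERMISSIONS.get(self.role, frozenset())

@dataclass
class ReportStore:
    """Checks privileges on every access, not only in the user interface."""
    records: dict = field(default_factory=lambda: {"q1": "Q1 revenue: 120k"})

    def view(self, user: User, key: str) -> str:
        if not user.can("view"):
            raise PermissionError(f"{user.name} may not view {key}")
        return self.records[key]

    def alter(self, user: User, key: str, value: str) -> None:
        if not user.can("alter"):
            raise PermissionError(f"{user.name} may not alter {key}")
        self.records[key] = value

def compromised_account_damage(store: ReportStore, role: str) -> tuple:
    """What an attacker holding an account with `role` can do: returns
    (could_read, could_alter). The assistant's account exposes data only."""
    attacker = User(f"attacker-as-{role}", role)
    could_read = could_alter = False
    try:
        store.view(attacker, "q1")
        could_read = True
        store.alter(attacker, "q1", "Q1 revenue: 0")
        could_alter = True
    except PermissionError:
        pass
    return could_read, could_alter
```

The check is enforced in the data store rather than in the screens that call it, so a caller that bypasses the user interface is still limited to its role's privileges.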
