
Privilege revocation (computing)

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 212.187.28.214 (talk) at 20:49, 16 August 2007 (See also). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Privilege revocation is the act of an entity giving up some or all of the privileges it possesses, or of some authority taking those (privileged) rights away.

Information theory

Honoring the principle of least privilege at a granularity provided by the base system, such as sandboxing (to that point successful) attacks to an unprivileged user account, helps the reliability of the computing services provided by the system: the chances of restarting such a process are better, and other services on the same machine aren't affected (or at least probably not as much as in the alternative case, i.e. a privileged process gone haywire instead).

Computer security

In computer security, privilege revocation is a measure taken by a program to protect the system against misuse of itself.

Example

Network service daemons, or administrative utilities with setuid bits set, that have to perform some privileged operation only at program load time (such as opening a raw socket or an Internet socket in the well-known ports range) are less of a security risk if they change users to some unprivileged account after doing so. This action is otherwise known as dropping root under Unix-like operating systems.
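
The sequence described above, as an added example that is not part of the original article: a daemon performs its one privileged step (binding a listening socket), then drops root and verifies that root cannot be regained. The function names, port 80 and the uid/gid 65534 are assumptions chosen for illustration.

```c
#define _DEFAULT_SOURCE /* exposes setgroups() on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Permanently switch to an unprivileged uid/gid; 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;   /* "dropping" to root is a caller bug */
    /* Root's supplementary groups would otherwise survive the uid change. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;       /* group first: impossible after setuid */
    if (setuid(uid) != 0) return -1;       /* as root: real, effective and saved uid */
    /* Verify the drop took effect and cannot be undone. */
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;
    if (getuid() != uid || geteuid() != uid || getegid() != gid) return -1;
    return 0;
}

/* The privileged load-time step: listen on a TCP port, e.g. one below 1024. */
int bind_listener(unsigned short port)
{
    struct sockaddr_in addr = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = bind_listener(80);            /* needs root; port chosen for illustration */
    if (fd < 0) { perror("bind_listener"); return 1; }
    if (drop_privileges(65534, 65534) != 0) {  /* assumed ids of an unprivileged account */
        fprintf(stderr, "could not drop root, refusing to continue\n");
        return 1;
    }
    printf("listening on fd %d as uid %d\n", fd, (int)getuid());
    close(fd);
    return 0;
}
```

The socket opened while privileged stays usable after the drop, which is why the privileged operation is needed only at load time. A failed drop is treated as fatal so the service never continues running as root.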

Law terminology

In law, the general term is often used when discussing some paper, such as a driver's licence, being voided after a (negative) condition is met by the holder.
