Privilege revocation (computing)

This article includes a list of references, related reading, or external links, but its sources remain unclear because it lacks inline citations. Please help improve this article by introducing more precise citations. (December 2008) (Learn how and when to remove this message)

Privilege revocation is the act of an entity giving up some, or all of, the privileges they possess, or some authority taking those (privileged) rights away.

Privileges maybe revoked either to aid reliability of computing services provided by the system. As the chances of restarting such a process are better, and other services on the same machine aren't effected (or at least probably not as much as in the alternative case: i.e. a privileged process gone haywire instead). Or to enforce authoritative mandate.

In computing security privilege revocation is a measure taken by a program to protect the system against misuse of itself. Honoring the principle of least privilege at a granularity provided by the base system such as sandboxing of (to that point successful) attacks to an unprivileged user account; this to helps reduce risks of escalation of privileges.

Privilege revocation is a variant of privilege separation whereby the program terminates the privileged part immediately after it has served its purpose. Revocation of privileges is a technique of defensive programming.

In law the general term is often used when discussing some paper, such as a drivers licence<ref>tate of Rhode Island General Assembly, AN ACT RELATING TO SUSPENSION OF SCHOOL BUS DRIVER'S CERTIFICATES, CHAPTER 36, 97-H 5836 am, Approved July 1 1997, being voided after a (negative) condition is met by the holder.

• Protection Profile for Privilege-Directed Content Authoriszor Ltd, Ref: Auth_CC/PP/DES/01, Issue 1.3, 22 December 2000
• LOMAC: Low Water-Mark Integrity Protection for COTS Environments by Timothy Fraser