Thursday, July 17, 2008

No privilege escalation

Consider an operating system with no privilege escalation, other than reboot to Administrator Mode.

So long as a running system offers any legitimate means of gaining superuser access, for example the su or sudo commands, there is guaranteed to be potential for illegitimate privilege escalation: each such means is privileged code that takes untrusted input and decides whether to hand out more authority, so a bug in it, or in the policy behind it, is an escalation path. Is it possible to design an OS so that privilege escalation, legitimate or otherwise, is impossible on a running system?
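
Linux has since grown a mechanism that gives a single process tree roughly the property asked for here: the no_new_privs flag (prctl PR_SET_NO_NEW_PRIVS, added in Linux 3.5, four years after this post). Once a process sets it, neither it nor any descendant can gain privilege through execve: setuid and setgid bits and file capabilities are ignored, so su and sudo run as the unprivileged caller and fail; the flag cannot be cleared, and it survives fork and execve. The program below is an added example written for this page, not code from the original post. It assumes a Linux host and demonstrates the three properties (the lock can be set, cannot be unset, and is inherited by children). It does not make escalation impossible system-wide, which is the actual question above: a kernel bug, or any process that never set the flag, is still a path up.

```c
// Added example (not from the original post): Linux no_new_privs as a
// process-tree approximation of "no privilege escalation on a running system".
// Assumes a Linux kernel >= 3.5; no root needed.
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lock the calling process and every future descendant out of privilege
 * escalation via setuid/setgid bits and file capabilities on execve.
 * Returns 1 when the kernel reports the flag set afterwards, 0 otherwise. */
int lock_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return 0;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
}

/* Try to undo the lock. The kernel only accepts arg2 == 1 for this option,
 * so a request to set it to 0 fails with EINVAL: there is no way back, and
 * because the flag is preserved across execve, no new program image can
 * shed it either. Returns 1 if the kernel refused as documented. */
int try_unlock(void) {
    errno = 0;
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return rc == -1 && errno == EINVAL;
}

/* Fork a child and ask it whether it inherited the flag. Returns 1 if the
 * child reports no_new_privs == 1, 0 on any failure. */
int child_inherits_lock(void) {
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        /* Child: exit status 0 means "locked", anything else means "not". */
        _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    printf("lock set:            %d\n", lock_no_new_privs());
    printf("unlock refused:      %d\n", try_unlock());
    printf("child inherits lock: %d\n", child_inherits_lock());
    return 0;
}
```

Build with `cc -o nnp nnp.c` and run as an ordinary user. Once the lock is set, exec'ing sudo or su from this process (or from any child) runs the binary with the caller's own uid, because the kernel ignores the setuid bit under no_new_privs, and the command fails; the only way to obtain a privileged process again is from outside the locked tree, which is the analogue of the reboot in the design above.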

Unfortunately, for general-purpose systems we care more about privilege separation than about non-escalation: the administrator of a multi-user machine needs to install software, add users and repair things while other sessions keep running, and a no-escalation design would turn every such task into a reboot. But this no-escalation OS might still be useful for certain single-purpose, single-user systems, where a reboot into Administrator Mode is an acceptable maintenance step, or as part of a larger solution involving virtualization, for example a guest whose administration is done from outside by the host.
