Privsep and privdrop
In 1997, Daniel J. Bernstein published qmail, composed of several programs with different privileges interacting with each other, with only a couple of them running as root, to reduce the attack surface.
Around the same time, Postfix used the same approach.
In 2002, Niels Provos implemented privsep in OpenSSH.
Nowadays, a lot of network-facing programs and services in OpenBSD drop their privileges as soon as possible (privdrop): ping, portmap, traceroute, rwalld, pppd, spamd, httpd, named, authpf, …
In February 2023, Florian Obser published a nice article on the topic: Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD.
When it’s not possible to drop privileges, privilege separation is used, for example in bgpd, dhclient, ldapd, npppd, ntpd, nppd, ospfd, radiusd, sshd, relayd, opensmtpd, snmpd, syslogd, xlock, …
In 2023, Dave Voutila published a paper and gave an associated talk at AsiaBSDCon 2023 about privilege separation and dropping in OpenBSD’s hypervisor, vmd(8), as well as a healthy dose of pledge and unveil applied on it. This is amazing work.
As Ivan Fratric said in 2019:
Empirical evidence suggests that attack surface reduction is one of the most impactful (if not the most impactful) things that can be done for product security. Going the opposite way is… disappointing.