Wed 27 Jun 2012
Running with Least Privilege: Software Vegetarianism
Posted by Matthew E under Uncategorized
1 Comment
The term “Least Privilege” refers to the ideal of limiting a system to the bare minimum of resources it needs to function. As it applies to using a computer for work, it can mean using your computer while running under a user account that does not have full-time (or any) super-user or Administrator rights.
This has many benefits, chiefly limiting a system’s exposure to accidental changes or malware attacks. For software developers it has the added benefit of ensuring your software will install and function properly in such an environment. But developers frequently need those elevated rights for installing utilities, configuring the system for use-case testing, and using third-party tools that aren’t access-rights savvy. So while many developers are aware of this practice, they aren’t inclined to work that way themselves.
I imagine that some least-privilege-resistant developers react to their more secure peers in a way very similar to how some people react to a person who is or claims to be a vegetarian.
Reaction #1: Quiet Admiration
Sure sounds like a good idea, and is probably good for you, but I don’t think I’ve got the discipline to do it myself.
Reaction #2: Suspicion of Dedication to the Ideal
We’ve all encountered folks who claim to be “mostly” vegetarian, but do allow themselves some animal sources. Is she really running that MacBook Pro under a Standard User account? I’m pretty sure I saw a “sudo” command in that Terminal window…
Reaction #3: A Cry for Attention
Are those who are claiming to run under least privilege just trying to score “I’m better than you” points? They’re just doing it so they can blog about it and feel superior.
Reaction #4: “I’ll Convince You that You’re Wrong”
Some folks like to argue just to hear themselves talk. You know that guy gnawing on his 15th buffalo wing proclaiming that a vegetarian diet is incomplete and unhealthy? He’s the same one who’s certain that his un-patched Windows XP is just as safe as your system. And it runs faster, too.
Reaction #5: “It’s a Phase”
The shine will wear off this fad pretty soon. You’ll be eating barbecue ribs and running Admin accounts with weak passwords by year’s end.
Do you run under least privilege, or have you tried it and given up?
June 29th, 2012 at 2:04 pm
I’ve tried again and again, usually with every new release of Windows and/or the Microsoft development tools. So far I’ve found the tools themselves make it practically impossible to live that way. The same is true of pro-audio applications and video games these days. So on the whole the first thing I do is disable UAC and run as an admin. If there comes a day when the apps/tools I need every day actually work that way, then I’ll work that way. Until then my hands are largely tied.