Privilege Separation Separation: 1. Set up objects that require privilege 2. Set up a socketpair(), then fork() 3a. Large process chroots to jail, then revokes privs 3b. Little process retains privs 4. Perform most tasks in large process Asking little process to do jobs that require privilege Requires complicated and very detailed programming sshd, syslogd, pflogd, isakmpd, bgpd, tcpdump, named X server, xdm, dhclient Very difficult to develop