
Principle of Least Privilege

General PHP 5.0+ Intermediate
debt(d8/e6/b6/t6)
d8 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'silent in production until users hit it' (d9), slightly better at d8 because static analysis (e.g. semgrep) can flag a few patterns such as processes started as root or GRANT ALL statements, but most over-privilege is invisible until a breach exposes it. Automated detection: no.

e6 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7), slightly easier at e6 because the quick fix sounds simple ('give minimum permissions'), but in practice tightening DB grants, process users, API key scopes, and service accounts spans infrastructure, deployment, and code; it is not a one-line fix.

b6 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7), slightly less at b6 because the principle applies across web, API, CLI, and queue-worker contexts and shapes how every component is provisioned and deployed, but it is an enabling discipline rather than a single load-bearing abstraction.

t6 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7), slightly less at t6 because the misconception (that PoLP only applies to user accounts and DB permissions) leads developers to miss API tokens, service accounts, process users, and loaded-extension scope; a broad blind spot, but one that does not contradict the expected behaviour of the code.


Also Known As

PoLP, least privilege, minimum privilege principle

TL;DR

Every component should operate with the minimum permissions required to do its job — nothing more.

Explanation

PoLP limits the blast radius of a compromise. A database user that can only SELECT and INSERT cannot DROP tables if SQL injection occurs. A PHP process that can only write to /var/www/uploads cannot overwrite system files if file upload validation fails. Apply PoLP at every layer: database users, OS file permissions, the PHP-FPM process user, API token scopes, and PHP runtime restrictions such as open_basedir and disable_functions. Note what least privilege does not do: a SELECT-only grant still lets an injection read every row the application can, so it narrows the damage rather than replacing input validation. Regularly audit what permissions are actually needed vs. what is granted, and reduce grants as features are removed.

Common Misconception

Least privilege only applies to user accounts and database permissions. It applies to every access decision: API tokens scoped to only the endpoints they need, service accounts with only the required permissions, process users with minimal filesystem access, and a PHP runtime that loads only the extensions the application actually uses.

Why It Matters

Every component should have only the permissions it needs to do its job — limiting blast radius so a compromised component cannot access resources it was never meant to touch.

Common Mistakes

  • Database users with GRANT ALL instead of SELECT, INSERT, UPDATE on specific tables.
  • Application running as root or with sudo — a compromise gives attacker full system access.
  • API keys with write permissions for services that only need read access.
  • Developers with production database write access they never use — privileged access should be time-bounded.

Code Examples

✗ Vulnerable
// DB user with excessive privileges:
$pdo = new PDO('mysql:host=db', 'root', 'password'); // Root user in app!
// Compromise = attacker can DROP DATABASE, create admin users, read all data

// Least privilege:
$pdo = new PDO('mysql:host=db;dbname=myapp', 'app_user', $pass);
// app_user: SELECT, INSERT, UPDATE, DELETE on myapp.* only (no DROP, no ALTER, no GRANT OPTION)
✓ Fixed
-- DB user for the web app: only needs SELECT/INSERT/UPDATE/DELETE on app tables.
-- Never run the app as root or with GRANT OPTION.
-- '%' accepts connections from any host; narrow it to the app tier's address
-- or subnet where the network layout is known.
CREATE USER 'webapp'@'%' IDENTIFIED BY '...secure...password...';
GRANT SELECT, INSERT, UPDATE, DELETE ON myapp.* TO 'webapp'@'%';
-- Separate user for migrations, restricted to localhost and granted the
-- schema-changing privileges explicitly (CREATE, ALTER, DROP, INDEX) rather
-- than ALL PRIVILEGES, so even the migrator cannot create users or read other schemas:
CREATE USER 'migrator'@'localhost' IDENTIFIED BY '...';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX ON myapp.* TO 'migrator'@'localhost';

Beyond the database (PHP runtime and filesystem):
  • Secrets and config files: mode 640 (owner read/write, group read, nothing for others), never 777. Store them with no broader permissions than the process that reads them needs.
  • PHP-FPM process user: www-data or a dedicated account, never root.
  • open_basedir confines PHP's file access to the application's own directory tree; disable_functions removes exec/system/shell_exec and friends when the app never shells out.
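The following PHP script is an added example, not code from the original glossary page or from any project it describes. It turns the advice in the Explanation and the code examples above into a preflight check the application can run at deploy time or on startup: it parses the rows MySQL/MariaDB returns from SHOW GRANTS FOR CURRENT_USER() and flags privileges the web app user should never hold, then checks that the process is not root, that open_basedir is set, and that the config file is not accessible to other users. The function names, the forbidden-privilege list, the config path and the sample grant rows are assumptions constructed for this example.

```php
<?php
// Added example (not from the original page): a least-privilege preflight for a
// PHP application. Function names, the privilege list and the sample grant rows
// are hypothetical; adapt them to the schema and host layout you actually run.

// Privileges a web application's MySQL/MariaDB user should never hold.
// Migrations get their own user (see the SQL above); the app user does not.
const FORBIDDEN_DB_PRIVS = array(
    'ALL PRIVILEGES', 'DROP', 'ALTER', 'CREATE', 'CREATE USER',
    'SUPER', 'FILE', 'PROCESS', 'RELOAD', 'SHUTDOWN',
);

/**
 * Audit the rows returned by `SHOW GRANTS FOR CURRENT_USER()`.
 * A row looks like:  GRANT SELECT, INSERT ON `myapp`.* TO `webapp`@`%`
 * Returns a list of findings; an empty list means the grants look acceptable.
 */
function audit_db_grants(array $grantRows)
{
    $findings = array();
    foreach ($grantRows as $row) {
        if (!preg_match('/^GRANT (.+?) ON (\S+) TO /i', $row, $m)) {
            continue; // not a privilege grant (e.g. a role grant)
        }
        $privs = array_map('trim', explode(',', strtoupper($m[1])));
        $scope = str_replace(array('`', "'"), '', $m[2]);

        // MySQL always emits "GRANT USAGE ON *.*"; USAGE means no privileges.
        if ($privs === array('USAGE')) {
            continue;
        }
        if ($scope === '*.*') {
            $findings[] = "global grant of {$m[1]} on *.* (scope grants to the app schema instead)";
        }
        foreach (array_intersect($privs, FORBIDDEN_DB_PRIVS) as $p) {
            $findings[] = "privilege $p on $scope";
        }
        if (stripos($row, 'WITH GRANT OPTION') !== false) {
            $findings[] = "WITH GRANT OPTION on $scope (user can hand out privileges)";
        }
    }
    return $findings;
}

/**
 * Audit the PHP runtime itself: effective user, open_basedir, config file mode.
 */
function audit_process($configPath)
{
    $findings = array();
    if (function_exists('posix_geteuid') && posix_geteuid() === 0) {
        $findings[] = 'PHP runs as root; run PHP-FPM as an unprivileged user such as www-data';
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset; PHP may read any file the process user can';
    }
    if (is_file($configPath)) {
        $mode = fileperms($configPath) & 0777;
        if ($mode & 0007) { // any permission bit set for "other"
            $findings[] = sprintf('%s is mode %o; use 640 (owner rw, group r, others nothing)', $configPath, $mode);
        }
    }
    return $findings;
}

// Constructed sample rows, in the shape SHOW GRANTS returns them.
$overPrivileged = array('GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION');
$leastPrivilege = array(
    'GRANT USAGE ON *.* TO `webapp`@`%`',
    'GRANT SELECT, INSERT, UPDATE, DELETE ON `myapp`.* TO `webapp`@`%`',
);
// In the real application, feed the live rows instead of the samples:
//   $rows = $pdo->query('SHOW GRANTS FOR CURRENT_USER()')->fetchAll(PDO::FETCH_COLUMN);

$findings = array_merge(
    audit_db_grants($overPrivileged),      // root-style grants: flagged
    audit_db_grants($leastPrivilege),      // scoped DML grants: clean
    audit_process(__DIR__ . '/config.php') // hypothetical config path
);
foreach ($findings as $f) {
    fwrite(STDERR, "least-privilege violation: $f\n");
}
exit($findings ? 1 : 0); // fail closed so a deploy with over-privilege does not go live
```

The grant parser deliberately treats a global `*.*` scope as a finding even when the privilege list itself looks harmless, because a schema-scoped user is the easier one to reason about later. Run the script under the same PHP-FPM pool user the application uses, otherwise the posix_geteuid and open_basedir checks report the wrong process.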

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL: Tools & Severity
Severity: High · Fix effort: Medium
Quick Fix: Give each user, process, and service account only the minimum permissions needed for its specific function, no more.
Applies To: PHP 5.0+ · web · api · cli · queue-worker
Prerequisites: none listed
Detection Hints: Database user with root/all privileges; PHP process running as root; queue worker with admin role
Auto-detectable: No (no semgrep rule)
Related Problems: none listed
AI Agent: Confidence High · False positives Medium · Manual fix · Fix effort Medium · Context: file
CWE: CWE-272 (Least Privilege Violation), CWE-250 (Execution with Unnecessary Privileges)