Privilege Separation

- Reduce the amount of code that runs with special privilege.
- This reduces the number of programming errors occurring in the privileged code path.
- Programming errors in the unprivileged code paths cause no immediate privilege escalation.
- Other abuse is still possible, perhaps denial of service.
- To separate privileges, we need to identify the operations that require them.
- This is a manual process, not an automatic one.
- Usually there are only a few such operations compared to those that can be executed without privilege.
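A minimal sketch of the split described above, added here as an illustration and not taken from the original slides: a privileged monitor forks an unprivileged child that handles all untrusted input and can only ask the monitor for one narrowly defined operation. The names `privsep_run`, `child_main` and `privileged_check`, the `AUTH <user>` input format, the `alice` allowlist and the `nobody` id 65534 are assumptions made for the example.

```c
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_ID 65534 /* assumption: uid/gid of "nobody" on this system */

/* Irreversibly drop root: supplementary groups first, then gid, then uid. */
static void drop_privileges(void) {
    if (geteuid() != 0) return; /* started without privilege, nothing to drop */
    if (setgroups(0, NULL) || setgid(UNPRIV_ID) || setuid(UNPRIV_ID)) _exit(1);
    if (setuid(0) == 0) _exit(1); /* fail closed if root is still recoverable */
}

/* Unprivileged child: all parsing of untrusted input happens here. */
static void child_main(int fd, const char *input) {
    drop_privileges();
    if (strncmp(input, "AUTH ", 5) != 0) abort(); /* stand-in for a parser bug */
    if (write(fd, input + 5, strlen(input + 5) + 1) < 0) _exit(1);
    _exit(0);
}

/* The one privileged operation, reduced to a constructed allowlist check. */
static int privileged_check(const char *user) {
    return strcmp(user, "alice") == 0;
}

/* Monitor: returns 1 granted, 0 denied, -1 child failed (service lost only). */
int privsep_run(const char *input) {
    int sv[2], status;
    char req[32] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); child_main(sv[1], input); }
    close(sv[1]);
    ssize_t n = read(sv[0], req, sizeof(req) - 1); /* req stays NUL-terminated */
    close(sv[0]);
    waitpid(pid, &status, 0);
    if (n <= 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return privileged_check(req); /* the monitor decides, never the child */
}

int main(void) {
    return privsep_run("AUTH alice") == 1 ? 0 : 1;
}
```

A crash in the child (the `abort()` path) surfaces in the monitor only as `-1`: the request is lost, but no privileged code ran on the malformed input.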