Design principle of least privilege: Every program and every user should operate using the least amount of privilege necessary to complete the job.

Privilege elevation: Sometimes we need to increase the privilege of an application, but higher privilege is required only for a few operations. Instead of elevating the entire application, elevate the privilege of a single system call. A policy determines which system calls may be elevated.

Example: ntpd occasionally requires privilege to set the system time. Run it unprivileged and elevate just the settimeofday system call.
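
The model below is an added example, not code from the original page or from any real tool: it parses a small policy and decides, call by call, which uid each system call of an unprivileged ntpd runs with. The policy syntax, the uid values and the sample trace are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy, hypothetical syntax: "<syscall>: permit [as <user>]".
# Unlisted system calls are denied (fail closed).
NTPD_POLICY = """
recvfrom: permit
sendto: permit
gettimeofday: permit
settimeofday: permit as root   # the only elevated call
"""
UIDS = {"root": 0, "ntp": 123}  # constructed uid mapping
# Constructed trace of calls made by the unprivileged daemon.
SAMPLE_TRACE = ["recvfrom", "gettimeofday", "settimeofday", "sendto", "execve"]

@dataclass(frozen=True)
class Decision:
    syscall: str
    allowed: bool
    euid: Optional[int]  # uid the call runs with; None when denied

def parse_policy(text):
    """Return {syscall: user}; user None means 'run with the caller's uid'."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, action = line.partition(":")
        words = action.split()
        if sep and words == ["permit"]:
            rules[name.strip()] = None
        elif sep and len(words) == 3 and words[:2] == ["permit", "as"] and words[2] in UIDS:
            rules[name.strip()] = words[2]
        else:
            raise ValueError(f"line {lineno}: unsupported rule {raw!r}")
    return rules

def mediate(rules, caller_uid, trace):
    """Decide each call on its own, so elevation never outlives one system call."""
    decisions = []
    for syscall in trace:
        if syscall not in rules:
            decisions.append(Decision(syscall, False, None))
        else:
            user = rules[syscall]
            euid = caller_uid if user is None else UIDS[user]
            decisions.append(Decision(syscall, True, euid))
    return decisions

if __name__ == "__main__":
    for d in mediate(parse_policy(NTPD_POLICY), UIDS["ntp"], SAMPLE_TRACE):
        print(f"{d.syscall:13} {'euid=' + str(d.euid) if d.allowed else 'DENIED'}")
```

In the sample trace only settimeofday runs with uid 0; the calls before and after it keep the unprivileged uid, and execve, which the policy does not list, is denied.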