Principle of Least Privilege - Implementation

Implementation

The kernel always runs with maximum privileges since it is the operating system core and has direct hardware access. One of the principal responsibilities of an operating system, particularly a multi-user operating system, is managing the availability of the hardware and the requests from running processes to access it. When the kernel crashes, the mechanisms by which it maintains state also fail. Even if there is a way for the CPU to recover without a hard reset, the code that resumes execution is not always what it should be. Security continues to be enforced, but the operating system cannot respond to the failure properly, because it was never able to detect the failure: kernel execution either halted or the program counter resumed execution somewhere inside an endless, and usually non-functional, loop.

If execution picks up after the crash by loading and running trojan code, the author of that code can usurp control of all processes. The principle of least privilege forces code to run with the lowest privilege or permission level possible so that, if this occurs, or even if execution merely resumes from an unexpected location, whatever resumes execution lacks the ability to do harm. One way to accomplish this is implemented in the microprocessor hardware itself: the Intel x86 architecture, for example, defines four running "modes", or rings (ring 0 through ring 3).

As implemented in some operating systems, processes execute with a potential privilege set and an active privilege set. Such privilege sets are inherited from the parent as determined by the semantics of fork. An executable file that performs a privileged function, and thereby technically constitutes a component of the TCB (it is concomitantly termed a trusted program or trusted process), may also be marked with a set of privileges, a logical extension of the notions of set user ID and set group ID. The inheritance of file privileges by a process is determined by the semantics of the exec family of system calls. The precise manner in which potential process privileges, actual process privileges, and file privileges interact can become complex. In practice, least privilege is enforced by forcing a process to run with only those privileges required by its task. Adherence to this model is quite complex as well as error-prone.
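The interaction of process and file privilege sets described above is easiest to see on a concrete system. The following is an added example, not part of the original article, that models the rules Linux applies to its capability sets across fork and execve as documented in capabilities(7): the permitted set is the "potential" privilege set, the effective set is the "active" one, and the file's capability sets play the role of the privileges a trusted executable is marked with. The capability names are the real Linux ones; the process and file states fed into the model are constructed sample inputs, and set-user-ID files are assumed absent.

```python
"""Model of Linux capability-set transitions across fork() and execve().

Added example (not from the original article). The transformation rules are
those documented in capabilities(7):

    P'(ambient)   = privileged_file ? 0 : P(ambient)
    P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
    P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
    P'(inheritable) = P(inheritable)      (unchanged)
    P'(bounding)    = P(bounding)         (unchanged)

A "privileged file" is one carrying file capabilities (or set-UID/GID, which
this model assumes away).
"""
from dataclasses import dataclass

# Real Linux capability names used as sample values.
CAP_NET_BIND_SERVICE = "CAP_NET_BIND_SERVICE"
CAP_DAC_OVERRIDE = "CAP_DAC_OVERRIDE"
CAP_SYS_ADMIN = "CAP_SYS_ADMIN"
ALL_CAPS = frozenset({CAP_NET_BIND_SERVICE, CAP_DAC_OVERRIDE, CAP_SYS_ADMIN})


@dataclass(frozen=True)
class ProcessCaps:
    permitted: frozenset      # potential privilege set
    effective: frozenset      # active privilege set
    inheritable: frozenset
    bounding: frozenset       # ceiling that execve can never raise above
    ambient: frozenset = frozenset()


@dataclass(frozen=True)
class FileCaps:
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: bool = False   # file "effective" bit: raise new permitted into effective


def caps_after_fork(parent: ProcessCaps) -> ProcessCaps:
    """fork(): the child is an exact copy of the parent's privilege sets."""
    return ProcessCaps(parent.permitted, parent.effective, parent.inheritable,
                       parent.bounding, parent.ambient)


def caps_after_exec(proc: ProcessCaps, file: FileCaps) -> ProcessCaps:
    """execve(): combine the process sets with the file's marked privileges."""
    privileged_file = bool(file.permitted or file.inheritable)
    new_ambient = frozenset() if privileged_file else proc.ambient
    new_permitted = ((proc.inheritable & file.inheritable)
                     | (file.permitted & proc.bounding)
                     | new_ambient)
    new_effective = new_permitted if file.effective else new_ambient
    return ProcessCaps(new_permitted, new_effective, proc.inheritable,
                       proc.bounding, new_ambient)


def retain_only(proc: ProcessCaps, required: frozenset) -> ProcessCaps:
    """Least privilege in practice: keep only what the task needs.

    Dropping from the permitted set is permanent for this process image, and
    the other sets are clipped so none exceeds the new permitted set.
    """
    permitted = proc.permitted & required
    return ProcessCaps(permitted,
                       proc.effective & permitted,
                       proc.inheritable & permitted,
                       proc.bounding,
                       proc.ambient & permitted)


def unprivileged_parent() -> ProcessCaps:
    """Constructed sample: a normal user process with a full bounding set."""
    return ProcessCaps(frozenset(), frozenset(), frozenset(), ALL_CAPS)


def run_web_server(parent: ProcessCaps, bounding: frozenset = ALL_CAPS) -> ProcessCaps:
    """Fork, then exec a file marked CAP_NET_BIND_SERVICE with the effective bit set."""
    child = caps_after_fork(ProcessCaps(parent.permitted, parent.effective,
                                        parent.inheritable, bounding, parent.ambient))
    marked = FileCaps(permitted=frozenset({CAP_NET_BIND_SERVICE}), effective=True)
    return caps_after_exec(child, marked)


if __name__ == "__main__":
    after = run_web_server(unprivileged_parent())
    print("effective after exec:", sorted(after.effective))      # only CAP_NET_BIND_SERVICE
    print("after dropping:", sorted(retain_only(after, frozenset()).effective))
```

The two places where the model is easiest to get wrong in real deployments are also the ones the article warns about: a file capability outside the process's bounding set is silently discarded rather than granted, and an unmarked file executed by a process with ambient capabilities keeps those capabilities active, which is exactly the kind of interaction that makes adherence to the model error-prone.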
