2003 USENIX Security [1]:
Services that require special privilege for their operation are critically sensitive. A programming error here may allow an adversary to obtain and abuse the special privilege.
Privilege Separation: a generic approach to limit the scope of programming bugs. The basic principle of privilege separation is to reduce the amount of code that runs with special privilege without affecting or limiting the functionality of the service. This narrows the exposure to bugs in code that is executed with privileges.
Ideally, the only consequence of an error in a privilege separated service is denial of service to the adversary itself.
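A minimal illustration of the split described above, added here as an example and not code from the paper: a privileged monitor and an unprivileged child joined by a socketpair, where the child can only ask the monitor for one narrowly validated operation. The served directory, the unprivileged uid and the JSON request format are constructed assumptions.

```python
import json
import os
import socket

# Constructed assumptions for the demo: where logs live and which uid the child drops to.
SERVED_DIR = "/tmp/privsep-demo"
UNPRIV_UID = 65534  # "nobody" on many systems (assumption)

def validate_name(name):
    """Policy check for the one argument the child may supply."""
    bad = not name or "/" in name or name.startswith(".") or "\x00" in name
    return None if bad else name

def handle_request(req, served_dir=SERVED_DIR):
    """Monitor side: the only code that keeps privilege. It accepts one narrow
    operation, validates it, and hands back a descriptor (never a path), so a
    compromised child can obtain only what the policy already allows."""
    if req.get("op") != "open_log":
        return {"ok": False, "err": "unknown op"}, None
    name = validate_name(req.get("name", ""))
    if name is None:
        return {"ok": False, "err": "bad name"}, None
    fd = os.open(os.path.join(served_dir, name),
                 os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    return {"ok": True}, fd

def drop_privileges():
    """Child side: shed root before parsing any untrusted input."""
    if os.geteuid() == 0:
        os.chroot(SERVED_DIR); os.chdir("/")
        os.setgroups([]); os.setgid(UNPRIV_UID); os.setuid(UNPRIV_UID)

def main():
    os.makedirs(SERVED_DIR, exist_ok=True)
    mon, child = socket.socketpair()
    if os.fork() == 0:  # unprivileged child: all untrusted work happens here
        mon.close(); drop_privileges()
        for req in ({"op": "open_log", "name": "access.log"},
                    {"op": "open_log", "name": "../etc/shadow"}):
            child.sendall(json.dumps(req).encode() + b"\n")
            data, fds, _, _ = socket.recv_fds(child, 4096, 1)
            print("child:", data.decode().strip(), "fds:", fds)
            for fd in fds: os.write(fd, b"written by the unprivileged child\n")
        os._exit(0)
    child.close()  # privileged monitor: answers requests, passes fds via SCM_RIGHTS
    for line in mon.makefile("rb"):
        reply, fd = handle_request(json.loads(line))
        msg = json.dumps(reply).encode() + b"\n"
        socket.send_fds(mon, [msg], [fd]) if fd is not None else mon.sendall(msg)
        if fd is not None: os.close(fd)
    os.wait()

if __name__ == "__main__":
    main()
```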
Reference: