Privilege Separation

Unprivileged slave created by monitor:
- Fork process.
- Chroot to an empty directory with no rights to create files.
- Set UID and GID to unused IDs.
- Child uses IPC via socketpair for communication with monitor.

Privileged parent can be modeled as a finite-state machine:
- Monitor accepts requests and executes them if they are allowed.
- Set of allowed actions changes with the state of the machine.