concept

Least Privilege

A security principle that grants each user, service, or process only the minimum access it needs to do its job and nothing more.

Least privilege is a security principle that states every user, service, or process should have access to exactly what it needs to function and nothing beyond that.

Why it matters for a home lab

Self hosted infrastructure is a collection of interconnected services, each with access to parts of the underlying system. A media server that can write to every folder on the machine has far more access than it needs. A user account that can administer every service is more powerful than is necessary for day to day use.

The principle of least privilege keeps the blast radius of any failure small. If a service is misconfigured or compromised, the damage is limited to what that service had permission to reach. A container that only has access to a single directory cannot touch anything outside it.

What this looks like in practice

In a Docker home lab, least privilege means mounting only the specific volumes a container needs, not the entire file system. It means running containers as non-root users where the application supports it. It means not exposing management interfaces to the public internet when they only need to be accessible on the local network.

When granting remote access via a VPN, the same logic applies. A device enrolled in a tailnet to check Home Assistant does not need access to every other service on the network. Tailscale supports access control rules that limit exactly which devices can reach which services.

Least privilege is not a one time decision. It is something to revisit as a home lab grows and new services are added.