Actual user ID, valid user ID, and set user ID for saving

Source: Internet
Author: User
Tags superuser permission

Actual user ID, valid user ID, and save Set user ID real user ID: the actual user ID, which is the valid user ID of the process executor, saved set-user-ID: Save the set user ID as a copy of the valid user ID, you can restore the original effectiv user ID after executing the exec call. the above three IDs are relative to the process. set-user-ID: set the user ID, which is relative to the file. sets the set-user-ID executable program. During execution, both the valid user ID and saved set-uesr-ID of the process are the user IDs of the program file, in some cases, the real user ID and valid user ID are not necessarily equal. such programs are called SUID programs, which have special purposes. typical examples: passwd program and ping program. passwd program is Modify the user password. In this case, modify the/etc/passwd or the/etc/shadow file (if necessary). However, you do not have the permission to modify the two files. the passwd Program sets the set-user-ID bit, and all of the files are root. Therefore, the user generally has the root permission during execution. this is also true for the ping program, because the ping program requires the root permission to generate the original socket (raw. however, the general reason why users can use the ping program is that all ping programs are root users and it sets the set-user-ID bit. set the "set-user-ID" bits for an executable program: PPS @ FSSR: ~> Su root Password: FSSR:/home/pds # chown root suidFSSR:/home/pds # ll suid-rwxr-xr-x 1 root users 7702 suidFSSR: /home/PPS # chmod u + s suidFSSR:/home/pds # ll suid-rwsr-xr-x 1 root users 7702 suidFSSR: /home/pds # exitexit is relative to the set-user-ID executable program, which is called a non-SUID program, the real user ID is equal to the valid user ID. setuid can be used to modify the values of real user ID, valid user ID, and saved set-user-ID. this is the original function Type: int setuid (uid_t uid) 1. if the user (the currently called user) has the superuser permission, the real user ID, valid user ID, and saved set-user-ID are both set to the value of the uid parameter. 2. if the user does not have the superuser permission, the valid user ID is set to the value of the parameter uid only when the uid parameter is set to real user ID or saved set-user-ID, real user ID and saved set-user-ID remain unchanged; otherwise, an error is returned. this is a summary of several common Unix concepts. The following is an explanation. first, we need to clarify that these concepts are related to processes. real user ID indicates who actually executes the process. valid user ID is mainly used to verify the File Access Permissions obtained by the process during execution, that is to say, when a process accesses a file, it checks the permission of the process. E user ID ", saved set-user-ID is saved only when the valid user ID is changed. generally, the real user ID is the valid user ID of the process, but after the set-user-ID bit is set for the executable program to run, the valid user ID of a process becomes the owner user ID of the file, and the "saved set-user-ID" of the process becomes the "valid user ID" of the process ", that is, the owner user ID of the executable program. When the process executes some operations related to file access permissions, the system checks the valid user ID of the process. why is a "saved set-user-ID" required "? Because when the process does not have the superuser permission, when a process sets "valid user ID", it must compare the ID to be set with the "real user ID" or "saved set-user-ID" of the process. 1) If the process has superuser privileges, the setuid function sets the real user ID, valid user ID, and saved set-user-ID to uid.2) if the process does not have superuser privileges, but uid equals either the real user ID or the saved set-user-ID, setuidsets only the valid tive user ID to uid. the real user ID and the saved set-user-ID are not changed.3) If neither of these two conditions is true, errno is set to EPERM, and 1 is returned that is: 1) when a user has the superuser permission, the id set by the setuid function takes effect for all three. 2) otherwise, this id takes effect only when the ID is real user ID or saved set-user-id. 3) otherwise, the setuid function call fails. that is to say, this saved set-user-ID is more effective when the process switches its own valid user ID. note that there is no API to obtain the saved set-user-ID of a process. It only works when the system calls the setuid function. the original words about this in APUE2 are as follows: Note that we can obtain only the current value of the real user ID and the valid user ID with the functions getuid andgeteuid from Section 8.2. we can't obtain the current value of the saved set-user-ID. let's give an example to illustrate the problem. In this case, there are two users A and B in the system, and one executable program proc created by B, the set-user-id bit of the executable program has been set. when user A executes the program proc, the real user ID of the program is the user ID of A, valid user ID = B, and saved set-user-ID = B. if the process ends operations on some files restricted to access by user B, the Program sets the valid user ID back to A, that is, at this time: real user ID = user ID of A, valid tive user ID = user ID of A, and saved set-user-ID = user ID of B. the reason for this change is that the above-mentioned situation 2): This ID is the real user ID of the process. finally, it is assumed that the process needs to switch the valid user ID to B again for various reasons, but because the saved set-user-ID of the process cannot be obtained through the API (the user ID with the value of B ), therefore, you can only obtain this information through two ways (there may be another way): a. Save the valid user ID before setting the valid user ID to A. Its value is the user ID of B. b) Call the getpwnam ("B") function. In the returned struct passwd * pointer, the member pw_uid stores the ID of user B. in this way, the call to setuid (user ID of B) will be successful, because it is also in the case described above 2): The ID is the same as the saved set-user-ID of the process. the explanations of these values in APUE2 are involved in section4.4 and section8.11.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.