Real user ID, effective user ID, and saved set-user-ID

Source: Internet
Author: User
Tags: superuser permission

Several common Unix concepts are explained below.

First, note that these concepts belong to a process. The real user ID records who actually executes the process. The effective user ID is the one used to check file access permissions while the process runs; that is, when the process accesses a file, the ID the system actually checks is the process's effective user ID. The saved set-user-ID keeps a copy of the effective user ID from the moment the effective user ID changed.

Normally the effective user ID of a process equals its real user ID. However, when an executable program with the set-user-ID bit set is run, the effective user ID of the process becomes the user ID of the file's owner, and the saved set-user-ID of the process is set to that new effective user ID, that is, the owner user ID of the executable program. Whenever this process performs an operation that depends on file access permissions, the system checks its effective user ID.

Why is a saved set-user-ID needed? When a process does not have superuser privileges, it can only set its effective user ID to a value it is entitled to, namely its real user ID or its saved set-user-ID.

The explanation in apue2 is as follows:
1) If the process has superuser privileges, the setuid function sets the real user ID, effective user ID, and saved set-user-ID to uid.
2) If the process does not have superuser privileges, but uid equals either the real user ID or the saved set-user-ID, setuid sets only the effective user ID to uid. The real user ID and the saved set-user-ID are not changed.
3) If neither of these two conditions is true, errno is set to EPERM, and -1 is returned.
That is to say:
1) When the process has superuser privileges, the ID passed to setuid takes effect for all three IDs.
2) Otherwise, the call takes effect only when the requested ID equals the real user ID or the saved set-user-ID, and then only the effective user ID changes.
3) Otherwise, the setuid call fails.

In other words, the saved set-user-ID is what makes it possible for a process to switch its own effective user ID back and forth.

Note that there is no API for obtaining the saved set-user-ID of a process; it is consulted only inside the setuid system call.
In apue2, the original statement on this point is as follows:
Note that we can obtain only the current value of the real user ID and the effective user ID with the functions getuid and geteuid from Section 8.2. We can't obtain the current value of the saved set-user-ID.


Let's take an example to illustrate the problem. The system has two users, A and B, and one executable program proc created by B, with its set-user-ID bit set.

When user A executes the program proc:
real user ID = user ID of A, effective user ID = user ID of B, saved set-user-ID = user ID of B.

After the process has finished its operations on files that only user B may access, the program sets the effective user ID back to A, so that at this point:
real user ID = user ID of A, effective user ID = user ID of A, saved set-user-ID = user ID of B.

This change is permitted by case 2) above: the requested ID is the real user ID of the process.

Finally, suppose that for whatever reason the process needs to switch its effective user ID back to B. Because the saved set-user-ID of the process (the value holding B's user ID) cannot be obtained through an API, B's user ID can be recovered in only two ways (there may be others):
A) Save the effective user ID before setting it to A; its value is the user ID of B.
B) Call getpwnam("B"); in the returned struct passwd pointer, the member pw_uid holds the user ID of B.
Either way, the call setuid(user ID of B) succeeds, because it is again case 2) above: the requested ID equals the saved set-user-ID of the process.
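To make the three setuid rules and the A/B scenario concrete, here is an added example (not from the original post or from apue2) that models the three IDs and the setuid rules as a plain C user-space simulation, so it runs without a real set-user-ID binary; the struct, the model_ functions and the sample user IDs are all constructed here.

```c
#include <errno.h>
#include <sys/types.h>

/* One process's three user IDs, as described in apue2 section 8.11. */
struct cred {
    uid_t ruid;  /* real user ID: who actually ran the process */
    uid_t euid;  /* effective user ID: the one checked on file access */
    uid_t suid;  /* saved set-user-ID: copied from euid at exec time */
};

/* Model of exec() of a set-user-ID file owned by `owner`: the effective and
 * saved IDs become the owner, the real ID is unchanged. */
void model_exec_setuid(struct cred *c, uid_t owner)
{
    c->euid = owner;
    c->suid = owner;
}

/* Model of setuid(uid) following the three apue2 rules quoted above.
 * Returns 0 on success, -1 with errno = EPERM on failure. */
int model_setuid(struct cred *c, uid_t uid)
{
    if (c->euid == 0) {                     /* rule 1: superuser sets all three */
        c->ruid = c->euid = c->suid = uid;  /* note: this is irreversible */
        return 0;
    }
    if (uid == c->ruid || uid == c->suid) { /* rule 2: effective ID only */
        c->euid = uid;
        return 0;
    }
    errno = EPERM;                          /* rule 3: neither matched */
    return -1;
}

/* Walks the A/B scenario from the text (a and b are constructed sample uids).
 * Returns 1 if every step behaves as described, 0 otherwise. */
int run_ab_scenario(uid_t a, uid_t b)
{
    struct cred c = { a, a, a };            /* user A's process before running proc */
    model_exec_setuid(&c, b);               /* proc is owned by B, set-user-ID bit on */
    if (c.ruid != a || c.euid != b || c.suid != b) return 0;
    uid_t remembered = c.euid;              /* way A): save B's ID before dropping */
    if (model_setuid(&c, a) != 0) return 0;           /* rule 2: uid == ruid */
    if (c.ruid != a || c.euid != a || c.suid != b) return 0;
    if (model_setuid(&c, 4242) == 0) return 0;        /* rule 3: unrelated uid must fail */
    if (model_setuid(&c, remembered) != 0) return 0;  /* rule 2: uid == suid, back to B */
    return c.euid == b && c.ruid == a && c.suid == b;
}
```

Running the same scenario with A as the superuser (real user ID 0) fails at the unrelated-uid step, because rule 1 then rewrites all three IDs and the switch back to B is no longer possible. On Linux and the BSDs the non-portable getresuid call does expose the saved set-user-ID for inspection, but the portable apue2 advice above still stands.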

These values are explained in apue2 in Section 4.4 and Section 8.11.

