Reposted from http://blog.csdn.net/todd911/article/details/16370577
In UNIX systems, privileges are based on user and group IDs. When a program needs to gain privileges or access a resource that it currently cannot, it has to change its user ID or group ID so that the new ID has the required privileges or access rights. Likewise, when a program needs to drop privileges or prevent access to certain resources, it also changes its user ID or group ID so that the new ID lacks those privileges or the ability to access those resources.
The real user ID and effective user ID can be set with the setuid function; similarly, the real group ID and effective group ID can be set with the setgid function.

    #include <unistd.h>
    int setuid(uid_t uid);
    int setgid(gid_t gid);

Both functions return 0 on success and -1 on error.
POSIX.1 also defines two functions, seteuid and setegid, which are similar to setuid and setgid but change only the effective user ID and effective group ID.

    #include <unistd.h>
    int seteuid(uid_t uid);
    int setegid(gid_t gid);

Both functions return 0 on success and -1 on error.
The rules for changing the user ID are as follows (everything said here about the user ID applies equally to the group ID):
1. If the process has superuser privileges, the setuid function sets the real user ID, the effective user ID, and the saved set-user-ID to uid.
2. If the process does not have superuser privileges but uid equals either the real user ID or the saved set-user-ID, setuid sets only the effective user ID to uid; the real user ID and the saved set-user-ID are not changed.
3. If neither of the above conditions holds, errno is set to EPERM and -1 is returned.
Note the following points about the three user IDs maintained by the kernel:
1. Only a superuser process can change the real user ID. Normally the real user ID is set by the login program when the user logs in and never changes afterwards.
2. The exec functions set the effective user ID only if the set-user-ID bit is set on the program file. setuid can be called at any time to set the effective user ID to either the real user ID or the saved set-user-ID; naturally, the effective user ID cannot be set to an arbitrary value.
3. The saved set-user-ID is a copy of the effective user ID made by exec: if the file's set-user-ID bit is set, exec first sets the process's effective user ID from the file's owner and then saves a copy of it.
The following table lists the different ways to change these three user IDs.
The following is an example of how the saved set-user-ID is used.
The man program may have to run many other commands to process the files containing the manual pages it needs to display. To prevent those commands from being tricked into running incorrectly or from overwriting the wrong files, man has to switch between two sets of permissions: those of the user running the man command and those of the user who owns the man executable. The steps are as follows:
1. The man program file is owned by a user named man and has its set-user-ID bit set. When we exec this program, the user IDs are:
   real user ID = our user ID
   effective user ID = man
   saved set-user-ID = man
2. The man program accesses the configuration files and manual pages it needs, which are owned by user man; because the effective user ID is man, it can access these files.
3. Whenever man runs a command on our behalf, it calls setuid with our user ID as the argument. Because we are not a superuser process, this changes only the effective user ID. Now:
   real user ID = our user ID
   effective user ID = our user ID (changed)
   saved set-user-ID = man
The man process now runs with our user ID as its effective user ID, so it can safely execute any filter program on our behalf.
4. When the filter operation finishes, man calls setuid(euid), where euid is the numeric user ID of user man. Because the setuid argument equals the saved set-user-ID, the call is allowed. Now:
   real user ID = our user ID
   effective user ID = man (changed)
   saved set-user-ID = man
5. Because man's effective user ID is again man, it can now manipulate its own files.
These steps are rather complicated ...
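The three setuid rules and the man walkthrough above, as an added example that is not part of the original post: model_setuid applies the rules to a model of the kernel's three IDs and replays steps 3 and 4 (our user ID 1000 and user man as UID 6 are constructed placeholder values), while drop_to_real_uid performs the real step-3 call on the running process. Superuser privilege is modelled as effective UID 0, which is an assumption of the model.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The three user IDs the kernel keeps for a process (a model, not the real kernel). */
struct uids { uid_t real, effective, saved; };

/* Model of the three setuid() rules. Superuser privilege is modelled as
 * effective UID 0. Returns 0 on success, or -1 with errno set to EPERM. */
int model_setuid(struct uids *p, uid_t uid)
{
    if (p->effective == 0) {                   /* rule 1: all three IDs change */
        p->real = p->effective = p->saved = uid;
        return 0;
    }
    if (uid == p->real || uid == p->saved) {   /* rule 2: only the effective ID changes */
        p->effective = uid;
        return 0;
    }
    errno = EPERM;                             /* rule 3: not permitted */
    return -1;
}

/* Real call on the running process: drop the effective UID to the real UID,
 * as man does in step 3. Allowed for any process, since uid == real UID. */
int drop_to_real_uid(void)
{
    if (seteuid(getuid()) == -1)
        return -1;
    return geteuid() == getuid() ? 0 : -1;
}

static void show(const char *when, const struct uids *p)
{
    printf("%s: real=%u euid=%u saved=%u\n", when,
           (unsigned)p->real, (unsigned)p->effective, (unsigned)p->saved);
}

int main(void)
{
    /* Constructed IDs: "our" user is 1000 and user man is 6 (placeholder numbers). */
    struct uids p = { 1000, 6, 6 };            /* state right after exec of man (step 1) */
    model_setuid(&p, 1000);                    /* step 3: euid -> our user ID */
    show("after step 3", &p);
    model_setuid(&p, 6);                       /* step 4: euid -> man, allowed via saved ID */
    show("after step 4", &p);
    if (model_setuid(&p, 4242) == -1)          /* any other UID is refused (rule 3) */
        perror("setuid(4242)");
    printf("this process: drop_to_real_uid() = %d\n", drop_to_real_uid());
    return 0;
}
```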
Change user ID and group ID