Verifying a file's access to a process includes two parts, one that determines the role of the process (which user or group it belongs to), and the other is whether the corresponding role has permissions for the action.
First look at the first part. By default, a valid role for a process is the user who is currently executing the process and the group in which it resides. However, the file has set the user ID bit and set the group ID bit (Stat.st_mode s_isuid and S_isgid) to change this default behavior and set the active role of the process to the user and group to which the file belongs. This is primarily used to resolve that the user or group executing the process does not have permission to modify the file, but has to modify the file. For example,/etc/passwd is used to set the user ID bit because passwd allows any user to modify his or her password, and only Superuser has write access to the file, so the user ID position must be set when the normal user executes the passwd change password. Just keep in mind that the role of a process can only be the user who executes it or the file it is working on.
Permissions for files include R (read), W (write), and X (execute) for users, groups, and other roles. When you examine permissions according to the process role, there are two types of file rights checksum and directory permission checksums. File permission verification is relatively simple, in the open file to perform the operation of the file (O_rdonly, o_wronly and O_RDWR), or to execute a file, as long as the right to determine whether it can, the specific rules after the article. The directory also has permissions, primarily restricting the operations of the files to which it belongs, including:
1. If you want to open a file, you must have execute permissions on all directories in the file path (that is, if the search file requires permission to execute the directory), such as opening file/home/work/foo, you must have execute permissions on/,/home and/home/work three directories.
2. To delete or add a file from a directory, you must have write and execute permissions on the directory, and you do not need to have permission on the file to delete the file.
3. To get all the files in a directory, you need to have read permissions on the directory.
When you open, create, and delete files, the kernel checks for access rights, as follows:
1. Access is allowed if the active user ID of the process is 0 (that is, a superuser).
2. If the active user ID of the process is equal to the owner ID of the file (that is, the process owns the file), verify that the owner has permission to do the operation, or deny it if it has that permission.
3. If the valid group ID of the process is the group ID of the file, verify that the group has permission to do so, or deny it if it has that permission.
4. Perform permission checks on other roles, and if you have this permission, access is denied.
This test method uses a valid user ID and group ID for the process, and access allows you to test whether the actual user ID and group ID of the process have that permission. However, you can only test and not use the actual role for a file operation.
When you create a file, you need to determine the ownership of the file. The user of this file is a valid user of the process, while group Id,posix allows two implementations:
1. The group ID of the new file is a valid group ID for the process.
2. The group ID of the new file is the group ID of the directory in which it resides.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
