Linux process identifier specific explanation 1

Last Update:2017-04-25 Source: Internet

Author: User

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

each process has an actual user identifier and an actual group identifier , which is always the user identifier and group identifier of the user who started the process.

A valid user identifier and valid group identifier for a process may be more important, and they are used to determine whether a user is able to access a certain file. In general, they are consistent with the actual user identifier and the actual group identifier.

There are several system calls that can be used to get the user identifier and group identifier of the process, as described in the following procedure:

/* Fetch the actual user identifier for the process */
Uid=getuid ();
/* Take a valid user identifier for the process */
Euid=geteuid ();
/* Take the actual group identifier for the process */
Gid=getgid ();
/* Fetch valid group identifier for process */
Egid=getegid ();
In addition, there are two system calls that can be used to set a valid user identifier and a valid group identifier for the process, using the following format:
/* Set a valid user identifier for the process */
Status=setuid (NEWUID);
/* Set a valid group identifier for the process */
Status=setgid (NEWID)

Called through these two systems. The process can change its own identifiers, and thus change its own permissions (since permissions in Linux are inferred from identifiers).

For example, a process created by a root can discard some of the root permissions in such a way as to retain only the permissions required for the job.

This can improve the security of the system.

<span style= "FONT-SIZE:14PX;" > #include <stdio.h> #include <unistd.h> #include <sys/types.h> #include <fcntl.h> #include <stdlib.h>int Main (int argc,char* argv[]) {int fd;fd = fork (), switch (FD) {case-1:{perror ("fork"); exit ( -1);} break Case  0:{  //START process user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ());//set User ID to 1000. change user Rights setuid (1000);//changed user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ());//root User Talent View Shadow file, Test permissions Change EXECLP ("Cat", "cat", "/etc/shadow", NULL);} break;default:{//START process user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ());//root User Talent View Shadow file EXECLP ("Cat" , "Cat", "/etc/shadow", NULL);} break;} return 0;} </span>

To execute the result under root privileges:

[Email protected] file]#./a.out
Uid=0,euid=0
uid=1000,euid=1000
Cat:/etc/shadow: Insufficient permissions
Uid=0,euid=0
root:$ $MG 0tts8ywcpokmrg$tvrzqkq6ik52ucasgfhimkdvhb7zp.rpqd5go/1w07eyqj0jgue9s/uijutyyyqa9irm2vwj7r.dway.5ixip0 : 15195:0:99999:7:::
Bin:*:14789:0:99999:7:::

However, it is important to note that once the root process abandons the root privilege in this way, it will no longer be able to get root again through the setuid () call, because a process with a non-root identifier cannot set the root identifier. The two other systems that can use Linux are then called Seteuid () and Setegid (). It is called in exactly the same way as the first two. However, they are based on the identifier of the process program file to infer the setting. As a result, a root program file can seteuid itself again () to root at any time.

<span style= "FONT-SIZE:14PX;" > #include <stdio.h> #include <unistd.h> #include <sys/types.h> #include <fcntl.h> #include <stdlib.h>int Main (int argc,char* argv[]) {//START process user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ());// Set the user ID to 1000. change user Rights setuid (1000);//changed user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ());//set User ID to 0, change user rights to Rootif (-1 = = setuid (0)) {perror ("setuid to Root"); exit (-1);} Changed user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ()); return 0;} </span>

Root execution results:

[Email protected] file]#./a.out
Uid=0,euid=0
uid=1000,euid=1000
Setuid to Root:operation not permitted

<span style= "FONT-SIZE:14PX;" > #include <stdio.h> #include <unistd.h> #include <sys/types.h> #include <fcntl.h> #include <stdlib.h>int Main (int argc,char* argv[]) {//START process user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ());// Set the user ID to 1000. change user Rights setuid (1000);//change user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ());//set User ID to 1000, change user rights to self if (-1 = = setuid (+)) {perror ("setuid to Root"); exit (-1);} Changed user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ()); return 0;} </span>

Execution Result:

The above example shows that a process that is not referenced by a superuser can only set its valid user and valid group identifiers again to the de facto user identifier and the actual group identifier.

Processes referenced by the superuser are free to set their valid user identifiers and valid group identifiers.

Use Setuid () above to permanently change permissions. Now use Seteuid () to temporarily change user permissions:

#include <stdio.h> #include <unistd.h> #include <sys/types.h> #include <fcntl.h> #include < Stdlib.h>int Main (int argc,char* argv[]) {//START process user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ());// Set a valid user ID of 1000. Temporarily change user Rights seteuid (1000);//change user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ());//Set valid user ID to 0, change user permissions for own if ( -1 = = setuid (0)) {perror ("setuid to Root"); exit (-1);} Changed user ID and valid user idprintf ("uid=%d,euid=%d\n", Getuid (), Geteuid ()); return 0;}

Execution Result:

#./a.out

Uid=0,euid=0

uid=0,euid=1000

Uid=0,euid=0

[Email protected] file]#./a.out
Uid=0,euid=0
uid=0,euid=1000
Uid=0,euid=0[[email protected] file]#./a.out
Uid=0,euid=0
uid=0,euid=1000
Uid=0,euid=0

[Email protected] file]#./a.out
Uid=0,euid=0
uid=1000,euid=1000
Uid=1000,euid=1000[[email protected] file]#./a.out
Uid=0,euid=0
uid=1000,euid=1000
Uid=1000,euid=1000[[email protected] file]#./a.out
Uid=0,euid=0
uid=1000,euid=1000
Uid=1000,euid=1000[[email protected] file]#./a.out
Uid=0,euid=0
uid=1000,euid=1000
Uid=1000,euid=1000[[email protected] file]#./a.out
Uid=0,euid=0
uid=1000,euid=1000
uid=1000,euid=1000

Linux process identifier specific explanation 1

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More

Linux process identifier specific explanation 1

Contact Us

What's Trending

Top 10 Tags

Top 10 Keywords

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support

Linux process identifier specific explanation 1

Contact Us

What's Trending

Top 10 Tags

Top 10 Keywords

Trending Topic

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support