Process control: Changing the User ID and Group ID

Source: Internet
Author: User
Tags: least privilege

1. Changing the user ID and group ID

1.1. Set-user-ID and set-group-ID

A process has six or more IDs associated with it:

ID                                                         Meaning
Real user ID, real group ID                                Who we really are
Effective user ID, effective group ID, supplementary group IDs   Used for file access permission checks
Saved set-user-ID, saved set-group-ID                      Saved by the exec functions

The real user ID and real group ID identify who we really are. These two values are taken from our entry in the password file when we log in.

The effective user ID, effective group ID, and supplementary group IDs determine our file access permissions.

The saved set-user-ID and saved set-group-ID contain copies of the effective user ID and effective group ID, made when a program is executed.

When a program file is executed, the effective user ID of the process is normally the real user ID, and the effective group ID is the real group ID. However, a special bit in the file's mode word (st_mode) means "when this file is executed, set the effective user ID of the process to the user ID of the file's owner (st_uid)". Similarly, another bit in st_mode sets the effective group ID of the process executing the file to the file's group owner ID (st_gid). These two bits in the file mode are called the set-user-ID bit and the set-group-ID bit.

1.2. File Access Permissions

The st_mode value also encodes the access permissions of the file. The nine permission bits are defined in <sys/stat.h>:

st_mode mask   Meaning
S_IRUSR        user-read
S_IWUSR        user-write
S_IXUSR        user-execute
S_IRGRP        group-read
S_IWGRP        group-write
S_IXGRP        group-execute
S_IROTH        others-read
S_IWOTH        others-write
S_IXOTH        others-execute

The chmod(1) command modifies these nine permission bits; it uses u for the user (owner), g for the group, and o for others. Each time a process opens, creates, or deletes a file, the kernel compares the file's owner IDs (st_uid and st_gid) with the process's effective IDs (effective user ID and effective group ID) and its supplementary group IDs (if supported). The two owner IDs are attributes of the file; the two effective IDs and the supplementary group IDs are attributes of the process. The kernel runs the following tests in order, and the first test that applies decides the result:

1) If the effective user ID of the process is 0 (the superuser), access is allowed.

2) If the effective user ID of the process equals the owner ID of the file (the process owns the file), access is allowed if the appropriate owner permission bit is set; otherwise it is denied.

3) If the effective group ID of the process, or one of its supplementary group IDs, equals the group ID of the file, access is allowed if the appropriate group permission bit is set; otherwise it is denied.

4) Otherwise, access is allowed if the appropriate permission bit for others is set; otherwise it is denied.

Because the tests stop at the first applicable class, an owner whose owner bits deny access is refused even if the group or other bits would have allowed it.

 

1.3. setuid and setgid functions

In UNIX systems, privileges are based on user and group IDs. When a program needs additional privileges, or access to resources it is not currently allowed to use, it changes its user ID or group ID so that the new ID has the appropriate privileges or access. Similarly, when a program needs to lower its privileges or give up access to certain resources, it changes its user ID or group ID so that the new ID no longer has them.

In general, an application should follow the least-privilege model: run with the lowest set of IDs that still lets it do its job, and hold elevated IDs only for as long as they are needed. The setuid function sets the real user ID and the effective user ID; the setgid function sets the real group ID and the effective group ID.

#include <unistd.h>

int setuid(uid_t uid);

int setgid(gid_t gid);

 

Rules for changing the user IDs:

1) If the process has superuser privileges, setuid sets the real user ID, effective user ID, and saved set-user-ID to uid.

2) If the process does not have superuser privileges, but uid equals either the real user ID or the saved set-user-ID, setuid sets only the effective user ID to uid. The real user ID and the saved set-user-ID are not changed.

3) If neither of the preceding conditions is met, errno is set to EPERM and -1 is returned.

 

Note the following points about the three user IDs maintained by the kernel:

1) Only a superuser process can change the real user ID. The real user ID is normally set by the login program when we log in and never changes during the login session. Because login is a superuser process, when it calls setuid it sets all three user IDs.

2) The exec functions set the effective user ID only if the set-user-ID bit of the program file is set. A process can call setuid at any time to set its effective user ID to either its real user ID or its saved set-user-ID.

3) The saved set-user-ID is copied from the effective user ID by exec. If the set-user-ID bit of the program file is set, this copy is made after exec has set the effective user ID from the owner of the file.

Note: the getuid and geteuid functions return only the current values of the real user ID and effective user ID; POSIX.1 has no function that returns the saved set-user-ID (Linux and FreeBSD provide the non-standard getresuid for this). The three user IDs can be changed in the following ways:

ID                  exec, set-user-ID bit off   exec, set-user-ID bit on   setuid(uid), superuser   setuid(uid), unprivileged
real user ID        unchanged                   unchanged                  set to uid               unchanged
effective user ID   unchanged                   set to st_uid of program file   set to uid          set to uid
saved set-user-ID   copied from effective UID   copied from effective UID  set to uid               unchanged
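The setuid rules and the exec table above, turned into a small model so the two cases that matter for least privilege can be traced: a set-user-ID-root program calling setuid(getuid()) drops root for good (rule 1 rewrites all three IDs), whereas a set-user-ID program owned by an unprivileged account calling the same thing only changes its effective ID (rule 2), leaving the saved set-user-ID to bring the privilege back. This is an added example, not code from the original page; the struct ids type, the model_* functions and the scenario functions are this example's own, and the uids 1000 and 500 are constructed values.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* The three user IDs the kernel keeps per process (see the table above). */
struct ids {
    uid_t real;   /* real user ID */
    uid_t eff;    /* effective user ID */
    uid_t saved;  /* saved set-user-ID */
};

/* Model of setuid(2) from the three rules in the text:
 *   1. superuser (effective UID 0): all three IDs become uid
 *   2. unprivileged and uid == real or uid == saved: only the effective ID changes
 *   3. otherwise: EPERM and nothing changes */
int model_setuid(struct ids *p, uid_t uid)
{
    if (p->eff == 0) {
        p->real = p->eff = p->saved = uid;
        return 0;
    }
    if (uid == p->real || uid == p->saved) {
        p->eff = uid;
        return 0;
    }
    errno = EPERM;
    return -1;
}

/* Model of seteuid(2): only the effective ID changes, under the same
 * privilege test (superuser, or uid equal to the real or saved ID). */
int model_seteuid(struct ids *p, uid_t uid)
{
    if (p->eff == 0 || uid == p->real || uid == p->saved) {
        p->eff = uid;
        return 0;
    }
    errno = EPERM;
    return -1;
}

/* Model of what exec does to the IDs: with the set-user-ID bit off the
 * effective ID is unchanged, with it on the effective ID becomes the file
 * owner; in both cases the saved set-user-ID is then a copy of the
 * effective ID. */
void model_exec(struct ids *p, int setuid_bit, uid_t file_owner)
{
    if (setuid_bit)
        p->eff = file_owner;
    p->saved = p->eff;
}

/* User 1000 runs a set-user-ID-root program that calls setuid(getuid()).
 * Returns 1 if the drop is permanent, i.e. root cannot be regained. */
int root_setuid_drop_is_permanent(void)
{
    struct ids p = { 1000, 1000, 1000 };
    model_exec(&p, 1, 0);              /* exec a set-user-ID-root file */
    model_setuid(&p, p.real);          /* rule 1: all three IDs become 1000 */
    return model_seteuid(&p, 0) == -1; /* saved ID no longer holds root */
}

/* Same user runs a set-user-ID program owned by uid 500 (not root).
 * setuid(getuid()) is now rule 2: only the effective ID drops and the
 * saved set-user-ID still holds 500. Returns 1 if 500 can be regained. */
int nonroot_setuid_drop_is_temporary(void)
{
    struct ids p = { 1000, 1000, 1000 };
    model_exec(&p, 1, 500);
    model_setuid(&p, p.real);          /* eff = 1000, saved stays 500 */
    return model_seteuid(&p, 500) == 0 && p.eff == 500;
}

/* Rule 3: an unprivileged process cannot take on an unrelated uid. */
int unprivileged_setuid_to_other_uid_fails(void)
{
    struct ids p = { 1000, 1000, 1000 };
    int rc = model_setuid(&p, 2000);
    return rc == -1 && errno == EPERM &&
           p.real == 1000 && p.eff == 1000 && p.saved == 1000;
}

int main(void)
{
    printf("set-user-ID-root program, setuid(getuid()) is permanent: %d\n",
           root_setuid_drop_is_permanent());
    printf("set-user-ID-500 program, setuid(getuid()) is only temporary: %d\n",
           nonroot_setuid_drop_is_temporary());
    printf("unprivileged setuid(2000) fails with EPERM: %d\n",
           unprivileged_setuid_to_other_uid_fails());
    return 0;
}
```

The second scenario is the one that catches people: in a set-user-ID program not owned by root, setuid(getuid()) looks like a drop but is not one, because the saved set-user-ID is untouched and seteuid can restore it.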

 

POSIX.1 also includes two functions, seteuid and setegid. They are similar to setuid and setgid but change only the effective user ID and effective group ID; the real IDs and saved set IDs are left alone, which is what a set-user-ID program uses to give up its privilege temporarily and get it back later.

#include <unistd.h>

int seteuid(uid_t uid);

int setegid(gid_t gid);
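The least-privilege pattern this section describes, as an added example that is not code from the original page: seteuid suspends the privilege a set-user-ID program acquired and restores it from the saved set-user-ID, and setuid with effective UID 0 drops it permanently, preceded by setgroups and setgid (in that order, while we still have the privilege to make those calls) and followed by a verification that the old ID cannot be regained. The function names privilege_suspend, privilege_resume, privilege_drop_permanently and demo_suspend_resume_drop are this example's own; the demo drops to the IDs the process already has so that it also runs for an unprivileged user, whereas a real set-user-ID-root program would pass an unprivileged target account (for example from getpwnam).

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Temporarily give up the privilege a set-user-ID program acquired.
 * seteuid(2) changes only the effective user ID, so the saved set-user-ID
 * still holds the privileged ID and privilege_resume can get it back.
 * Returns 0 on success, -1 (with errno) on failure. */
int privilege_suspend(uid_t *saved_euid)
{
    *saved_euid = geteuid();
    return seteuid(getuid());
}

int privilege_resume(uid_t saved_euid)
{
    return seteuid(saved_euid);
}

/* Permanently drop to uid/gid. Order matters: supplementary groups first
 * (setgroups needs effective UID 0, so it is only attempted when we have
 * it), then the group ID, then the user ID last, because once the user ID
 * is gone the group changes would no longer be permitted. With effective
 * UID 0, setuid(2) rewrites all three user IDs (rule 1 in the text), so no
 * saved set-user-ID is left to return to. The result is then verified
 * instead of trusting the return codes alone. */
int privilege_drop_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* Verify: the IDs are what we asked for ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ... and, if we dropped to a non-root ID, root is not recoverable. */
    if (uid != 0 && seteuid(0) == 0) {
        errno = EPERM;  /* the saved set-user-ID still held root */
        return -1;
    }
    return 0;
}

/* Run the sequence for the IDs we already have, which makes it runnable by
 * an unprivileged user: suspend, resume, then drop permanently.
 * Returns 0 if every step succeeded. */
int demo_suspend_resume_drop(void)
{
    uid_t saved;
    if (privilege_suspend(&saved) == -1)
        return -1;
    if (privilege_resume(saved) == -1)
        return -1;
    return privilege_drop_permanently(getuid(), getgid());
}

int main(void)
{
    printf("before: real %u effective %u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (demo_suspend_resume_drop() == -1) {
        perror("privilege drop");
        return 1;
    }
    printf("after:  real %u effective %u (root regainable: %s)\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           seteuid(0) == 0 ? "yes" : "no");
    return 0;
}
```

To see the permanent drop do real work, install the compiled program set-user-ID root and run it as an ordinary user: the "before" line shows effective UID 0, the "after" line shows the real user's ID, and the final seteuid(0) fails.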

 

 
