Process Control: Changing User IDs and Group IDs

Source: Internet
Author: User
Tags: least privilege

In UNIX systems, privileges (such as being able to change the current date) and access control (such as being able to read or write a particular file) are based on user IDs and group IDs. When a program needs additional privileges, or needs to access resources that it is currently not allowed to access, it must change its user ID or group ID to one that has the appropriate privilege or access permission. Similarly, when a program needs to lower its privileges or prevent access to certain resources, it changes its user ID or group ID so that the new ID does not have the corresponding privilege or the ability to access those resources.

In general, when designing an application we try to follow the least-privilege model. Under this model, a program should have only the minimum privilege required to complete a given task. This reduces the chance that security can be compromised.

We can set the real user ID and the effective user ID with the setuid function. Similarly, we can set the real group ID and the effective group ID with the setgid function.

#include <unistd.h>

int setuid(uid_t uid);
int setgid(gid_t gid);

Both return: 0 if OK, -1 on error.

There are rules for who can change the IDs. Let's consider only the rules for changing the user ID for now (everything we describe for the user ID also applies to the group ID).

For the IDs associated with a process, see: http://www.cnblogs.com/nufangrensheng/p/3501832.html

(1) If the process has superuser privileges, the setuid function sets the real user ID, the effective user ID, and the saved set-user-ID to uid.

(2) If the process does not have superuser privileges, but uid equals either the real user ID or the saved set-user-ID, setuid sets only the effective user ID to uid. The real user ID and the saved set-user-ID are not changed.

(3) If neither of these two conditions is true, errno is set to EPERM and -1 is returned.

Note the following about the three user IDs that the kernel maintains:

(1) Only a superuser process can change the real user ID.

(2) The effective user ID is set by the exec functions only if the set-user-ID bit is set for the program file. If the set-user-ID bit is not set, the exec functions leave the effective user ID at its current value. We can call setuid at any time to set the effective user ID to either the real user ID or the saved set-user-ID (and we can only switch between these two). Naturally, the effective user ID cannot be set to any arbitrary value.

(3) The saved set-user-ID is copied from the effective user ID by exec. If the file's set-user-ID bit is set, this copy is saved after exec stores the effective user ID from the file's user ID.

Note: we cannot obtain the current value of the saved set-user-ID.
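The following program, added here as an illustration and not part of the book text or the original post, exercises rules (1) to (3) from both the unprivileged and the privileged side: setuid_allowed() is the decision logic of the three rules written out, try_setuid() reports the actual outcome of the system call, and drop_to_real_user() is the usual way a set-user-ID root program gives up its privilege. The function names are our own, and the uid 65534 used in main() is a constructed example of an ID that is normally neither the real nor the saved set-user-ID. One caveat a practitioner should keep in mind: only the superuser case, rule (1), makes the drop permanent. A set-user-ID program owned by a non-root user changes only its effective user ID under rule (2), its saved set-user-ID stays as it was, and the privilege can be regained with a later setuid.

```c
#define _XOPEN_SOURCE 700   /* make glibc declare the POSIX ID functions in strict modes */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure decision logic for rules (1)-(3): may a process with the given IDs
 * call setuid(target)? Returns 1 if the call would succeed, 0 if it would
 * fail with EPERM. */
int setuid_allowed(int is_superuser, uid_t real, uid_t saved, uid_t target)
{
    if (is_superuser)
        return 1;               /* rule (1): any uid; all three IDs are set */
    if (target == real || target == saved)
        return 1;               /* rule (2): only the effective ID changes */
    return 0;                   /* rule (3): EPERM */
}

/* Attempt setuid(target) and report the outcome: 0 on success, otherwise the
 * errno value (EPERM under rule (3)). */
int try_setuid(uid_t target)
{
    if (setuid(target) == 0)
        return 0;
    return errno;
}

/* Drop to the real user and group IDs, group first: once the effective user
 * ID is no longer 0 the process may not be allowed to change its group ID.
 * Afterwards verify with the portable get*id() calls (the saved set-user-ID
 * itself cannot be read back portably). Returns 0 on success, -1 with errno
 * set on failure or if the effective IDs did not end up as requested. */
int drop_to_real_user(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    if (geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    printf("start:      real=%u effective=%u\n", (unsigned)getuid(), (unsigned)geteuid());

    if (drop_to_real_user() < 0) {
        perror("drop_to_real_user");
        return 1;
    }
    printf("after drop: real=%u effective=%u\n", (unsigned)getuid(), (unsigned)geteuid());

    /* Constructed example: 65534 is the conventional "nobody" uid. For an
     * ordinary user it is neither the real nor the saved set-user-ID. */
    uid_t other = 65534;
    int rc = try_setuid(other);
    if (rc == 0)
        printf("setuid(%u) succeeded: allowed by rule (1) or (2)\n", (unsigned)other);
    else
        printf("setuid(%u) failed: %s, rule (3)\n", (unsigned)other, strerror(rc));
    return 0;
}
```

Run as an ordinary user the last call fails with EPERM; run as root it succeeds and the process ends up with all three user IDs set to 65534, which is exactly the difference between rules (1) and (3).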

Table 8-7 Ways to change the three user IDs (as given by the rules above)

    ID                  exec, set-user-ID bit off    exec, set-user-ID bit on            setuid(uid), superuser    setuid(uid), unprivileged
    real user ID        unchanged                    unchanged                           set to uid                unchanged
    effective user ID   unchanged                    set from user ID of program file    set to uid                set to uid
    saved set-user-ID   copied from effective uid    copied from effective uid           set to uid                unchanged

1. setreuid and setregid Functions

If either argument is -1, the corresponding ID is left unchanged.

The rules are simple: an unprivileged user can always swap the real user ID and the effective user ID. This allows a set-user-ID program to switch to the normal permissions of the user and then swap back to the additional permissions it obtained from its set-user-ID.
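As an added example (not the book's code or the original post's), here is the swap just described, done for both the user and the group IDs with setreuid and setregid; swap_ids and swap_twice_restores are our own names. Run as an ordinary user whose real and effective IDs are already equal, the swap changes nothing but still succeeds; in a set-user-ID program it moves the process between the invoking user's permissions and the set-user-ID permissions.

```c
#define _XOPEN_SOURCE 700   /* make glibc declare setreuid/setregid in strict modes */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Swap the real and effective user IDs, and the real and effective group IDs.
 * A process may always swap its own pair of IDs, so no privilege is needed.
 * Returns 0 on success, -1 with errno set if a call fails; if the user-ID
 * swap fails after the group IDs were already swapped, the group IDs are
 * swapped back so the process is never left half-changed. */
int swap_ids(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (setregid(egid, rgid) < 0)
        return -1;
    if (setreuid(euid, ruid) < 0) {
        int saved_errno = errno;
        (void)setregid(rgid, egid);     /* undo the group swap */
        errno = saved_errno;
        return -1;
    }
    return 0;
}

/* Swap twice and report whether all four IDs returned to their starting
 * values: 1 if so, 0 if not or if either swap failed. */
int swap_twice_restores(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (swap_ids() < 0)
        return 0;
    /* In between, the roles are reversed. */
    if (getuid() != euid || geteuid() != ruid || getgid() != egid || getegid() != rgid)
        return 0;
    if (swap_ids() < 0)
        return 0;
    return getuid() == ruid && geteuid() == euid && getgid() == rgid && getegid() == egid;
}

int main(void)
{
    printf("before:       real=%u effective=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (swap_ids() < 0) { perror("swap_ids"); return 1; }
    printf("after swap:   real=%u effective=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (swap_ids() < 0) { perror("swap_ids"); return 1; }
    printf("swapped back: real=%u effective=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```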

2. seteuid and setegid Functions

These are similar to setuid and setgid, but only the effective user ID or the effective group ID is changed.

#include <unistd.h>

int seteuid(uid_t uid);
int setegid(gid_t gid);

Both return: 0 if OK, -1 on error.

An unprivileged user can set its effective user ID to either its real user ID or its saved set-user-ID. For a privileged user, only the effective user ID is set to uid. (This differs from the setuid function, which changes all three user IDs.)
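An added example (not from the book or the original post) of the pattern seteuid exists for: a set-user-ID program records its privileged effective ID at startup, runs with the invoking user's permissions most of the time, and switches back only for the few operations that need the extra privilege. Because the saved set-user-ID cannot be read back, the program has to remember it itself. The function names init_privileges, raise_privileges, lower_privileges and open_as_user are our own; /dev/null in main() is only a stand-in for a file the user asked the program to open.

```c
#define _XOPEN_SOURCE 700   /* make glibc declare seteuid in strict modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The effective user ID the program started with: the file owner when the
 * program file has the set-user-ID bit set. Remembered here because the
 * saved set-user-ID cannot be queried later. */
static uid_t privileged_uid;
static int initialized;

/* Call once at startup: record the privileged ID, then lower the effective
 * user ID to the real user ID. Returns 0 on success, -1 on error. */
int init_privileges(void)
{
    privileged_uid = geteuid();
    initialized = 1;
    return seteuid(getuid());
}

/* Switch the effective user ID back to the privileged one. An unprivileged
 * process may do this because that value is its saved set-user-ID. */
int raise_privileges(void)
{
    if (!initialized) {
        errno = EINVAL;
        return -1;
    }
    return seteuid(privileged_uid);
}

/* Switch the effective user ID back to the real user ID. */
int lower_privileges(void)
{
    return seteuid(getuid());
}

/* Open a file with the invoking user's permissions rather than the
 * privileged ones, so the user cannot use the set-user-ID program to read
 * files they could not read themselves. Restores the previous effective ID
 * before returning; returns the descriptor, or -1 with errno set. */
int open_as_user(const char *path, int flags)
{
    uid_t before = geteuid();
    int fd, saved_errno;

    if (seteuid(getuid()) < 0)
        return -1;
    fd = open(path, flags);
    saved_errno = errno;
    if (seteuid(before) < 0) {
        /* Could not regain the previous ID: do not hand back the descriptor. */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

int main(void)
{
    if (init_privileges() < 0) { perror("init_privileges"); return 1; }
    printf("running as real=%u effective=%u, privileged id %u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)privileged_uid);

    int fd = open_as_user("/dev/null", O_RDONLY);   /* stand-in for a user-supplied path */
    if (fd < 0) { perror("open_as_user"); return 1; }
    close(fd);

    if (raise_privileges() < 0) { perror("raise_privileges"); return 1; }
    printf("privileged section: effective=%u\n", (unsigned)geteuid());
    if (lower_privileges() < 0) { perror("lower_privileges"); return 1; }
    return 0;
}
```

The point of open_as_user is the ordering: the effective ID is lowered before the open, and the file descriptor is only returned if the original ID could be restored afterwards, so a failed seteuid never leaves the program in an unexpected state with an open file.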

Figure 8-3 Summary of the functions that set the different user IDs

3. Group IDs

Everything we have said about user IDs also applies to group IDs. The supplementary group IDs are not affected by the setgid, setregid, or setegid functions.


This post is excerpted from Advanced Programming in the UNIX Environment (2nd Edition) and is kept only as a personal learning record. For more information about the book, see: http://www.apuebook.com/.
