Chapter 9 Process Credentials
Each process has a set of user IDs (UID) and group IDs (GID) that are represented by numbers. These IDs are sometimes referred to as process credentials.
1: Real user ID and real group ID
2: Effective user ID and effective group ID
3: Saved set-user-ID and saved set-group-ID
4: File-system user ID and file-system group ID
5: Supplementary group IDs
9.1 Real user ID and real group ID
The real user ID and the real group ID identify the user and group to which the process belongs. As part of the login process, the login shell reads the third and fourth fields of the user's password record in the /etc/passwd file and uses them as its real user ID and real group ID. When a new process is created, it inherits these IDs from its parent process.
9.2 Effective user ID and effective group ID
A process with an effective user ID of 0 (the user ID of root) has all the privileges of the superuser. Such a process is called a privileged process. Two system calls can be executed only by privileged processes.
9.3 Set-user-ID and set-group-ID programs
A set-user-ID program sets the effective user ID of the process to the user ID of the executable file, so the process obtains permissions that would not normally be available to it. A set-group-ID program does the same for the effective group ID of the process.
As with other files, the user ID and group ID of the executable file determine the ownership of the file. In addition, an executable file has two special permission bits: the set-user-ID bit and the set-group-ID bit.
For example:
$ su
Password:
# ls -l Prog
-rwxr-xr-x 1 root root 302585 Jun 15:05 Prog
# chmod u+s Prog
# chmod g+s Prog
# ls -l Prog
-rwsr-sr-x 1 root root 302585 Jun 15:05 Prog
9.4 Saved set-user-ID and saved set-group-ID
9.5 File-system user ID and group ID
On Linux, for file-system operations such as opening files, changing file ownership, and modifying file permissions, it is the file-system user ID and group ID (combined with the supplementary group IDs), not the effective user ID and group ID, that determine the permissions for the operation.
9.6 Supplementary group IDs
The supplementary group IDs identify additional groups to which the process belongs.
9.7 Getting and modifying process credentials
The Linux-specific /proc/PID/status file can be used to obtain the credentials of any process by examining its Uid, Gid, and Groups lines.
1: The CAP_SETUID capability allows a process to make arbitrary changes to its user IDs
2: The CAP_SETGID capability allows a process to make arbitrary changes to its group IDs
9.7.1 Getting and modifying the real, effective, and saved set IDs
Getting the real and effective IDs
The system calls getuid () and getgid () return the real user ID and real group ID of the calling process, respectively. The system calls geteuid () and getegid () do the same for the effective IDs of the process.
#include <unistd.h>
uid_t getuid (void);
uid_t geteuid (void);
gid_t getgid (void);
gid_t getegid (void);
Modifying the effective ID:
#include <unistd.h>
int setuid (uid_t uid);
int setgid (gid_t gid);
Note:
1: When a non-privileged process calls setuid (), only the effective user ID of the process can be modified.
2: When a privileged process calls setuid () with a nonzero argument, its real user ID, effective user ID, and saved set-user-ID are all set to the value given in the uid argument.
A process can use seteuid () to modify its effective user ID, and setegid () to modify its effective group ID:
#include <unistd.h>
int seteuid (uid_t euid);
int setegid (gid_t egid);
Modifying the real ID and effective ID:
#include <unistd.h>
int setreuid (uid_t ruid, uid_t euid);
int setregid (gid_t rgid, gid_t egid);
First parameter: new real ID
Second parameter: new effective ID
Getting the real, effective, and saved set IDs
In most UNIX implementations, a process cannot directly get (or modify) its saved set-user-ID and saved set-group-ID values. Linux, however, provides two (non-standard) system calls for this purpose: getresuid () and getresgid ().
#define _GNU_SOURCE
#include <unistd.h>
int getresuid (uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid (gid_t *rgid, gid_t *egid, gid_t *sgid);
Modifying the real, effective, and saved set IDs
9.7.2 Getting and modifying file-system IDs
"Linux_unix system Programming" CHAPTER9 process credentials