TLPI chapter 9: Process credentials

Source: Internet
Author: User
Tags: chmod, set-user-ID, set-group-ID, file permissions

This chapter starts to get a bit confusing, so I searched online for an article to help understand set-user-ID programs (link: Set-user-id).
1. Each process has a set of numeric user IDs (UIDs) and group IDs (GIDs): the real user ID and real group ID, the effective user ID and effective group ID, the saved set-user-ID and saved set-group-ID, the file-system user ID and file-system group ID (Linux-specific), and the supplementary group IDs.
Collectively, these IDs are called the process credentials.
2. Real user ID and real group ID:
These two IDs identify the user and group to which the process belongs. When a user logs in, the login shell takes its real UID and GID from the user's entry in the /etc/passwd file, and every process created afterwards inherits its real UID and real GID from its parent process.
3. Effective user ID and effective group ID:
When a process attempts to access a resource, the system determines the permissions granted to the process from its effective user ID and effective group ID, together with its supplementary group IDs.
A process whose effective user ID is 0 (the superuser) has all permissions. Such a process is called a privileged process, and some system calls can be performed only by a privileged process.
Normally the effective IDs are the same as the real IDs, but certain operations cause the two to differ.
4. Set-user-ID and set-group-ID programs
A set-user-ID program changes the effective user ID of the process that runs it to the ID of the file's owner, so the process obtains permissions it would not normally have. Set-group-ID does the same for the effective group ID. sudo, for example, uses this to obtain root privileges temporarily.
You can set the permission bits with the chmod command:
$ chmod u+s prog
$ chmod g+s prog
$ ls -l prog
-rwsr-sr-x 1 root root 302585 June 15:05 prog
Notice that after set-user-ID is set, the x in the owner's execute position is displayed as s. When a set-user-ID program is executed, the kernel sets the effective user ID of the process to the UID of the file's owner, so the process has the permissions of that owner. In particular, if the file is owned by root and has the set-user-ID bit set, the kernel sets the process's effective user ID to 0 (root) when the program is executed, and the process temporarily has root privileges. Note that it is the process's IDs that change, not the file's.
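The ls -l string above is just a rendering of the file's st_mode bits, and the lower-case s versus upper-case S distinction (set-user-ID with or without the execute bit) is easy to misread. The following program, an added example that is not from the book or the original post, renders a mode the way ls -l does and flags a file that would run with effective UID 0; function names are my own, and the test modes are constructed, not taken from a real system.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Render st_mode the way ls -l does: file type, then rwx for owner, group
   and others. Set-user-ID, set-group-ID and sticky are shown in the execute
   positions: lower-case if the execute bit is also set, upper-case if not.
   out must have room for 11 bytes (10 characters plus the terminator). */
void mode_to_string(mode_t m, char out[11])
{
    static const char *rwx[] = { "---", "--x", "-w-", "-wx",
                                 "r--", "r-x", "rw-", "rwx" };

    out[0] = S_ISDIR(m) ? 'd' : S_ISLNK(m) ? 'l' : S_ISREG(m) ? '-' : '?';
    memcpy(out + 1, rwx[(m >> 6) & 7], 3);   /* owner */
    memcpy(out + 4, rwx[(m >> 3) & 7], 3);   /* group */
    memcpy(out + 7, rwx[m & 7], 3);          /* others */
    if (m & S_ISUID) out[3] = (m & S_IXUSR) ? 's' : 'S';
    if (m & S_ISGID) out[6] = (m & S_IXGRP) ? 's' : 'S';
    if (m & S_ISVTX) out[9] = (m & S_IXOTH) ? 't' : 'T';
    out[10] = '\0';
}

/* 1 when executing this file gives the process effective UID 0: a regular
   file, owned by root, set-user-ID bit on, and executable by someone. */
int is_setuid_root_executable(mode_t m, uid_t owner)
{
    return S_ISREG(m) && owner == 0 && (m & S_ISUID) &&
           (m & (S_IXUSR | S_IXGRP | S_IXOTH));
}

/* lstat() a path and fill in the ls-style string and the root flag.
   Returns 0 on success, -1 if lstat() fails (errno is set). */
int inspect_path(const char *path, char out[11], int *setuid_root)
{
    struct stat st;
    if (lstat(path, &st) == -1)
        return -1;
    mode_to_string(st.st_mode, out);
    *setuid_root = is_setuid_root_executable(st.st_mode, st.st_uid);
    return 0;
}

/* Usage: ./modeshow /usr/bin/sudo /bin/ls ... */
int main(int argc, char *argv[])
{
    char buf[11];
    int flag;
    for (int i = 1; i < argc; i++) {
        if (inspect_path(argv[i], buf, &flag) == -1) {
            perror(argv[i]);
            continue;
        }
        printf("%s %s%s\n", buf, argv[i], flag ? "   <- set-user-ID root" : "");
    }
    return 0;
}
```

An upper-case S means the set-user-ID bit is on but the file is not executable by that class of user, which is usually a misconfiguration rather than a working privileged program; inventorying set-user-ID root files this way is the same check administrators do with find -perm -4000.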
5. Saved set-user-ID and saved set-group-ID
When a program is executed, the following steps occur:
1. If the set-user-ID permission bit of the executable file is on, the effective user ID of the process is set to the owner ID of the file; if it is not on, the effective ID of the process remains unchanged.
2. The saved set-user-ID and saved set-group-ID are copied from the corresponding effective IDs. This copy happens whether or not the file being executed has the set-user-ID bit set.
An example:
Suppose a process whose real ID, effective ID and saved set-user-ID are all 1000 executes a set-user-ID program owned by root. Its IDs change as follows:
real=1000 effective=0 saved=0
A number of system calls allow a set-user-ID program to switch its effective user ID back and forth between the real user ID and the value kept in the saved set-user-ID; the saved ID is where the copy of the effective ID is preserved for this purpose.
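To make the two exec-time steps and the back-and-forth switching concrete, here is an added example (my own code, not from the book or the original post) that models the three user IDs as a small struct, applies the exec rule from the text, and then models the rule Linux applies to seteuid(): an unprivileged process may only switch its effective ID to its current real, effective or saved set-user-ID, while a process with effective ID 0 may choose any value. The struct and function names are my own, the rule is stated without the capability refinements, and the starting values are the constructed 1000/0 case from the text.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical model of the three user IDs of a process. */
struct creds {
    uid_t real;
    uid_t effective;
    uid_t saved;
};

/* What execve() does to the user IDs, following the two steps in the text:
   step 1: if the file's set-user-ID bit is on, effective <- file owner;
   step 2: saved <- effective, whether or not the bit was set. */
struct creds creds_after_exec(struct creds before, uid_t file_owner, int setuid_bit)
{
    struct creds after = before;
    if (setuid_bit)
        after.effective = file_owner;   /* step 1 */
    after.saved = after.effective;      /* step 2, always */
    return after;
}

/* Model of the seteuid() rule (assumed here without capability details):
   an unprivileged process may set its effective ID only to its current
   real, effective or saved set-user-ID; effective ID 0 may set any value.
   Returns 0 on success, -1 where the kernel would refuse with EPERM. */
int model_seteuid(struct creds *c, uid_t target)
{
    int privileged = (c->effective == 0);
    if (privileged || target == c->real || target == c->effective ||
        target == c->saved) {
        c->effective = target;
        return 0;
    }
    return -1;
}

/* Model of a permanent drop, setresuid(uid, uid, uid): all three IDs change,
   so the saved ID no longer holds 0 and privilege cannot be regained. */
void drop_privileges_permanently(struct creds *c, uid_t uid)
{
    c->real = uid;
    c->effective = uid;
    c->saved = uid;
}

/* The real and effective IDs of the running process via POSIX calls; the
   saved ID needs the Linux-specific getresuid() used in Listing 9-1. */
void live_ids(uid_t *real, uid_t *effective)
{
    *real = getuid();
    *effective = geteuid();
}

static void show(const char *label, struct creds c)
{
    printf("%-26s real=%ld effective=%ld saved=%ld\n", label,
           (long) c.real, (long) c.effective, (long) c.saved);
}

int main(void)
{
    struct creds c = { 1000, 1000, 1000 };   /* constructed starting point */
    show("before exec", c);

    c = creds_after_exec(c, 0, 1);           /* root-owned set-user-ID program */
    show("after exec (setuid root)", c);     /* real=1000 effective=0 saved=0 */

    if (model_seteuid(&c, 1000) == 0)
        show("seteuid(1000): give up", c);   /* still reversible */
    if (model_seteuid(&c, 0) == 0)
        show("seteuid(0): regain", c);       /* allowed because saved == 0 */

    drop_privileges_permanently(&c, 1000);
    show("setresuid(1000,1000,1000)", c);
    if (model_seteuid(&c, 0) == -1)
        printf("seteuid(0) now refused: saved set-user-ID is no longer 0\n");

    uid_t r, e;
    live_ids(&r, &e);
    printf("this process: real=%ld effective=%ld\n", (long) r, (long) e);
    return 0;
}
```

The point of the last part is the one that matters for a set-user-ID program: giving up privilege with seteuid() alone leaves 0 in the saved set-user-ID, so the process (or any code it is tricked into running) can take it back; a program that never needs root again should change all three IDs.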
6. File-system user ID and group ID
On Linux, file-system operations such as opening files, changing file ownership and modifying file permissions are checked against the file-system user ID and file-system group ID. Normally the file-system IDs are the same as the effective IDs; they differ only when a process uses the Linux-specific system calls setfsuid() and setfsgid().
7. Retrieving and modifying process credentials

Sample program (Listing 9-1, idshow.c from TLPI):

/*************************************************************************\
*                  Copyright (C) Michael Kerrisk, 2015.                   *
*                                                                         *
* This program is free software. You may use, modify, and redistribute it *
* under the terms of the GNU General Public License as published by the   *
* Free Software Foundation, either version 3 or (at your option) any      *
* later version. This program is distributed without any warranty.  See   *
* the file COPYING.gpl-v3 for details.                                    *
\*************************************************************************/

/* Listing 9-1 */

/* idshow.c

   Display all user and group identifiers associated with a process.

   Note: this program uses Linux-specific calls and the Linux-specific
   file-system user and group IDs.
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/fsuid.h>
#include <limits.h>
#include "ugid_functions.h"     /* userNameFromId() & groupNameFromId() */
#include "tlpi_hdr.h"           /* errExit() and the standard headers */

#define SG_SIZE (NGROUPS_MAX + 1)

int
main(int argc, char *argv[])
{
    uid_t ruid, euid, suid, fsuid;
    gid_t rgid, egid, sgid, fsgid;
    gid_t suppGroups[SG_SIZE];
    int numGroups, j;
    char *p;

    if (getresuid(&ruid, &euid, &suid) == -1)
        errExit("getresuid");
    if (getresgid(&rgid, &egid, &sgid) == -1)
        errExit("getresgid");

    /* Attempts to change the file-system IDs are always ignored
       for unprivileged processes, but even so, the following
       calls return the current file-system IDs */

    fsuid = setfsuid(0);
    fsgid = setfsgid(0);

    printf("UID: ");
    p = userNameFromId(ruid);
    printf("real=%s (%ld); ", (p == NULL) ? "???" : p, (long) ruid);
    p = userNameFromId(euid);
    printf("eff=%s (%ld); ", (p == NULL) ? "???" : p, (long) euid);
    p = userNameFromId(suid);
    printf("saved=%s (%ld); ", (p == NULL) ? "???" : p, (long) suid);
    p = userNameFromId(fsuid);
    printf("fs=%s (%ld); ", (p == NULL) ? "???" : p, (long) fsuid);
    printf("\n");

    printf("GID: ");
    p = groupNameFromId(rgid);
    printf("real=%s (%ld); ", (p == NULL) ? "???" : p, (long) rgid);
    p = groupNameFromId(egid);
    printf("eff=%s (%ld); ", (p == NULL) ? "???" : p, (long) egid);
    p = groupNameFromId(sgid);
    printf("saved=%s (%ld); ", (p == NULL) ? "???" : p, (long) sgid);
    p = groupNameFromId(fsgid);
    printf("fs=%s (%ld); ", (p == NULL) ? "???" : p, (long) fsgid);
    printf("\n");

    /* Supplementary group IDs; getgroups() returns how many were stored */
    numGroups = getgroups(SG_SIZE, suppGroups);
    if (numGroups == -1)
        errExit("getgroups");

    printf("Supplementary groups (%d): ", numGroups);
    for (j = 0; j < numGroups; j++) {
        p = groupNameFromId(suppGroups[j]);
        printf("%s (%ld) ", (p == NULL) ? "???" : p, (long) suppGroups[j]);
    }
    printf("\n");

    exit(EXIT_SUCCESS);
}

Summary:
Each process has a number of user IDs and group IDs associated with it. The real IDs define the user and group to which the process belongs. On most UNIX implementations, a process's permission to access resources such as files is determined by its effective IDs. Linux instead uses the file-system IDs to determine access to files, and the effective IDs are used for the remaining permission checks. The supplementary group IDs are an additional set of groups, configured separately, that a process belongs to for permission-checking purposes. Various system calls and library functions allow a process to retrieve and modify its user IDs and group IDs. When a set-user-ID program runs, the effective user ID of the process is set to the user ID of the file's owner; this mechanism lets a user take on the identity and privileges of another user while running a particular program. Correspondingly, a set-group-ID program modifies the effective group ID of the process that runs it. The saved set-user-ID and saved set-group-ID allow set-user-ID and set-group-ID programs to give up their privileges temporarily and regain them later.
The user ID 0 is special: normally only one account, root, has it. A process with an effective user ID of 0 is a privileged process; the system calls it makes are exempt from many of the permission checks that normally apply.
