The Linux Programming Interface 09 Process Credentials

    xiaoxiao 2021-03-25

    The Linux Programming Interface

    Process Credentials

    (1) Which credentials a process has

    1. real user ID and group ID

    2. effective user ID and group ID

    3. saved set-user-ID and saved set-group-ID

    4. file-system user ID and group ID (Linux specific); and

    5. supplementary group IDs.

    (02) Overall, I did not really understand these permission-related IDs. The real user ID can be obtained with the getpid() function; the rest, roughly, exist because if I cannot access this process, I can obtain them by changing them through the corresponding functions. The functions are listed below.

    (03) An example of how these are used; I will study these functions properly when I actually need them.

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <sys/fsuid.h>
    #include <limits.h>
    #include "ugid_functions.h"         /* userNameFromId() & groupNameFromId() */
    #include "tlpi_hdr.h"

    #define SG_SIZE (NGROUPS_MAX + 1)

    int
    main(int argc, char *argv[])
    {
        uid_t ruid, euid, suid, fsuid;      /* fsuid: file-system user ID */
        gid_t rgid, egid, sgid, fsgid;
        gid_t suppGroups[SG_SIZE];
        int numGroups, j;
        char *p;

        /* Fetch the real, effective and saved set IDs in one call each */
        if (getresuid(&ruid, &euid, &suid) == -1)
            errExit("getresuid");
        if (getresgid(&rgid, &egid, &sgid) == -1)
            errExit("getresgid");

        /* Attempts to change the file-system IDs are always ignored for
           unprivileged processes, but even so, the following calls return
           the current file-system IDs */
        fsuid = setfsuid(0);
        fsgid = setfsgid(0);

        printf("UID: ");
        p = userNameFromId(ruid);
        printf("real = %s (%ld); ", (p == NULL) ? "???" : p, (long) ruid);
        p = userNameFromId(euid);
        printf("eff = %s (%ld); ", (p == NULL) ? "???" : p, (long) euid);
        p = userNameFromId(suid);
        printf("saved = %s (%ld); ", (p == NULL) ? "???" : p, (long) suid);
        p = userNameFromId(fsuid);
        printf("fs = %s (%ld); ", (p == NULL) ? "???" : p, (long) fsuid);

        numGroups = getgroups(SG_SIZE, suppGroups);
        if (numGroups == -1)
            errExit("getgroups");

        printf("Supplementary groups (%d): ", numGroups);
        for (j = 0; j < numGroups; j++) {
            p = groupNameFromId(suppGroups[j]);
            /* This must be a comparison (==); an assignment "p = NULL" here
               makes every group name print as "(null)", as in the output below */
            printf("%s (%ld) ", (p == NULL) ? "???" : p, (long) suppGroups[j]);
        }
        printf("\n");

        exit(EXIT_SUCCESS);
    }

    Output:

    wang@wang:~/test/tlpi-dist/lib$ gcc idshow.c error_functions.c ugid_functions.c -o idshow
    wang@wang:~/test/tlpi-dist/lib$ ./idshow
    UID: real = wang (1000); eff = wang (1000); saved = wang (1000); fs = wang (1000); Supplementary groups (8): (null) (4) (null) (24) (null) (27) (null) (30) (null) (46) (null) (108) (null) (124) (null) (1000)

    (04) Summary

    Each process has a number of associated user and group IDs (credentials). The real IDs define the ownership of the process. On most UNIX implementations, the effective IDs are used to determine a process's permissions when accessing resources such as files. On Linux, however, the file-system IDs are used for determining permissions for accessing files, while the effective IDs are used for other permission checks. (Because the file-system IDs normally have the same values as the corresponding effective IDs, Linux behaves in the same way as other UNIX implementations when checking file permissions.) A process's supplementary group IDs are a further set of groups of which the process is considered to be a member for the purpose of permission checking. Various system calls and library functions allow a process to retrieve and change its user and group IDs.

    When a set-user-ID program is run, the effective user ID of the process is set to that of the owner of the file. This mechanism allows a user to assume the identity, and thus the privileges, of another user while running a particular program. Correspondingly, set-group-ID programs change the effective group ID of the process running a program. The saved set-user-ID and saved set-group-ID allow set-user-ID and set-group-ID programs to temporarily drop and then later reassume privileges.

    The user ID 0 is special. Normally, a single user account, named root, has this user ID. Processes with an effective user ID of 0 are privileged; that is, they are exempt from many of the permission checks normally performed when a process makes various system calls (such as those used to arbitrarily change the various process user and group IDs).
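    The drop / regain / permanent-drop pattern that the summary describes, written out as an added example (this is not code from the book or from this page): a process started from a set-user-ID binary lowers its effective UID to its real UID, restores it from the saved set-user-ID, and finally gives it up for good with setreuid(), which on Linux also overwrites the saved set-user-ID. Run as an ordinary user all three IDs are already equal, so each step succeeds trivially; the verification checks are what matter when the binary really is set-user-ID.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Temporarily drop privilege: set the effective UID to the real UID.
   The saved set-user-ID is untouched, so the privilege can be regained.
   The previous effective UID is stored in *saved; returns 0 or -1. */
static int drop_privs_temporarily(uid_t *saved)
{
    *saved = geteuid();
    if (seteuid(getuid()) == -1)
        return -1;
    return (geteuid() == getuid()) ? 0 : -1;   /* verify the change took */
}

/* Regain privilege: allowed because the saved set-user-ID still holds it. */
static int regain_privs(uid_t saved)
{
    if (seteuid(saved) == -1)
        return -1;
    return (geteuid() == saved) ? 0 : -1;
}

/* Permanently drop privilege. With a non -1 real UID, setreuid() on Linux
   also sets the saved set-user-ID to the new effective UID, so after this
   call the original effective UID can no longer be reacquired. */
static int drop_privs_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    if (setreuid(ruid, ruid) == -1 || geteuid() != ruid)
        return -1;
    /* If we really changed identity, regaining it must now fail. */
    if (old_euid != ruid && seteuid(old_euid) != -1)
        return -1;
    return 0;
}

int main(void)
{
    uid_t saved;
    if (drop_privs_temporarily(&saved) == -1 || regain_privs(saved) == -1
            || drop_privs_permanently() == -1) {
        perror("changing credentials");
        exit(EXIT_FAILURE);
    }
    printf("real = %ld, effective = %ld after permanent drop\n",
           (long) getuid(), (long) geteuid());
    return 0;
}
```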

    (05) Exercises

    Please credit the original source when reposting: https://ju.6miu.com/read-7823.html
