The Linux Programming Interface 09 Process Credentials

The Linux Programming Interface

Process Credentials

(01) Which credentials exist

1. real user ID and group ID

2. effective user ID and group ID

3. saved set-user-ID and saved set-group-ID

4. file-system user ID and group ID (Linux specific); and

5. supplementary group IDs.

(02) Overall, I did not really understand this permission-related material. The real user ID can be obtained with the getpid() function; as for the others, I suppose that if I cannot access this process, I can obtain them by changing them with the corresponding functions. Those functions follow.

(03) An example of this usage; I will study these functions when I actually need them.

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/fsuid.h>
#include <limits.h>
/* userNameFromId() & groupNameFromId() */
#include "ugid_functions.h"
#include "tlpi_hdr.h"

#define SG_SIZE (NGROUPS_MAX + 1)

int main(int argc, char *argv[]) {
	/* fsuid / fsgid: the Linux-specific file-system user and group IDs */
	uid_t ruid, euid, suid, fsuid;
	gid_t rgid, egid, sgid, fsgid;
	gid_t suppGroups[SG_SIZE];
	int numGroups, j;
	char *p;

	/* Retrieve real, effective and saved set-IDs in one call each */
	if (getresuid(&ruid, &euid, &suid) == -1)
		errExit("getresuid");
	if (getresgid(&rgid, &egid, &sgid) == -1)
		errExit("getresgid");

	/* Attempts to change the file-system IDs are always ignored
	   for unprivileged processes, but even so, the following calls
	   return the current file-system IDs */

	fsuid = setfsuid(0);
	fsgid = setfsgid(0);

	printf("UID: ");
	p = userNameFromId(ruid);
	printf("real = %s (%ld); ", (p == NULL) ? "???" : p, (long) ruid);
	p = userNameFromId(euid);
	printf("eff = %s (%ld); ", (p == NULL) ? "???" : p, (long) euid);
	p = userNameFromId(suid);
	printf("saved = %s (%ld); ", (p == NULL) ? "???" : p, (long) suid);
	p = userNameFromId(fsuid);
	printf("fs = %s (%ld); ", (p == NULL) ? "???" : p, (long) fsuid);

	/* Supplementary group IDs: getgroups() returns how many were stored */
	numGroups = getgroups(SG_SIZE, suppGroups);
	if (numGroups == -1)
		errExit("getgroups");

	printf("Supplementary groups (%d): ", numGroups);
	for (j = 0; j < numGroups; j++) {
		p = groupNameFromId(suppGroups[j]);
		/* Comparison, not assignment: "p = NULL" would discard the name */
		printf("%s (%ld) ", (p == NULL) ? "???" : p, (long) suppGroups[j]);
	}
	printf("\n");
	exit(EXIT_SUCCESS);
}
Output:
wang@wang:~/test/tlpi-dist/lib$ gcc idshow.c error_functions.c ugid_functions.c -o idshow
wang@wang:~/test/tlpi-dist/lib$ ./idshow
UID: real = wang (1000); eff = wang (1000); saved = wang (1000); fs = wang (1000); Supplementary groups (8): (null) (4) (null) (24) (null) (27) (null) (30) (null) (46) (null) (108) (null) (124) (null) (1000)

(04) Summary

Each process has a number of associated user and group IDs (credentials). The real IDs define the ownership of the process. On most UNIX implementations, the effective IDs are used to determine a process's permissions when accessing resources such as files. On Linux, however, the file-system IDs are used for determining permissions for accessing files, while the effective IDs are used for other permission checks. (Because the file-system IDs normally have the same values as the corresponding effective IDs, Linux behaves in the same way as other UNIX implementations when checking file permissions.) A process's supplementary group IDs are a further set of groups of which the process is considered to be a member for the purpose of permission checking. Various system calls and library functions allow a process to retrieve and change its user and group IDs.

When a set-user-ID program is run, the effective user ID of the process is set to that of the owner of the file. This mechanism allows a user to assume the identity, and thus the privileges, of another user while running a particular program. Correspondingly, set-group-ID programs change the effective group ID of the process running the program. The saved set-user-ID and saved set-group-ID allow set-user-ID and set-group-ID programs to temporarily drop and then later reassume privileges.

The user ID 0 is special. Normally, a single user account, named root, has this user ID. Processes with an effective user ID of 0 are privileged; that is, they are exempt from many of the permission checks normally performed when a process makes various system calls (such as those used to arbitrarily change the various process user and group IDs).
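The summary describes how the saved set-user-ID lets a set-user-ID program drop privileges temporarily and reassume them later, and how setting all three IDs drops them for good. The program below is an added example written for this page; it is not the book's code. It assumes Linux and glibc (getresuid() and setresuid() are Linux-specific, as the chapter notes) and that, after each change, the caller re-reads the IDs instead of trusting the return value alone, which is the check a least-privilege implementation needs. Run as an ordinary user without the set-user-ID bit, all three IDs are equal from the start and every step is a no-op; run from a set-user-ID binary, the same code brackets the privileged work and then discards the owner's identity.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototypes in case <unistd.h> was processed before _GNU_SOURCE
   was visible; they match the glibc declarations. */
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Snapshot of the real, effective and saved set-user-IDs. */
struct uids { uid_t real, eff, saved; };

/* Read all three user IDs with getresuid(); 0 on success, -1 on error. */
static int read_uids(struct uids *u)
{
    return getresuid(&u->real, &u->eff, &u->saved);
}

/* Temporary drop: make the effective UID equal to the real UID. The saved
   set-user-ID is untouched, so privileges can be reacquired later. */
int drop_privs_temporarily(void)
{
    if (seteuid(getuid()) == -1)
        return -1;
    /* Verify the kernel actually changed the ID before trusting the drop. */
    return (geteuid() == getuid()) ? 0 : -1;
}

/* Reacquire: copy the saved set-user-ID back into the effective UID. */
int reacquire_privs(void)
{
    struct uids u;
    if (read_uids(&u) == -1 || seteuid(u.saved) == -1)
        return -1;
    return (geteuid() == u.saved) ? 0 : -1;
}

/* Permanent drop: set real, effective and saved UIDs to the real UID. After
   this a set-user-ID program can no longer regain the file owner's identity. */
int drop_privs_permanently(void)
{
    uid_t ruid = getuid();
    struct uids u;
    if (setresuid(ruid, ruid, ruid) == -1)
        return -1;
    if (read_uids(&u) == -1)
        return -1;
    return (u.real == ruid && u.eff == ruid && u.saved == ruid) ? 0 : -1;
}

/* 1 if real == effective == saved, 0 if they differ, -1 on error. */
int all_uids_equal(void)
{
    struct uids u;
    if (read_uids(&u) == -1)
        return -1;
    return (u.real == u.eff && u.eff == u.saved) ? 1 : 0;
}

static void show(const char *label)
{
    struct uids u;
    if (read_uids(&u) == -1) { perror("getresuid"); exit(EXIT_FAILURE); }
    printf("%-10s real=%ld eff=%ld saved=%ld\n", label,
           (long) u.real, (long) u.eff, (long) u.saved);
}

int main(void)
{
    show("start:");
    if (drop_privs_temporarily() == -1) { perror("seteuid"); exit(EXIT_FAILURE); }
    show("dropped:");
    /* Unprivileged work (parsing input, talking to the network) goes here. */
    if (reacquire_privs() == -1) { perror("seteuid"); exit(EXIT_FAILURE); }
    show("regained:");
    /* Privileged work (opening a protected file) goes here. */
    if (drop_privs_permanently() == -1) { perror("setresuid"); exit(EXIT_FAILURE); }
    show("final:");
    exit(EXIT_SUCCESS);
}
```

Each helper re-reads the IDs after the call because seteuid() and setresuid() can partially succeed or be silently constrained, and a privilege drop that did not happen is exactly the failure a defender wants to detect at the call site rather than later.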

(05) Exercises

