23 O.S. Security: Setting/Getting User/Group Privileges

1 O.S. Security Basics for Users and Groups

1.1 Users and Groups

1. /etc/passwd

.-- user name         .-- full name   .--- home directory  
|                     |               |
v                     v               v
aviv:x:35001:10120:Adam Aviv {}:/home/scs/aviv:/bin/bash
        ^     ^                                   ^
uid ----'     '--- gid (Default)                  '--- default shell

2. /etc/group, a user can belong to more than one group

.-- group name
|            
v            
scs:*:10120:webadmin,www-data,lucas,slack
       ^    \___________________________/
gid ---'                |
                        '- Additional users in that group
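As an added example (not part of the original notes), the following C program parses one line of each file in exactly the shape the two diagrams above label, and answers the question the diagrams raise: is a user in a group because of the default gid in /etc/passwd, or because of the member list in /etc/group? The sample lines are constructed in the code, so it runs without reading the real files.

```c
/* Added example: parse constructed /etc/passwd and /etc/group lines. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct passwd_entry {
    char name[64], gecos[128], home[128], shell[64];
    long uid, gid;
};

struct group_entry {
    char name[64];
    long gid;
    char members[8][64];   /* fixed-size member list is enough for the example */
    int nmembers;
};

/* Split `line` on `sep` into at most `max` fields, in place. Returns the field count. */
static int split_fields(char *line, char sep, char **fields, int max) {
    int n = 0;
    char *p = line;
    while (n < max) {
        fields[n++] = p;
        char *q = strchr(p, sep);
        if (!q) break;
        *q = '\0';
        p = q + 1;
    }
    return n;
}

/* passwd line: name:passwd:uid:gid:gecos:home:shell (7 fields). Returns 0 on success. */
int parse_passwd_line(const char *line, struct passwd_entry *e) {
    char buf[512];
    char *f[7];
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\n")] = '\0';
    if (split_fields(buf, ':', f, 7) != 7) return -1;
    snprintf(e->name, sizeof e->name, "%s", f[0]);
    e->uid = strtol(f[2], NULL, 10);
    e->gid = strtol(f[3], NULL, 10);          /* default (primary) group */
    snprintf(e->gecos, sizeof e->gecos, "%s", f[4]);
    snprintf(e->home, sizeof e->home, "%s", f[5]);
    snprintf(e->shell, sizeof e->shell, "%s", f[6]);
    return 0;
}

/* group line: name:passwd:gid:member1,member2,... (4 fields). Returns 0 on success. */
int parse_group_line(const char *line, struct group_entry *g) {
    char buf[512];
    char *f[4];
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\n")] = '\0';
    if (split_fields(buf, ':', f, 4) != 4) return -1;
    snprintf(g->name, sizeof g->name, "%s", f[0]);
    g->gid = strtol(f[2], NULL, 10);
    g->nmembers = 0;
    if (f[3][0] == '\0') return 0;            /* group with no additional members */
    char *m[8];
    int n = split_fields(f[3], ',', m, 8);
    for (int i = 0; i < n; i++)
        snprintf(g->members[g->nmembers++], 64, "%s", m[i]);
    return 0;
}

/* A user is in a group if it is the user's default gid or the user is
 * listed among the group's additional members. */
int user_in_group(const struct passwd_entry *u, const struct group_entry *g) {
    if (u->gid == g->gid) return 1;
    for (int i = 0; i < g->nmembers; i++)
        if (strcmp(g->members[i], u->name) == 0) return 1;
    return 0;
}

int main(void) {
    /* constructed sample lines, in the same shape as the diagrams above */
    const char *pw = "aviv:x:35001:10120:Adam Aviv:/home/scs/aviv:/bin/bash";
    const char *gr = "scs:*:10120:webadmin,www-data,lucas,slack";
    struct passwd_entry u; struct group_entry g;
    if (parse_passwd_line(pw, &u) || parse_group_line(gr, &g)) return 1;
    printf("user %s uid=%ld gid=%ld shell=%s\n", u.name, u.uid, u.gid, u.shell);
    printf("group %s gid=%ld members=%d; %s in group? %d\n",
           g.name, g.gid, g.nmembers, u.name, user_in_group(&u, &g));
    return 0;
}
```

Note that aviv is in scs through the default gid even though the name does not appear in the member list, while www-data is in scs only through the member list; a permission check has to consider both sources.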

1.2 Permissions

1. View permissions with ls -l

user   other       .- group
  |     |          |
 .-.   .-.         v
-rwxr--r-- 1 aviv scs    0 Mar 27 09:41 a
^   '-'       ^
|    |        '-- user/owner
|   group
|
'- Directory Bit

Command   Description
chmod     change the permissions string of the file, which can only be done by the owner of the file (or the super user).
chgrp     change the group of the file, which can only be done by the owner of the file (or the super user).
chown     change the owner of the file, which can only be done by the super user.

1.3 Terminal Login and Password Checking

 runs as root                      
.......................................
:  .-------.                          :
:  | getty |                          :
:  '-------'                          :
:      |                              : 
:    exec() <-------.                 :
:      |            |                 :
: (1)  v            | (failed)        :
:  .--------.       |     ............:
:  | login  | ------'     :    
:  '--------'             :                    runs as the user
:      | (success)        :   ..................................
:      |      ............:   :                                :
:      |      :   ............: .-------. (3)                  :
:     fork() -:---:- exec() --> | shell |                      :
:.............: ^ :             '-------'                      :
 (2)            | :                  |                  .----. :
  changes ______| :               fork() --- exec() --> | ls | :
    user          :                                     '----' :
                  :............................................:

2 Users/Group Capabilities of Programs

2.1 Observing the privilege settings of programs

  1. uid_t getuid(void): Returns the real user id of the calling process.
  2. gid_t getgid(void): Returns the real group id of the calling process.
/*get_uidgid.c*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char * argv[]){

  uid_t uid;
  gid_t gid;

  uid = getuid();   /* real user id of this process */

  gid = getgid();   /* real group id of this process */

  /* uid_t and gid_t are unsigned integer types, so cast and print with %u */
  printf("uid=%u gid=%u\n", (unsigned) uid, (unsigned) gid);

  return 0;
}

2.2 Extra permission modes for set-user-id/set-group-id

chmod 6751 get_uidgid

set      group
bits user |  other
  |   |   |   |
  V   V   V   V
 110 111 101 001
  6   7   5   1

-rwsr-s--x

2.3 Real vs. Effective Capabilities

  1. real user id (or group id): the identifier of the actual user who executed a program
  2. effective user id (or group id): the identifier for the capabilities or permissions settings of an executing program
  3. uid_t geteuid(void): return the effective user identifier for the calling process
  4. gid_t getegid(void): return the effective group identifier for the calling process
/*get_euidegid.c*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char * argv[]){

  uid_t uid,euid;
  gid_t gid,egid;

  /* real ids: who actually ran the program */
  uid = getuid();
  gid = getgid();
  printf(" uid=%u  gid=%u\n", (unsigned) uid, (unsigned) gid);

  /* effective ids: what the program is allowed to do (differ from the
     real ids when the set-user-id/set-group-id bits are set) */
  euid = geteuid();
  egid = getegid();
  printf("euid=%u egid=%u\n", (unsigned) euid, (unsigned) egid);

  return 0;
}

2.4 Programmatically Downgrading/Upgrading Capabilities

  1. setuid(uid_t uid): change the effective user id of a process to uid
  2. setgid(gid_t gid): change the effective group id of a process to gid
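The "changes user" step in the login diagram of section 1.3 is exactly this downgrade, and getting it wrong is a classic bug class. The program below is an added example (not from the original notes or the lecture it summarises) of a permanent privilege drop on Linux/glibc: supplementary groups first, then setgid(), then setuid(), each return value checked, followed by verification with the get*id() calls from sections 2.1 and 2.3. It relies on the Linux semantics that setuid() called by root changes the real, effective and saved user ids together. When run without privileges it drops to the ids it already holds, which is always permitted, so it can be tried as an ordinary user.

```c
/* Added example: permanent privilege drop in the correct order, with verification. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Returns 0 when the process now runs as target_uid/target_gid and cannot
 * regain its previous identity, -1 otherwise. */
int drop_privileges(uid_t target_uid, gid_t target_gid) {
    /* 1. supplementary groups: only root may clear them, and it must be
     *    done while still root, or the old group memberships stay behind. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        perror("setgroups");
        return -1;
    }
    /* 2. group before user: once the uid is non-root, setgid() would fail. */
    if (setgid(target_gid) != 0) {
        perror("setgid");
        return -1;
    }
    /* 3. user last. Called by root this sets real, effective and saved uid
     *    at once, which is what makes the drop permanent. */
    if (setuid(target_uid) != 0) {
        perror("setuid");
        return -1;
    }
    /* 4. verify, never assume: real and effective ids must match the target. */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid)
        return -1;
    /* 5. after a permanent drop to a non-root user, regaining root must fail. */
    if (target_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Report the current identity (same calls as get_euidegid.c above). */
void print_ids(const char *label) {
    printf("%s: uid=%u euid=%u gid=%u egid=%u\n", label,
           (unsigned) getuid(), (unsigned) geteuid(),
           (unsigned) getgid(), (unsigned) getegid());
}

int main(void) {
    print_ids("before");
    /* A real login program or daemon would pass the target user's uid/gid
     * looked up from /etc/passwd; here we use the ids we already hold. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed or could not be verified\n");
        return 1;
    }
    print_ids("after");
    return 0;
}
```

The reverse order (setuid() then setgid()) is the usual mistake: once the uid is no longer 0 the setgid() call fails, and a program that ignores the return value keeps running with the privileged group.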

3 sudo and su

3.1 sudoers

/etc/sudoers

References:
https://blog.csdn.net/shaobingj126/article/details/7031221
https://www.usna.edu/Users/cs/aviv/classes/ic221/s16/lec/23/lec.html#coderef-bad_ref
