UID详解
Linux中的UID、GID、PID
UID
user identifier,用户ID,Linux系统通过UID区分不同用户。
Linux系统中用户(user)分为3类:
+ 普通用户:使用Linux系统的普通真实用户。普通用户能登陆系统,但权限有限,只能在其Home目录(用户目录)、系统临时目录或其他经过授权的目录中操作。UID为500~6000(系统默认普通用户ID从500开始编号)。
+ 系统用户:系统运行时必须有的用户,但并不是真实用户(虚拟用户),不具有登陆系统的能力。UID为1~499.
+ **根用户:**root用户(系统唯一,是真实的,可以登录系统)。root用户拥有最高权限:可以操作任何文件,运行任何命令。UID值为0。
GID
group identifier,组ID,Linux系统通过GID区分不同用户组。
Linux是多用户操作系统。每个用户都至少属于一个组。
用户组(group):就是具有相同特征的用户(user)的集合体。
例如,有时我们要让多个用户具有相同的权限(操作某一文件或执行某个命令),这时就可以把用户都定义到同一用户组。我们通过修改文件或目录的权限,让用户组具有一定的操作权限,这样用户组下的用户对该文件或目录就具有了相同的权限。
用户和用户组的对应关系:
+ 一对一:某个用户可以是某个组的唯一成员
+ 多对一:多个用户可以是同一个组队成员,且不归属其他组
+ 一对多:某个用户可以是多个用户组的成员。
+ 多对多:多个用户对应多个用户组。
PID
process identifier,进程ID,Linux系统通过PID区分不同进程
In computing, the process identifier (normally referred to as the process ID or just PID) is a number to uniquely identify an active process. This number may be used as a parameter in various function calls, allowing processes to be manipulated, such as adjusting the process’s priority or killing it altogether.
程序一运行,系统就会自动分配给进程一个独一无二的PID,进程中止后PID会被系统回收。
Android中的UID、GID、PID
UID
- Android系统和Linux系统不同:
- Linux是多用户操作系统,每个用户都具有一个UID(标识用户身份)。
- Android是单用户操作系统中,每个App都有一个UID(标识应用身份)。
- Android中, 应用程序在安装时被分配UID,应用程序在设备上的存续期间内,UID保持不变。
GID
- 一般应用的GID和UID相同
PID
- 在Android系统中一般不会把已经kill掉的PID重新分配给新的进程,新产生进程的PID一般比之前所有进程的PID都要大。
- 一个应用只能有一个 UID,但是一个应用中可以有多个进程(PID)。
进程UID分类
Linux中每个进程都拥有:
+ ruid & rgid : 运行进程的真实用户ID、组ID(real user ID),表示的是实际上进程的执行者
+ euid & egid : 有效用户ID、组ID
+ suid & sgid : 保存的用户ID、组ID (注意区分Set User ID (suid))
+ fsuid & fsgid : 用于文件系统访问检查的用户ID、组ID
Real user ID
The real UID (ruid) and real GID (rgid) identify the real owner of the process and affect the permissions for sending signals.
A process without superuser privilege can signal another process only if the sender’s real or effective UID matches the real or saved UID of the receiver. Since child processes inherit the credentials from the parent, they can signal each other.
Effective user ID
The effective UID (euid) of a process is used for most access checks. It is also used as the owner for files created by that process.
The effective GID (egid) of a process also affects access control and may also affect file creation, depending on the semantics of the specific kernel implementation in use and possibly the mount options used.
euid,主要用于校验该进程在执行时所获得的文件访问权限,也就是说当前进程访问文件时检查权限时实际上检查的是该进程的euid。
一般情况下,进程的euid 就是 ruid,但是当要运行的文件设置了setuid 位之后,就会把执行该文件的进程的 euid 临时转变成该文件所有者 UID ,同时进程的suid 变成了此时进程的 euid (即所有者UID)。进程在执行一些与文件访问权限相关的操作时,系统检查的是进程的 euid (即所有者UID) 。
Saved user ID
The saved user ID (suid) is used when a program running with elevated privileges needs to temporarily do some unprivileged work: it changes its effective user ID from a privileged value (typically root) to some unprivileged one, and this triggers a copy of the privileged user ID to the saved user ID slot.
Later, it can set its effective user ID back to the saved user ID to resume its privileges.
suid仅在euid发生改变时保存。
Saved user ID & Set user ID
saved user ID 其实就是 saved set-user-ID,saved user ID 保存的就是进行 set-user-ID 操作之后的值。
Saved user ID 的作用
为什么需要suid?因为当进程没有root权限时,进程在设置euid时会将需要设置的uid和该进程的ruid和suid进行比较。
APUE2 中的解释:
1) If the process has superuser privileges, the setuid function sets the real user ID, effective user ID, and saved set-user-ID to uid.
2) If the process does not have superuser privileges, but uid equals either the real user ID or the saved set-user-ID, setuid sets only the effective user ID to uid. The real user ID and the saved set-user-ID are not changed.
3) If neither of these two conditions is true, errno is set to EPERM, and 1 is returned
也就是说:
1) 当用户具有超级用户权限的时候,setuid 函数设置的id对三者都起效.
2) 否则,仅当该uid为real user ID 或者saved set-user-ID时,setuid 操作只会把 euid 设置为 uid,而 ruid 和 suid(saved set-user-ID) 不会发生改变。
3) 否则,setuid函数调用失败.
也就是说,这个saved set-user-ID更多的作用是在进程切换自己的effective user ID起作用.
APUE2 中的提醒:
Note that we can obtain only the current value of the real user ID and the effective user ID with the functions getuid and
geteuid from Section 8.2. We can’t obtain the current value of the saved set-user-ID.
需要特别提醒的是:并没有任何的API可以获取到进程的saved set-user-ID,它仅仅是系统在调用setuid函数时进行比较而起作用的.
File system user ID
Linux also has a file system user ID (fsuid) which is used explicitly for access control to the file system. It matches the euid unless explicitly set otherwise. Whenever the euid is changed, the change is propagated to the fsuid.
The intent of fsuid is to permit programs(such as the NFS server) to limit themselves to the file system rights of some given uid without giving that uid permission to send them signals. Since kernel 2.0, the existence of fsuid is no longer necessary because Linux adheres to SUSv3 rules for sending signals, but fsuid remains for compatibility reasons.
590
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
