Chapter 9, Process Credentials
- Each process has three (or four) credentials.
- The real user id
- The effective user id
- The saved user id.
- (Linux) File System user id, mostly ignored
- There are corresponding group ids as well.
- The real userid
- Set by the login shell from the fields of the password file.
- Unless action is taken, it is inherited from the parent.
- This is more of a record of "who I am"
- The effective userid
- The real id unless the setuid bit is set.
- Then this is the id of the user of the setuid.
- This ID is used to check most permissions.
- The saved userid
-
- Initially this matches the effective user id.
- When changing privilege levels, this is used to determine if you can revert back.
Some calls
- uid_t getuid(void);
- uid_t geteuid(void);
- int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
- int setuid(uid_t uid);
- int setresuid(uid_t ruid, uid_t euid, uid_t suid);
I can always to the real, effective or saved user id.
But without privilege (uid 0) I can not step outside of this group.
An example program.
- The setup
- myid
- myid.C reports the different ID values.
- It is owned by dbennett
- It is execute only by dbennett
- restrictedFile
- Is owned by dbennett
- It is readable only by dbennett.
- userSwitch is setuid dbennett, but make sure of this.
- userSwitch
- This program changes/attempts to change privilege level multiple times .
- Each time it:
- Prints current ids
- Attempts to open the file
- Attempts to run myid