Advanced Programming in the UNIX® Environment


Section 8.11 Changing User IDs and Group IDs 259


Example


To see the utility of the saved set-user-ID feature, let’s examine the operation of a
program that uses it. We’ll look at the at(1) program, which we can use to schedule
commands to be run at some time in the future.

On Linux 3.2.0, the at program is installed set-user-ID to user daemon. On FreeBSD 8.0, Mac
OS X 10.6.8, and Solaris 10, the at program is installed set-user-ID to user root. This allows
the at command to write privileged files owned by the daemon that will run the commands
on behalf of the user running the at command. On Linux 3.2.0, the programs are run by the
atd(8) daemon. On FreeBSD 8.0 and Solaris 10, the programs are run by the cron(1M)
daemon. On Mac OS X 10.6.8, the programs are run by the launchd(8) daemon.

To prevent being tricked into running commands that we aren’t allowed to run, or
reading or writing files that we aren’t allowed to access, the at command and the
daemon that ultimately runs the commands on our behalf have to switch between sets
of privileges: ours and those of the daemon. The following steps take place.


  1. Assuming that the at program file is owned by root and has its set-user-ID bit
    set, when we run it, we have
    real user ID = our user ID (unchanged)
    effective user ID = root
    saved set-user-ID = root

  2. The first thing the at command does is reduce its privileges so that it runs with
    our privileges. It calls the seteuid function to set the effective user ID to our
    real user ID. After this, we have
    real user ID = our user ID (unchanged)
    effective user ID = our user ID
    saved set-user-ID = root (unchanged)

  3. The at program runs with our privileges until it needs to access the
    configuration files that control which commands are to be run and the time at
    which they need to run. These files are owned by the daemon that will run the
    commands for us. The at command calls seteuid to set the effective user ID
    to root. This call is allowed because the argument to seteuid equals the
    saved set-user-ID. (This is why we need the saved set-user-ID.) After this, we
    have
    real user ID = our user ID (unchanged)
    effective user ID = root
    saved set-user-ID = root (unchanged)
    Because the effective user ID is root, file access is allowed.

  4. After the files are modified to record the commands to be run and the time at
    which they are to be run, the at command lowers its privileges by calling
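The switching sequence in the steps above, written out as an added example in C. This is not the at(1) source; it is a small program that records its IDs at startup, drops to the caller's privileges with seteuid, regains the saved set-user-ID around a privileged section, and drops again. The function names (ids_init, drop_privs, raise_privs, with_privs) are this example's own. It works whether the file is set-user-ID to root or to daemon, because it reads the privileged ID from the effective user ID at exec rather than assuming root. The getresuid() call that displays the saved set-user-ID is a Linux/BSD extension and is compiled only on those systems; run without the set-user-ID bit, all three IDs are simply our own and every switch succeeds trivially.

```c
/* seteuid switching with the saved set-user-ID, in the style of at(1).
 * Added example, not the at(1) source.  Assumes a POSIX system; the
 * getresuid() used to show the saved set-user-ID is a Linux/BSD
 * extension and is compiled only there. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t our_uid;   /* real user ID: the user who ran the program */
static uid_t priv_uid;  /* effective UID at exec: the file owner when set-user-ID */

/* Step 1: record the IDs as the kernel left them right after exec. */
void ids_init(void)
{
    our_uid = getuid();
    priv_uid = geteuid();
}

/* Saved set-user-ID where the kernel exposes it; otherwise the value
 * recorded at startup, which is what exec set it to. */
uid_t saved_uid(void)
{
#if defined(__linux__) || defined(__FreeBSD__) || defined(__OpenBSD__)
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) == 0)
        return s;
#endif
    return priv_uid;
}

/* Steps 2 and 4: drop to the caller's privileges.  seteuid leaves the
 * saved set-user-ID alone, so the privilege can be regained later.
 * The result is verified rather than trusted. */
int drop_privs(void)
{
    if (seteuid(our_uid) < 0)
        return -1;
    return geteuid() == our_uid ? 0 : -1;
}

/* Step 3: regain the privileged ID.  Permitted for an unprivileged
 * effective ID only because the argument equals the saved set-user-ID. */
int raise_privs(void)
{
    if (seteuid(priv_uid) < 0)
        return -1;
    return geteuid() == priv_uid ? 0 : -1;
}

/* Run fn() with the file owner's privileges and drop them again
 * afterwards whatever fn returns, as at(1) does around its spool-file
 * updates.  Returns fn's result, or -1 if either switch failed. */
int with_privs(int (*fn)(void *), void *arg)
{
    int rc;
    if (raise_privs() < 0)
        return -1;
    rc = fn(arg);
    if (drop_privs() < 0)
        return -1;   /* a real set-user-ID program would abort here */
    return rc;
}

void show(const char *stage)
{
    printf("%-24s real=%u effective=%u saved=%u\n", stage,
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)saved_uid());
}

/* Stand-in for the privileged work (writing the daemon-owned files). */
int privileged_work(void *arg)
{
    show((const char *)arg);
    return 0;
}

int main(void)
{
    ids_init();
    show("1. after exec");
    if (drop_privs() < 0) { perror("seteuid"); return 1; }
    show("2. dropped");
    if (with_privs(privileged_work, "3. privileged section") < 0) {
        perror("seteuid");
        return 1;
    }
    show("4. dropped again");
    return 0;
}
```

Two points a practitioner should keep from this. First, each seteuid call is followed by a geteuid check: a set-user-ID program that silently carries on with the wrong effective ID is exactly the "tricked into running commands" case the text warns about. Second, the temporary drop has to be seteuid, not setuid: with an effective user ID of root, setuid(getuid()) would also overwrite the saved set-user-ID, and step 3 would then fail with EPERM.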
