Advanced Programming in the UNIX® Environment


256 Process Control Chapter 8


In general, we try to use the least-privilege model when we design our applications.
According to this model, our programs should use the least privilege necessary to
accomplish any given task. This reduces the risk that security might be compromised
by a malicious user trying to trick our programs into using their privileges in
unintended ways.
We can set the real user ID and effective user ID with the setuid function.
Similarly, we can set the real group ID and the effective group ID with the setgid
function.

#include <unistd.h>
int setuid(uid_t uid);
int setgid(gid_t gid);
Both return: 0 if OK, −1 on error

There are rules for who can change the IDs. Let’s consider only the user ID for now.
(Everything we describe for the user ID also applies to the group ID.)


  1. If the process has superuser privileges, the setuid function sets the real user
    ID, effective user ID, and saved set-user-ID to uid.

  2. If the process does not have superuser privileges, but uid equals either the real
    user ID or the saved set-user-ID, setuid sets only the effective user ID to uid.
    The real user ID and the saved set-user-ID are not changed.

  3. If neither of these two conditions is true, errno is set to EPERM and −1 is
    returned.


Here, we are assuming that _POSIX_SAVED_IDS is true. If this feature isn’t provided,
then delete all preceding references to the saved set-user-ID.

The saved IDs are a mandatory feature in the 2001 version of POSIX.1. They were optional in
older versions of POSIX. To see whether an implementation supports this feature, an
application can test for the constant _POSIX_SAVED_IDS at compile time or call sysconf
with the _SC_SAVED_IDS argument at runtime.

We can make a few statements about the three user IDs that the kernel maintains.


  1. Only a superuser process can change the real user ID. Normally, the real user
    ID is set by the login(1) program when we log in and never changes. Because
    login is a superuser process, it sets all three user IDs when it calls setuid.

  2. The effective user ID is set by the exec functions only if the set-user-ID bit is set
    for the program file. If the set-user-ID bit is not set, the exec functions leave the
    effective user ID as its current value. We can call setuid at any time to set the
    effective user ID to either the real user ID or the saved set-user-ID. Naturally,
    we can’t set the effective user ID to any random value.

  3. The saved set-user-ID is copied from the effective user ID by exec. If the file’s
    set-user-ID bit is set, this copy is saved after exec stores the effective user ID
    from the file’s user ID.
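As an added example (not code from the book), the following C program models the three setuid rules and the effect of exec described in the two lists above, and traces the three user IDs through a set-user-ID program that drops and regains privilege. Treating "superuser privileges" as an effective user ID of 0, and the user IDs 1000 and 5, are this example's own assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* The three user IDs the kernel maintains for a process. */
struct uids { uid_t real, effective, saved; };

/* exec: if the file's set-user-ID bit is set, the effective ID becomes the
 * file's owner; the saved set-user-ID is then copied from the effective ID. */
static void model_exec(struct uids *p, int setuid_bit, uid_t file_owner)
{
    if (setuid_bit)
        p->effective = file_owner;
    p->saved = p->effective;
}

/* The three setuid rules, assuming _POSIX_SAVED_IDS and that "superuser"
 * means an effective user ID of 0 (an assumption of this example). */
static int model_setuid(struct uids *p, uid_t uid)
{
    if (p->effective == 0) {                    /* rule 1: all three IDs change */
        p->real = p->effective = p->saved = uid;
        return 0;
    }
    if (uid == p->real || uid == p->saved) {    /* rule 2: only the effective ID */
        p->effective = uid;
        return 0;
    }
    errno = EPERM;                              /* rule 3: refused */
    return -1;
}

static void show(const char *step, const struct uids *p)
{
    printf("%-32s real=%u effective=%u saved=%u\n", step,
           (unsigned)p->real, (unsigned)p->effective, (unsigned)p->saved);
}

int main(void)
{
    struct uids p = { 1000, 1000, 1000 };      /* constructed: login(1) set all three */
    model_exec(&p, 1, 5);   show("exec set-user-ID file owned by 5", &p);
    model_setuid(&p, 1000); show("setuid(1000): drop temporarily", &p);
    model_setuid(&p, 5);    show("setuid(5): regain via saved ID", &p);
    if (model_setuid(&p, 0) == -1) show("setuid(0): EPERM, IDs unchanged", &p);
    model_exec(&p, 1, 0);   show("exec set-user-ID-root file", &p);
    model_setuid(&p, 1000); show("setuid(1000): drop permanently", &p);
    return 0;
}
```

After the last step the saved set-user-ID is also 1000, so a later setuid(0) fails with EPERM; that is the permanent drop the least-privilege model asks for once root privilege is no longer needed.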
