本文详细介绍了setfsuid系统调用的功能及其使用场景,该调用主要用于为文件系统设置用户ID,允许特定服务如NFS服务器在不改变真实或有效用户ID的情况下更改文件访问的用户ID。
setfsuid - set user identity used for file system checks
setfsuid - 为文件系统设置用户id
所需头文件
#include <unistd.h> /* glibc uses <sys/fsuid.h> */
int setfsuid(uid_t fsuid);
The system call setfsuid() sets the user ID that the Linux kernel uses to check for all accesses to the file system. Normally, the value of fsuid will shadow the value of the effective user ID. In fact, whenever the effective user ID is changed, fsuid will also be changed to the new value of the effective user ID.
系统调用setfsuid设置用户id,linux kernel检查文件系统的所有可能,一般来说,fsuid的值可能会预示有效用户id的值,实际上来说,不管用户有效id什么时候改变,fsuid都会跟随新的用户有效id的值
Explicit calls to setfsuid() and setfsgid(2) are usually only used by programs such as the Linux NFS server that need to change what user and group ID is used for file access without a corresponding change in the real and effective user and group IDs. A change in the normal user IDs for a program such as the NFS server is a security hole that can expose it to unwanted signals. (But see below.)
一般来说只有linux NFS server之类的服务需要显式的调用setfsuid和setfsgid等函数来改变用户和组id,用于没有相应的实际和有效的用户和组id文件权限,普通用户id的改变,对于类似NFS服务来说是一个安全漏洞,会把它暴露在不需要的信号下。
setfsuid() will only succeed if the caller is the superuser or if fsuid matches either the real user ID, effective user ID, saved set-user-ID, or the current value of fsuid.
setfsuid将仅仅在调用者是超级用户,或者fsuid跟实际用户id,有效用户id,保存设置用户id或者当前fsuid相匹配的情况下才会成功
On success, the previous value of fsuid is returned. On error, the current value of fsuid is returned.
在成功的时候,返回前一个fsuid的值,错误的话,返回当前fsuid的值
This system call is present in Linux since version 1.2.
这个系统调用在linux1.2之后才被实现
When glibc determines that the argument is not a valid user ID, it will return -1 and set errno to EINVAL without attempting the system call.
当glibc发现参数不是一个有效的用户id的时候会返回-1,将会直接返回EINVAL,而不会去尝试系统调用
Note that at the time this system call was introduced, a process could send a signal to a process with the same effective user ID. Today signal permission handling is slightly different.
记住这个系统调用介绍的时间,一个进程可以发送一个信号给另一个拥有相同有效用户id的进程,现在信号权限处理有稍微有一些不同
The original Linux setfsuid() system call supported only 16-bit user IDs. Subsequently, Linux 2.4 added setfsuid32() supporting 32-bit IDs. The glibc setfsuid() wrapper function transparently deals with the variation across kernel versions.
原始的linux setfsuid系统调用仅仅支持16字节的用户id,后来linux增加的setfsuid32来支持32字节的id,glibc的setfsuid封装函数透明的跟随kernel版本
No error messages of any kind are returned to the caller. At the very least, EPERM should be returned when the call fails (because the caller lacks the CAP_SETUID capability).
没有任何错误信息返回给调用者,知道最近,当调用失败后会返回EPERM
setfsuid - 为文件系统设置用户id
所需头文件
#include <unistd.h> /* glibc uses <sys/fsuid.h> */
int setfsuid(uid_t fsuid);
The system call setfsuid() sets the user ID that the Linux kernel uses to check for all accesses to the file system. Normally, the value of fsuid will shadow the value of the effective user ID. In fact, whenever the effective user ID is changed, fsuid will also be changed to the new value of the effective user ID.
系统调用setfsuid设置用户id,linux kernel检查文件系统的所有可能,一般来说,fsuid的值可能会预示有效用户id的值,实际上来说,不管用户有效id什么时候改变,fsuid都会跟随新的用户有效id的值
Explicit calls to setfsuid() and setfsgid(2) are usually only used by programs such as the Linux NFS server that need to change what user and group ID is used for file access without a corresponding change in the real and effective user and group IDs. A change in the normal user IDs for a program such as the NFS server is a security hole that can expose it to unwanted signals. (But see below.)
一般来说只有linux NFS server之类的服务需要显式的调用setfsuid和setfsgid等函数来改变用户和组id,用于没有相应的实际和有效的用户和组id文件权限,普通用户id的改变,对于类似NFS服务来说是一个安全漏洞,会把它暴露在不需要的信号下。
setfsuid() will only succeed if the caller is the superuser or if fsuid matches either the real user ID, effective user ID, saved set-user-ID, or the current value of fsuid.
setfsuid将仅仅在调用者是超级用户,或者fsuid跟实际用户id,有效用户id,保存设置用户id或者当前fsuid相匹配的情况下才会成功
On success, the previous value of fsuid is returned. On error, the current value of fsuid is returned.
在成功的时候,返回前一个fsuid的值,错误的话,返回当前fsuid的值
This system call is present in Linux since version 1.2.
这个系统调用在linux1.2之后才被实现
When glibc determines that the argument is not a valid user ID, it will return -1 and set errno to EINVAL without attempting the system call.
当glibc发现参数不是一个有效的用户id的时候会返回-1,将会直接返回EINVAL,而不会去尝试系统调用
Note that at the time this system call was introduced, a process could send a signal to a process with the same effective user ID. Today signal permission handling is slightly different.
记住这个系统调用介绍的时间,一个进程可以发送一个信号给另一个拥有相同有效用户id的进程,现在信号权限处理有稍微有一些不同
The original Linux setfsuid() system call supported only 16-bit user IDs. Subsequently, Linux 2.4 added setfsuid32() supporting 32-bit IDs. The glibc setfsuid() wrapper function transparently deals with the variation across kernel versions.
原始的linux setfsuid系统调用仅仅支持16字节的用户id,后来linux增加的setfsuid32来支持32字节的id,glibc的setfsuid封装函数透明的跟随kernel版本
No error messages of any kind are returned to the caller. At the very least, EPERM should be returned when the call fails (because the caller lacks the CAP_SETUID capability).
没有任何错误信息返回给调用者,知道最近,当调用失败后会返回EPERM
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
