setgid - set group identity
Required header files
#include <sys/types.h>
#include <unistd.h>
int setgid(gid_t gid);
setgid() sets the effective group ID of the calling process. If the caller is the superuser, the real GID and saved set-group-ID are also set.
Under Linux, setgid() is implemented like the POSIX version with the _POSIX_SAVED_IDS feature. This allows a set-group-ID program that is not set-user-ID-root to drop all of its group privileges, do some unprivileged work, and then reengage the original effective group ID in a secure manner.
On success, zero is returned. On error, -1 is returned, and errno is set appropriately.
EPERM The calling process is not privileged (does not have the CAP_SETGID capability), and gid does not match the real group ID or saved set-group-ID of the calling process.
The original Linux setgid() system call supported only 16-bit group IDs. Subsequently, Linux 2.4 added setgid32() supporting 32-bit IDs. The glibc setgid() wrapper function transparently deals with the variation across kernel versions.
setuid - set user identity
Required header files
#include <sys/types.h>
#include <unistd.h>
int setuid(uid_t uid);
setuid() sets the effective user ID of the calling process. If the effective UID of the caller is root, the real UID and saved set-user-ID are also set.
Under Linux, setuid() is implemented like the POSIX version with the _POSIX_SAVED_IDS feature. This allows a set-user-ID (other than root) program to drop all of its user privileges, do some un-privileged work, and then reengage the original effective user ID in a secure manner.
If the user is root or the program is set-user-ID-root, special care must be taken. The setuid() function checks the effective user ID of the caller and, if it is the superuser, all process-related user IDs are set to uid. After this has occurred, it is impossible for the program to regain root privileges.
Thus, a set-user-ID-root program wishing to temporarily drop root privileges, assume the identity of an unprivileged user, and then regain root privileges afterward cannot use setuid(). You can accomplish this with seteuid(2).
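The saved-ID behaviour described for setgid() and setuid() above, and the warning that a set-user-ID-root program cannot come back after setuid(), are exercised by the following added example (not code from the man page): it drops privileges permanently in the safe order and then proves, via getresuid(2)/getresgid(2) and a failing setuid(0), that no saved ID is left to regain root. The fallback target IDs (65534, "nobody") and the function names are the example's own choices.

```c
#define _GNU_SOURCE           /* for getresuid(2)/getresgid(2) */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
/* Drop privileges for good, in the order the page implies: supplementary
 * groups first (only root may change them), then the GID, then the UID last,
 * because once setuid() runs as root all three user IDs become uid and the
 * process can no longer change its group IDs. Returns 0, or -1 with errno.
 * For an already unprivileged caller passing its own IDs it is a no-op. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)  /* as root: real, effective and saved GID */
        return -1;
    if (setuid(uid) == -1)  /* as root: real, effective and saved UID */
        return -1;
    return 0;
}

/* Verify the drop: real, effective and saved IDs must all equal the target
 * (a leftover saved set-user-ID is what would let a later setuid() regain
 * root), and for a non-root target setuid(0) must now fail with EPERM. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) == -1 || getresgid(&rg, &eg, &sg) == -1)
        return 0;
    if (ru != uid || eu != uid || su != uid || rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0) {
        errno = 0;
        if (setuid(0) != -1 || errno != EPERM)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed target: "nobody" (65534) when run as root, else own IDs (no-op). */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges_permanently(uid, gid) == -1) { perror("drop"); return 1; }
    printf("privileges dropped: %s\n", privileges_dropped(uid, gid) ? "yes" : "NO");
    return 0;
}
```

Calling setuid() before setgid() would reverse the outcome: the now-unprivileged process keeps its original group IDs and the setgid() call fails with EPERM.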
On success, zero is returned. On error, -1 is returned, and errno is set appropriately.
EAGAIN The uid does not match the current uid and uid brings the process over its RLIMIT_NPROC resource limit.
EPERM The user is not privileged (Linux: does not have the CAP_SETUID capability) and uid does not match the real UID or saved set-user-ID of the calling process.
Linux has the concept of the file system user ID, normally equal to the effective user ID. The setuid() call also sets the file system user ID of the calling process. See setfsuid(2).
If uid is different from the old effective UID, the process will be forbidden from leaving core dumps.
The original Linux setuid() system call supported only 16-bit user IDs. Subsequently, Linux 2.4 added setuid32() supporting 32-bit IDs. The glibc setuid() wrapper function transparently deals with the variation across kernel versions.