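I had read some material on this, but I did not understand it deeply and soon forgot it. This article explains it very thoroughly, so I am noting it down here first.
Each UNIX process has 3 UIDs associated with it. Superuser privilege is UID=0.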
Real UID
--------
This is the UID of the user/process that created THIS process. It can be changed only if the running process has EUID=0.
Effective UID
-------------
This UID is used to evaluate privileges of the process to perform a particular action. EUID can be changed to either RUID or SUID if EUID!=0. If EUID=0, it can be changed to anything.
Saved UID
---------
If the binary image file that was launched has the Set-UID bit on, SUID will be the UID of the owner of the file. Otherwise, SUID will be the RUID.
What is the idea behind this?
Normal programs, like "ls", "cat", "echo", will be run by a normal user, under that user's UID. Special programs that allow a user to have controlled access to protected data can have the Set-UID bit set to allow the program to be run under a privileged UID.
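
The temporary-drop, regain and permanent-drop pattern that these three UIDs make possible, as an added example that is not part of the original article. It assumes Linux/glibc for getresuid()/setresuid(), and the function names are hypothetical. Run from a normal binary all three UIDs are already equal, so every call succeeds without changing anything; the transitions become visible when the binary has the Set-UID bit.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* glibc: expose getresuid()/setresuid() */
#endif
#include <stdio.h>
#include <unistd.h>

/* Repeated so the file builds even if _GNU_SOURCE took effect too late. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Temporary drop: EUID := RUID. SUID is untouched, so the privileged
 * identity can be taken back later. Returns 0 on success. */
int drop_temporarily(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0 || seteuid(r) != 0)
        return -1;
    return geteuid() == r ? 0 : -1;
}

/* Regain: EUID := SUID, permitted because SUID still holds that UID. */
int regain(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0 || seteuid(s) != 0)
        return -1;
    return geteuid() == s ? 0 : -1;
}

/* Permanent drop: set all three IDs to RUID, then read them back to
 * confirm no privileged UID is left behind in SUID. */
int drop_permanently(void)
{
    uid_t r, e, s, target = getuid();
    if (setresuid(target, target, target) != 0 || getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == target && e == target && s == target) ? 0 : -1;
}

int main(void)
{
    uid_t r, e, s;
    if (drop_temporarily() != 0 || regain() != 0 || drop_permanently() != 0)
        return 1;
    if (getresuid(&r, &e, &s) != 0)
        return 1;
    printf("ruid=%u euid=%u suid=%u\n", (unsigned)r, (unsigned)e, (unsigned)s);
    return 0;
}
```

After drop_permanently() succeeds, a later seteuid() back to the file owner's UID is refused for a non-root RUID, because neither RUID nor SUID holds that UID any more.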

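Every UNIX process is associated with three UIDs: Real UID, Effective UID and Saved UID. The Real UID is the ID of the user that created the process and can be changed only when EUID is 0. The Effective UID is used to evaluate the process's privileges to perform a particular action and can be changed to the RUID or the SUID. The Saved UID holds the UID of the owner of a file that has the Set-UID bit set. This mechanism allows special programs such as 'passwd' to run with restricted privilege in order to access protected data safely.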



