{"id":468,"date":"2020-08-18T19:23:47","date_gmt":"2020-08-18T20:23:47","guid":{"rendered":"http:\/\/www.linux-tutorial.info\/?page_id=77"},"modified":"2020-08-22T19:26:01","modified_gmt":"2020-08-22T20:26:01","slug":"this-is-the-page-title-toplevel-301","status":"publish","type":"page","link":"http:\/\/www.linux-tutorial.info\/?page_id=468","title":{"rendered":"Identifiers"},"content":{"rendered":"\n<title>Identifiers<\/title>\n<p>\nLinux, like all Unix <sup><font size=-4><tt>T<\/tt>M<\/font><\/sup>, uses user and group identifiers to check for\naccess rights to files and images in the system.\nAll of the files in a Linux system have ownerships and permissions; these\npermissions describe what access the system&#8217;s users have to that file or directory.\nBasic permissions are <em>read<\/em>, <em>write<\/em> and <em>execute<\/em> and are assigned to\nthree classes of user: the owner of the file, processes belonging to a particular\ngroup and all of the processes in the system.\nEach class of user can have different permissions; for example, a file could have permissions\nwhich allow its owner to read and write it, the file&#8217;s group to read it and\nall other processes in the system to have no access at all.\n<p>\nGroups are Linux&#8217;s way of assigning privileges to files and directories for a group\nof users rather than to a single user or to all processes in the system.\nYou might, for example, create a group for all of the users in a software project\nand arrange it so that only they could read and write the source code for the\nproject.\nA process can belong to several groups (a maximum of 32 is the default) and these\nare held in the <tt>groups<\/tt> vector in the <tt>task_struct<\/tt> for each process.\nSo long as a file has access rights for one of the groups that a\nprocess belongs to, that process will have appropriate group access rights\nto that file.\n<p>\nThere are four pairs of process and group identifiers held in a 
process&#8217;s\n<tt>task_struct<\/tt>:\n<dl compact>\n<p>\n\t<dt><b>uid, gid<\/b><\/dt><dd> The user identifier and group identifier of the user that\n\t\tthe process is running on behalf of.\n\t<dt><b>effective uid and gid<\/b><\/dt><dd> There are some programs which change the uid\n\t\tand gid from that of the executing process into their own (held as\n\t\tattributes in the VFS inode describing the executable image).  These\n\t\tprograms are known as <em>setuid<\/em> programs and they are useful because\n\t\tthey are a way of restricting access to services, particularly those\n\t\tthat run on behalf of someone else, for example a network daemon.\n\t\tThe effective uid and gid are those from the setuid program and\n\t\tthe uid and gid remain as they were.  The kernel checks the effective\n\t\tuid and gid whenever it checks for privilege rights.\n\t<dt><b>file system uid and gid<\/b><\/dt><dd> These are normally the same as the effective uid\n\t\tand gid and are used when checking file system access rights.\n\t\tThey are needed for NFS-mounted filesystems where the user-mode NFS server\n\t\tneeds to access files as if it were a particular process.  In this case\n\t\tonly the file system uid and gid are changed (not the effective uid and\n\t\tgid).  
This avoids a situation where malicious users could send a\n\t\tkill signal to the NFS server.\n\t\tKill signals are delivered to processes with a particular effective uid and gid.\n\t<dt><b>saved uid and gid<\/b><\/dt><dd> These are mandated by the POSIX standard and are used by\n\t\tprograms which change the process&#8217;s uid and gid via system calls.\n\t\tThey are used to save the real uid and gid during the time that the original\n\t\tuid and gid have been changed.\n<\/dl>\n<p>\n","protected":false},"excerpt":{"rendered":"<p>Identifiers Linux, like all Unix TM&nbsp;uses user and group identifiers to check for access rights to files and images in the system. 
All of the files in a Linux system have ownerships and permissions, these permissions describe what access the &hellip; <a href=\"http:\/\/www.linux-tutorial.info\/?page_id=468\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-468","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/pages\/468","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=468"}],"version-history":[{"count":1,"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/pages\/468\/revisions"}],"predecessor-version":[{"id":578,"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/pages\/468\/revisions\/578"}],"wp:attachment":[{"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=468"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}