lending of permissions (setuid/setgid)

Jan Rusnak j000 at cyberspace.sk
Thursday June 30 09:35:12 CEST 2005


Tomas Ferster wrote:
> I would like to ask how the lending of owner and group permissions actually works. I have been trying it for quite a while and still cannot get anywhere. I am testing it like this: I have a small script owned by root that anyone can run, and lending is switched on with "chmod ug+s test". The script's job is to print the contents of a file that only root has access to. If I am logged in as root it of course works, but when I log in as a regular user it refuses to print the file because I do not have access. I do not know whether I have misunderstood what permission lending is supposed to provide, but I expected that when I run the script as a regular user, the script would, thanks to the lending of the owner's permissions, have the right to print the file that I as a user do not have access to.
> Thank you.
Each process has three user IDs: the real user ID (real
uid, or ruid), the effective user ID (effective uid, or
euid), and the saved user ID (saved uid, or suid). The
real uid identifies the owner of the process, the effective
uid is used in most access control decisions, and the saved
uid stores a previous user ID so that it can be restored
later. Similarly, a process has three group IDs: the
real group ID, the effective group ID, and the saved group
ID. In most cases, the properties of the group IDs parallel
the properties of their user ID counterparts. In Linux,
each process also has an fsuid and an fsgid, which are
used for access control to the filesystem.
The fsuid usually follows the value in the effective uid
unless explicitly set by the setfsuid system call. Similarly,
the fsgid usually follows the value in the effective
gid unless explicitly set by the setfsgid system call.

When a process is created by fork, it inherits the three
user IDs from its parent process. When a process executes
a new file by exec, it keeps its three user IDs unless
the set-user-ID bit of the new file is set, in which
case the effective uid and saved uid are assigned the user
ID of the owner of the new file.

Since access control is based on the effective user ID, a
process gains privilege by assigning a privileged user ID
to its effective uid, and drops privilege by removing the
privileged user ID from its effective uid. Privilege may
be dropped either temporarily or permanently.

-- 
JR
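As an added example (not part of the original thread), the C program below reads the real, effective and saved uids described above with getresuid(), then drops privilege temporarily with seteuid() and permanently with setresuid(), verifying each step; it assumes Linux with glibc. Note that Linux honours the set-user-ID bit only on binary executables, not on "#!" scripts, so a small setuid compiled wrapper like this is the usual way to observe the behaviour.

```c
#define _GNU_SOURCE          /* getresuid/setresuid are GNU extensions */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

struct ids { uid_t ruid, euid, suid; };

/* Snapshot of the three user IDs of the calling process. */
static struct ids get_ids(void) {
    struct ids id = {0, 0, 0};
    getresuid(&id.ruid, &id.euid, &id.suid);
    return id;
}

/* Temporary drop: euid becomes the real uid, the privileged id stays in suid. */
static int drop_privs_temporarily(void) {
    struct ids id = get_ids();
    if (seteuid(id.ruid) != 0) return -1;
    id = get_ids();
    return (id.euid == id.ruid) ? 0 : -1;   /* verify, never assume */
}

/* Restore: copy the saved uid back into the effective uid. */
static int restore_privs(void) {
    struct ids id = get_ids();
    if (seteuid(id.suid) != 0) return -1;
    id = get_ids();
    return (id.euid == id.suid) ? 0 : -1;
}

/* Permanent drop: all three ids become the real uid, so no restore is possible. */
static int drop_privs_permanently(void) {
    struct ids id = get_ids();
    if (setresuid(id.ruid, id.ruid, id.ruid) != 0) return -1;
    id = get_ids();
    return (id.ruid == id.euid && id.euid == id.suid) ? 0 : -1;
}

static void show(const char *label) {
    struct ids id = get_ids();
    printf("%-12s ruid=%u euid=%u suid=%u\n", label,
           (unsigned)id.ruid, (unsigned)id.euid, (unsigned)id.suid);
}

int main(void) {
    show("at start");            /* euid differs from ruid only if set-user-ID applied */
    if (drop_privs_temporarily() == 0) show("temp drop");
    if (restore_privs() == 0)          show("restored");
    if (drop_privs_permanently() == 0) show("perm drop");
    return 0;
}
```

Run it once as a plain binary and once after `chown root` and `chmod u+s` to see the effective and saved uids change while the real uid stays the invoking user's.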

