🐧 Linux - Process Credentials
Each process has a set of numeric user identifiers (UIDs) and group identifiers (GIDs) that determine what operations the process can perform.
- Real User ID (RUID)
- Real Group ID (RGID)
- Effective User ID (EUID)
- Effective Group ID (EGID)
- File System User ID (FSUID, Linux-specific)
- File System Group ID (FSGID, Linux-specific)
- Saved Set-User-ID (SUID)
- Saved Set-Group-ID (SGID)
- Supplementary Group IDs
These are sometimes called "process credentials."
The real IDs identify the user and group to which the process belongs. You can think of these as the actual user running the process.
The effective and supplementary IDs are used to determine the active privileges of the process. "Effectively" what the process can do.
Normally the real IDs and the effective IDs are the same. But they can diverge in two situations:
- Through execution of
set-user-id
andset-group-id
programs- A system call is used to change the effective user ID
The file system IDs are used to determine which files the process can access.
Normally, the effective and the file system IDs are the same. But they can diverge if file system IDs are changed using system calls. In practice, the existence of file system IDs rarely makes a difference.
Linux has a /proc/[PID]/status
file where you find all the process credentials:
# REAL EFF. SAVED FS
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
A privileged process is one whose effective user ID is 0 (root).
Saved Set-*-IDs
An executable file has two special permission flags:
the set-user-id
(aka. setuid) and set-group-id
(aka. setgid) bits.
chmod u+s prog # Turn on set-user-id permission bit
chmod g+s prog # Turn on set-group-id permission bit
When a set-user-id
program is run, the kernel sets the effective user ID of the process to be the same as the owner of the executable file. set-group-id
works similarly.
You might want to allow unprivileged users to run programs that need elevated privileges without actually giving users those privileges to do whatever.
The set-*-id
permission bits don't have any effect for shell scripts on Linux for security.
Initially, saved set-user-id and saved set-group-id are copied from the effective IDs. This happens regardless whether the executable file set-*-id
bits are on or off.
The saved IDs allow a process to regain the use of the initial effective IDs if they change them momentarily to the real ones while performing some tasks.
The saved set-*-ids are designed to be used with these
set-*-id
programs as the main reason why real and effective IDs would initially differ would be to run aset-*-id
flagged program.
A system program might need root privileges to do some operations but wants to be sure not to accidentally do something as root that it shouldn't so it momentarily drop its privileges.
Changing Process Credentials
When an unprivileged process calls setuid()
, only the effective user ID changes.
An unprivileged process can only change the effective user ID to the same value as either the real user ID (privileges of the user actually running stuff) or saved set-user-id (privileges that were active at the start).
When a privileged process executes setuid()
with a nonzero argument, the real user ID, effective user ID, and saved set-user-ID are all set to the same value.
And both work similarly for groups.
Sources
- The Linux Programming Interface, Michael Kerrisk