uids and gids

By Danny Kalev, ITworld |  How-to

This week, I will introduce two fundamental concepts of the Linux
process model: user ids (uid) and group ids (gid). Then, I will
show how to use the relevant library functions for setting and
retrieving these attributes.

A process is associated with a user id (uid) and a group id (gid). Uids
and gids are integers that the system maps to the corresponding user
names and group names listed in the /etc/passwd and /etc/group
files, respectively. The uid 0 is reserved for the system
administrator, or root. Security checks are disabled for processes with
this uid. Generally, a process has one uid and one gid associated with
it. However, in large projects where users of different groups access
the same files, this restriction can be limiting. The solution is to
assign supplemental groups to a process. Thus, a process may still have
a primary gid plus a set of supplemental groups. Consequently, security
checks that ensure that a process belongs to a specific group will
check whether it belongs to one of the supplemental groups. The
constant NGROUPS_MAX defined in holds the maximum number
of supplemental groups to which a process may belong.

Setting and Retrieving Supplemental Groups from a Program

The setgroups() syscall allows a process with root permissions to
assign supplemental groups to itself. Here's its prototype:

int setgroups(size_t n, const gid_t *glist);

The argument n specifies the number of supplemental groups, or
elements, in the array glist. The argument glist points to the
beginning of an array of gids that will serve as a list of supplemental
groups for the current process.

To obtain the list of all supplemental groups to which a process
belongs, use the getgroups() syscall. It has the following prototype:

int getgroups(int n, gid_t *glist);

The argument n specifies the maximum number of gids that the array
glist may contain. The function returns -1 in case of an error, or the
number of supplemental groups. As a special case, you can obtain the
number of supplemental groups without copying them into an array by
passing 0 as the first argument. In that case, the value returned from
getgroups() is the number of supplemental groups of the process.
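
The following C program is an added example, not code from the original article. It uses the getgroups() size query described above to allocate the array, checks membership against the result, and empties the list with setgroups(). The helper names fetch_groups, in_groups and clear_groups are hypothetical.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() */
#include <grp.h>            /* setgroups() */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>         /* getgroups() */

/* Fetch the caller's supplemental groups. Stores a malloc'd array in
 * *out (caller frees) and returns its length, or -1 on error. */
int fetch_groups(gid_t **out)
{
    *out = NULL;
    int n = getgroups(0, NULL);          /* n == 0: count only, no copy */
    if (n <= 0) return n;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (!list) return -1;
    n = getgroups(n, list);              /* second call fills the array */
    if (n < 0) { free(list); return -1; }
    *out = list;
    return n;
}

/* 1 if gid is a supplemental group of this process, 0 if not, -1 on error. */
int in_groups(gid_t gid)
{
    gid_t *list;
    int n = fetch_groups(&list), found = 0;
    if (n < 0) return -1;
    for (int i = 0; i < n && !found; i++) found = (list[i] == gid);
    free(list);
    return found;
}

/* Empty the supplemental group list and confirm it with getgroups().
 * Returns 0 on success, -1 on failure (EPERM without root privilege). */
int clear_groups(void)
{
    if (setgroups(0, NULL) != 0) return -1;
    return getgroups(0, NULL) == 0 ? 0 : -1;
}

int main(void)
{
    gid_t *list;
    int n = fetch_groups(&list);
    if (n < 0) { perror("getgroups"); return 1; }
    for (int i = 0; i < n; i++) printf("supplemental gid %ld\n", (long)list[i]);
    free(list);
    if (clear_groups() != 0) perror("setgroups");  /* expected when not root */
    return 0;
}
```

POSIX leaves it unspecified whether the effective gid appears in the list getgroups() returns, so in_groups() answers only for the supplemental list.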
