Programming

I hava been reading AUPE these days. I really am puzzled with the presentation of real user(group) ID, effective user(group) ID. How do they effect on the execution of process? What's the relationship between them? Appreciate your help.

I doubt that I can explain it as well as Rich Stevens. But here is a brief and over-simplified description.

Let's say that you sign on as "lethefe". The login program will look up lethefe in /etc/passwd to get your uid, which we will say is 1000. So the login program sets the real, effective, and saved uid to be 1000.

This affects any processes that you run. For example you will not be able to write to /etc/passwd because you do not have permission.

So you want to change your password. To do that, you will run the passwd program. The passwd program has the setuid bit set. That causes the exec() system call to set the effective and saved uids to the owner of /usr/bin/passwd. The real uid is still 1000.

While the passwd program is running, it can write to /etc/passwd. So now you can change your password. But if you try to change, say, joeblow's password, it won't let you. The passwd program can look at your real uid and decide what you should be allowed to do.

The reason that the passwd program can write to the passwd file is that the effective uid is root.

So while you are running a suid program, your real uid is you. Your saved uid is whoever owned the program. The effective uid will start out also set to whoever owned the program. The program can switch the effective uid back and forth between the real and saved uids. This lets it decide which set of permissions it wants.

Do you mean that when the s-bit of the program is not set, the effective uid is the same as the real one(as me lethefe). however,even if the s-bit is set, my real uid would never change(always lethefe)? Isn't it ?

Remember that I said that I was over-simplifying things a bit.

If you are not running a suid program all 3 uids should be the same. And ideally your real uid will never change.

But all 3 can be affected by various system calls. And each version of unix is a little different in this area.

Posix has attempted to tame this situation. The sequence of events that I described is the Posix concept of how this should work. If a version of unix doesn't support the sequence that I described, it is not posix compliant.

But, for example, BSD has a system call that will swap the real and effective uids. HP-UX actually allows you to fiddle with all three uids. Older versions of BSD did not even have a saved-uid. It's this variety that makes things confusing.

Thanks for your guidence.