A process's user and group permissions are stored as several IDs.
uid:
real user ID, effective user ID, saved set-user-ID
gid:
real group ID, effective group ID, saved set-group-ID
As explained in section 4.4 of the previous chapter (Chapter 4, Files and Directories), the IDs associated with a process are as follows:
Real user ID: identifies who we really are; it is usually taken from the password file when the user logs in.
Effective user ID: mainly used to check the process's access permissions on files.
Saved set-user-ID: a copy of the effective user ID, saved when a program is executed.
Setting the real user ID and effective user ID/group ID
SYNOPSIS
#include <sys/types.h>
#include <unistd.h>
int setuid(uid_t uid);
DESCRIPTION
setuid() sets the effective user ID of the calling process. If the effective UID of the caller is root (more precisely: if the caller has the CAP_SETUID capability), the real UID and saved set-user-ID are also set.
That is, setuid() sets the effective user ID; if the caller is the superuser (root), the real user ID and the saved set-user-ID are set as well.
Ways to change the three user IDs: exec and setuid(uid)
Swapping the real user ID and effective user ID
Setting the effective user ID/group ID
Functions that set the various IDs, for the superuser (root) and for unprivileged users
setuid() experiment: which user performs which operation
mhr@ubuntu:~/Desktop/xitongbiancheng/test$ ./a.out 0 cat /etc/shadow
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/wait.h>

int main(int argc, char *argv[])
{
    pid_t pid;

    if (argc < 3)   // at least three arguments
    {
        fprintf(stderr, "Usage: ...\n");
        exit(1);
    }
    fflush(NULL);
    pid = fork();
    if (pid < 0)
    {
        perror("fork()");
        exit(1);
    }
    else if (pid == 0)  // child
    {
        // Set the user ID (0 is root); this only works if the executable is run with root privileges
        if (setuid(atoi(argv[1])) < 0)
        {
            // Do not run the command under the old IDs if the switch failed
            perror("setuid()");
            exit(1);
        }
        fflush(NULL);
        execvp(argv[2], argv + 2);  // variable number of arguments, so use execvp()
        perror("execvp");
        exit(1);
    }
    wait(NULL);
    exit(0);
}
root@ubuntu:/home/mhr/Desktop/xitongbiancheng/test# ./a.out 0 cat /etc/shadow
This works only when the executable is run with root privileges.
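An added example, not part of the original notes: it reads the real, effective and saved set-user-ID with getresuid() around the setuid() call and accepts the switch only when all three IDs equal the target and the old effective ID can no longer be restored. It assumes Linux with glibc; struct ids, current_ids(), drop_to() and drop_in_child() are hypothetical names.

```c
#define _GNU_SOURCE   /* getresuid() is a Linux/glibc extension */
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

int getresuid(uid_t *r, uid_t *e, uid_t *s);   /* same prototype as glibc's */
struct ids { uid_t r, e, s; };   /* real, effective, saved set-user-ID */

static struct ids current_ids(void)
{
    struct ids i;
    if (getresuid(&i.r, &i.e, &i.s) < 0) { perror("getresuid"); exit(2); }
    return i;
}

/* Switch to `target` for good; returns 0 only when the switch is verified. */
static int drop_to(uid_t target)
{
    struct ids before = current_ids(), after;
    if (setuid(target) < 0) { perror("setuid"); return -1; }
    after = current_ids();
    /* A non-root caller changes only the effective ID, so check all three. */
    if (after.r != target || after.e != target || after.s != target) return -1;
    /* Having left another effective ID, switching back must now fail. */
    if (before.e != target && setuid(before.e) == 0) return -1;
    return 0;
}

/* Do the switch in a child, as the page's program does; 0 means verified. */
static int drop_in_child(uid_t target)
{
    int status;
    fflush(NULL);
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return -1; }
    if (pid == 0) {
        int rc = drop_to(target);
        struct ids i = current_ids();
        printf("child: real=%u eff=%u saved=%u %s\n", i.r, i.e, i.s, rc ? "NOT dropped" : "verified");
        exit(rc ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char *argv[])
{
    return drop_in_child(argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid());
}
```

Run as root with a non-zero UID argument, the child reports all three IDs changed. setuid() does not touch the group IDs, which have to be changed separately.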
Interpreter file
An interpreter file is essentially a script file whose first line has the form:
#! pathname [optional-argument]
A common first line for interpreter files is, for example:
#! /bin/sh
An interpreter file does not need any particular file name suffix, for example:
p.exec
#! /bin/bash
ls
cat /etc/shadow
ps
mhr@ubuntu:~/Desktop/xitongbiancheng/test$
mhr@ubuntu:~/Desktop/xitongbiancheng/test$ chmod u+x p.exec // give the file execute permission (x)
mhr@ubuntu:~/Desktop/xitongbiancheng/test$
mhr@ubuntu:~/Desktop/xitongbiancheng/test$
mhr@ubuntu:~/Desktop/xitongbiancheng/test$ ls -l p.exec
-rwxrw-r-- 1 mhr mhr 37 Feb 21 22:51 p.exec
mhr@ubuntu:~/Desktop/xitongbiancheng/test$
mhr@ubuntu:~/Desktop/xitongbiancheng/test$ ./p.exec
a.out p.exec test.c TEST_FILE wait.c
cat: /etc/shadow: Permission denied
PID TTY TIME CMD
7179 pts/2 00:00:00 bash
7671 pts/2 00:00:00 bash
7700 pts/2 00:00:00 p.exec
7703 pts/2 00:00:00 ps
mhr@ubuntu:~/Desktop/xitongbiancheng/test$
That is, /bin/bash is executed, and /bin/bash interprets the remaining lines of the file:
ls
cat /etc/shadow
ps