The mysterious power of the effective user ID: How does it determine your system privileges?

In Unix-like operating systems, each user is identified by a value called a user identifier, often referred to simply as a user ID (UID). The UID, together with the group identifier (GID) and other access control criteria, determines which system resources the user can access. A key file maps textual usernames to UIDs.

UIDs are stored in the inodes of Unix file systems, in running processes, and in some obsolete network information services.

In a POSIX-compliant environment, use the shell command id to obtain the UID of the current user, as well as more information such as the username, primary user group, and GID.

Process attributes

The POSIX standard introduces three different UID fields in the process descriptor table so that privileged processes can assume different roles while dynamically increasing their privileges.

Effective user ID

The effective UID (euid) of a process is used for most permission checks and is also the owner of files created by the process. Likewise, the effective GID (egid) affects access control and may affect file creation, depending on the semantics of the kernel implementation. In BSD Unix semantics, the group ownership of newly created files is unconditionally inherited from the group ownership of the directory in which they are created.

File system user ID

Linux also has a file system user ID (fsuid), which is used explicitly for file system access control. This ID is usually equal to euid unless otherwise specified. fsuid can be root's user ID only if ruid, suid, or euid is root. Whenever euid changes, this change is propagated to fsuid.

Saved user ID

The saved user ID (suid) is used when a program running with elevated privileges needs to temporarily perform some work that does not require privileges: it changes its euid from the privileged value (usually 0) to some unprivileged value, while the privileged value is kept in suid. The program can later set its euid back to the value stored in suid, thereby restoring elevated privileges.

Real user ID

The real UID (ruid) and real GID (rgid) identify the real owner of the process and affect the permissions to send signals. A process without superuser privileges can only send a signal if the sender's ruid or euid matches the receiver's ruid or suid.
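
The temporary drop and restore described under "Saved user ID", as an added example that is not part of the original article. It assumes Linux or a BSD, where getresuid() is available; read_uids, run_with_euid and report_euid are names chosen for this example.

```c
#define _GNU_SOURCE            /* exposes getresuid() on glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Snapshot of the three POSIX UIDs of the calling process. */
struct uid_set { uid_t ruid, euid, suid; };

int read_uids(struct uid_set *u) {
    return getresuid(&u->ruid, &u->euid, &u->suid);
}

/* Run work() with euid temporarily set to `target`, then restore the
 * original euid. Returns 0 on success, -1 if any step fails or an ID
 * ends up different from what was requested. */
int run_with_euid(uid_t target, int (*work)(void), int *result) {
    struct uid_set before, during, after;

    if (read_uids(&before) != 0) return -1;
    if (seteuid(target) != 0) return -1;          /* never ignore this */
    if (read_uids(&during) != 0 || during.euid != target) return -1;

    *result = work();                             /* unprivileged part */

    /* Permitted for an unprivileged euid because the old value is still
     * held in ruid or suid. */
    if (seteuid(before.euid) != 0) return -1;
    if (read_uids(&after) != 0) return -1;
    return (after.euid == before.euid && after.ruid == before.ruid
            && after.suid == before.suid) ? 0 : -1;
}

/* Hypothetical workload: reports the euid it actually ran under. */
int report_euid(void) { return (int)geteuid(); }

int main(void) {
    struct uid_set u;
    int seen = -1;
    if (read_uids(&u) != 0) { perror("getresuid"); return 1; }
    printf("ruid=%d euid=%d suid=%d\n", (int)u.ruid, (int)u.euid, (int)u.suid);
    /* Dropping to ruid is a real drop only in a set-user-ID program. */
    if (run_with_euid(u.ruid, report_euid, &seen) != 0) {
        perror("run_with_euid");
        return 1;
    }
    printf("work ran with euid=%d, euid now %d\n", seen, (int)geteuid());
    return 0;
}
```

Because suid still holds the privileged value during the drop, any code running in the process can restore it; a permanent drop has to overwrite ruid, euid and suid together, for example with setresuid().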

Conventions

Type

POSIX requires UIDs to be of type integer, and most Unix-like operating systems represent UIDs as unsigned integers. The size of UID values varies between systems, with some UNIX systems using 15-bit values allowing values up to 32767, while systems like Linux (prior to version 2.4) support 16-bit UIDs up to 65536. Most modern Unix-like systems (such as Solaris 2.0 and Linux 2.4) have now moved to using 32-bit UIDs, bringing the number of available UIDs to 4,294,967,296.

The Linux Standard Base Core specification specifies that the UID value range 0 to 99 should be statically assigned by the system and should not be created by applications, while the UID range 100 to 499 should be dynamically assigned by the system administrator and post-installation scripts.

Special values

Normally, the superuser's UID is zero (0). UID -1 is reserved by POSIX to identify omitted parameters. UID 65535 is also retained, as the API error value returned by the 16-bit system calls.

Alternatives

NFSv4 is designed to avoid collisions of numeric identifiers by using the textual "user@domain" form of the name in protocol packets. However, as long as the operating system kernel and local file systems continue to use integer user identifiers, additional conversion steps are required, which can introduce unnecessary points of failure.

This brings us to the question: How does UID affect your security in the digital environment, and do you truly understand its role?
