|
Setgid
The Unix and Linux access rights flags setuid and setgid (short for ''set user identity'' and ''set group identity'') allow users to run an executable with the file system permissions of the executable's owner or group respectively and to change behaviour in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific. The flags setuid and setgid are needed for tasks that require different privileges than what the user is normally granted, such as the ability to alter system files or databases to change their login password. Some of the tasks that require additional privileges may not immediately be obvious, though, such as the ping command, which must send and listen for control packets on a network interface. File modes The setuid and setgid bits are normally represented as ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
File System Permissions
Typically, a file system maintains permission settings for each stored item commonly files and directories that either grant or deny the ability to manipulate file system items. Often the settings allow controlling access based on function such as read, change, navigate, and execute and to different users and groups of users. One well-established technology was developed for Unix and later codified by POSIX. Another common technology is an access-control list (ACL) with multiple variants implemented in file systems and one codified by POSIX. Since POSIX defines both the older Unix-based technology as well as ACLs, the former is called ''traditional POSIX permissions'' for clarity even though it is not a well-known term. A permission-driven user interface tailors the functionality available to the user based on file system item permissions. For example, the interface might hide menu options that are not allowed based on the permissions stored for an item. Examples File sy ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Group Identifier
In Unix-like systems, multiple users can be put into '' groups''. POSIX and conventional Unix file system permissions are organized into three classes, ''user'', ''group'', and ''others''. The use of groups allows additional abilities to be delegated in an organized fashion, such as access to disks, printers, and other peripherals. This method, among others, also enables the superuser to delegate some administrative tasks to normal users, similar to the ''Administrators'' group on Microsoft Windows NT and its derivatives. A group identifier, often abbreviated to GID, is a numeric value used to represent a specific group. The range of values for a GID varies amongst different systems; at the very least, a GID can be between 0 and 32,767, with one restriction: the login group for the superuser must have GID 0. This numeric value is used to refer to groups in the /etc/passwd and /etc/group files or their equivalents. Shadow password files and Network Information Service also re ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Umask
umask is a shell command that reports or sets the mask value that limits the file permissions for newly created files in many Unix and Unix-like file systems. A system call with the same name, , provides access to the mask value stored in the operating system (OS), and the command provides shell user access to the system call. Additionally, the mask value, formally ''file mode creation mask'', is often referred to as the ''umask''. When a new file is created, its access permissions are restricted by the stored umask mask value. The file's permission bits that each grant access are cleared by corresponding bits of the mask that are set. Set bits of the mask disallow the permission and clear bits of the mask allow the permission. The otherwise default value of a file's permissions is defined elsewhere. The mask just prevents corresponding bits of the default. The mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set strips away ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Chmod
is a shell command for changing access permissions and special mode flags of files (including special files such as directories). The name is short for ''change mode'' where ''mode'' refers to the permissions and flags collectively. The command originated in AT&T Unix version 1 and was exclusive to Unix and Unix-like operating systems until it was ported to other operating systems such as Windows (in UnxUtils) and IBM i. In Unix and Unix-like operating systems, a system call with the same name as the command, , provides access to the underlying access control data. The command exposes the capabilities of the system call to a shell user. As the need for enhanced file-system permissions grew, access-control lists were added to many file systems to augment the modes controlled via . The implementation of bundled in GNU coreutils was written by David MacKenzie and Jim Meyering. Use Although the syntax of the command varies somewhat by implementation, it generally acc ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Unix
Unix (, ; trademarked as UNIX) is a family of multitasking, multi-user computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and others. Initially intended for use inside the Bell System, AT&T licensed Unix to outside parties in the late 1970s, leading to a variety of both academic and commercial Unix variants from vendors including University of California, Berkeley ( BSD), Microsoft (Xenix), Sun Microsystems ( SunOS/ Solaris), HP/ HPE ( HP-UX), and IBM ( AIX). The early versions of Unix—which are retrospectively referred to as " Research Unix"—ran on computers such as the PDP-11 and VAX; Unix was commonly used on minicomputers and mainframes from the 1970s onwards. It distinguished itself from its predecessors as the first portable operating system: almost the entire operating system is written in the C programming language (in 1973), which allows U ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Shared Libraries
In computing, a library is a collection of resources that can be leveraged during software development to implement a computer program. Commonly, a library consists of executable code such as compiled functions and classes, or a library can be a collection of source code. A resource library may contain data such as images and Text string, text. A library can be used by multiple, independent consumers (programs and other libraries). This differs from resources defined in a program which can usually only be used by that program. When a consumer uses a library resource, it gains the value of the library without having to implement it itself. Libraries encourage software reuse in a Modular programming, modular fashion. Libraries can use other libraries resulting in a hierarchy of libraries in a program. When writing code that uses a library, a programmer only needs to know how to use it not its internal details. For example, a program could use a library that Abstraction (comp ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Unix Security
Unix security refers to the means of securing a Unix or Unix-like operating system. Design concepts Permissions A core security feature in these systems is the file system permissions. All files in a typical Unix filesystem have permissions set enabling different access to a file. Unix permissions permit different users access to a file with different privilege (e.g., reading, writing, execution). Like users, different ''user groups'' have different permissions on a file. User groups Many Unix implementations add an additional layer of security by requiring that a user be a member of the ''wheel'' user privileges group in order to access the su command. Root access Most Unix and Unix-like systems have an account or group which enables a user to exact complete control over the system, often known as a root account. If access to this account is gained by an unwanted user, this results in a complete breach of the system. A root account however is necessary for administrative p ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
PolicyKit
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit allows a level of control of centralized system policy. It is developed and maintained by David Zeuthen from Red Hat and hosted by the freedesktop.org project. It is published as free software under the terms of version 2 of the GNU Lesser General Public License. Since version 0.105, released in April 2012, the name of the project was changed from ''PolicyKit'' to ''polkit'' to emphasize that the system component was rewritten and that the API had changed, breaking backward compatibility. Fedora became the first distribution to include PolicyKit, and it has since been used in other distributions, including Ubuntu since version 8.04 and openSUSE since version 10.3. Some distributions, like Fedora, have already switched to the rewritten polkit. It is also possible ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Confused Deputy Problem
In information security, a confused deputy is a computer program that is tricked by another program (with fewer privileges or less rights) into misusing its authority on the system. It is a specific type of privilege escalation. The confused deputy problem is often cited as an example of why capability-based security is important. Capability systems protect against the confused deputy problem, whereas access-control list–based systems do not. Example In the original example of a confused deputy, there was a compiler program provided on a commercial timesharing service. Users could run the compiler and optionally specify a filename where it would write debugging output, and the compiler would be able to write to that file if the user had permission to write there. The compiler also collected statistics about language feature usage. Those statistics were stored in a file called "(SYSX)STAT", in the directory "SYSX". To make this possible, the compiler program was given permi ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Sudo
() is a shell (computing), shell command (computing), command on Unix-like operating systems that enables a user to run a program with the security privileges of another user, by default the superuser. It originally stood for "superuser do", as that was all it did, and this remains its most common usage; however, the official Sudo project page lists it as "su 'do. The current Linux manual pages define as "substitute user", making the correct meaning of "substitute user, do", because can run a command as other users as well. Unlike the similar command Su (Unix), su, users must, by default, supply their own password for authentication, rather than the password of the target user. After authentication, and if the configuration file (typically #Configuration, /etc/sudoers) permits the user access, the system invokes the requested command. The configuration file offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password p ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Process Identifier
In computing, the process identifier (a.k.a. process ID or PID) is a number used by most operating system kernel (operating system), kernels—such as those of Unix, macOS and Windows—to uniquely identify an active Process (computing), process. This number may be used as a parameter in various function calls, allowing processes to be manipulated, such as adjusting the process's priority or kill (command), killing it altogether. Unix-like In Unix-like operating systems, new processes are created by the Fork (operating system), fork() system call. The PID is returned to the parent process, enabling it to refer to the child in further function calls. The parent may, for example, wait for the child to terminate with the waitpid() function, or terminate the process with kill(). There are two tasks with specially distinguished process IDs: PID 0 is used for ''swapper'' or ''sched'', which is part of the kernel and is a process that runs on a CPU core whenever that CPU core has not ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
User Identifier
Unix-like operating systems identify a user by a value called a user identifier, often abbreviated to user ID or UID. The UID, along with the group identifier (GID) and other access control criteria, is used to determine which system resources a user can access. The Passwd (file), password file maps textual user names to UIDs. UIDs are stored in the inodes of the Unix file system, running processes, tar archives, and the now-obsolete Network Information Service. In POSIX-compliant environments, the shell command id gives the current user's UID, as well as more information such as the user name, primary user group and group identifier (GID). Process attributes The POSIX standard introduced three different UID fields into the process descriptor table, to allow privileged processes to take on different roles dynamically: Effective user ID The effective UID (euid) of a process is used for most access checks. It is also used as the owner for files created by that process. The effectiv ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
