A usage of setuid?


Problem description

I read a Powerpoint slide recently, and can't get a clear concept about the usage of setuid. Here is the content of the slide.

Setuid example - printing a file

  • Goals
    • Every user can queue files
    • Users cannot delete other users' files
    • Queue directory owned by user printer
    • Setuid queue-file program
      • Creates the queue file as user printer
      • Copies joe's data as user joe
      • Only allows deleting files you queued

Here are my questions. I don't have a clear understanding how to solve this problem by "setuid".

1. First, if the file is created by user printer, how can user joe copy data into a file owned by printer? Does it have some right to this file?
2. Second, how is the relationship between you and the files you queued identified?
3. Does the file status show something? But the file is owned by printer and can only be changed by root. Is it related to the gid of the file? If so, the gids of other users may also be related to this file.
4. Does the context of the file show information about who queued it?

My questions are a mess, and I really don't have a clear concept about the solution.

Recommended answer

Let's assume that the files are to be stored in /var/spool/pq directory; the permissions on the directory printer:printgrp:2700 (owner printer, group printgrp, mode 2700 - read, write, execute for owner only, and the SGID bit set on the directory means all files created in it will belong to group printgrp).

Further, we assume that the print queuing program, pq, has permissions printer:printgrp:4511 (setuid printer, anyone can execute it, but only printer or root can look at it).

Now, suppose Joe runs pq /home/joe/file, and the permissions on the file are joe:staff:600 (only Joe can read or write to the file). Joe's umask is set to 022 (though this file has more restrictive permissions than are implied by the umask).

When the program runs, the real UID of the process is joe, but the effective UID is printer. Since there is no need for setgid operation here, both the real and effective GID are staff. Joe's auxiliary groups list does not include printgrp.

Note that it is the effective UID and GID of a process that control its access to files. On his own, Joe cannot see what jobs are in the printer queue; the directory permissions shown don't even allow him to list the files, or access the files in the directory. Note that the converse applies; on its own, the printer user (or the pq program running as that user) cannot access Joe's file.

The pq program can create files in the printer queue directory; it will probably create two files for this request. One will be a control file, the other will be a copy of the file to be printed. It will determine a job number by some mechanism (say 12345) and it might create and open two files for writing (with restrictive permissions - 0600 or even 0400):

• /var/spool/pq/c.12345 - the control file
• /var/spool/pq/d.12345.1 - the first (only) data file

It should then reset its effective UID to the real UID, so it is running as Joe. It can then open the file Joe asked to be printed, and copy it to the data file. It can also write whatever information it deems relevant to the control file (date, time, who submitted the request, the number of files to be printed, special printing options, etc). When it closes those files, Joe is no longer able to access them. But the program was able to copy Joe's file to its print queue.

So, that addresses questions 1 (permissions) and 2 (control information), and also 4 (control information again).

Regarding question 3, root is always a wild card on Unix-like systems because he can do anything that he wants. However, as suggested by the rest of the answer, the control file contains information about the print request, including (in particular) who submitted it. You can use setgid programs instead of setuid programs; these work in analogous ways. However, under the system I postulated, the group permissions essentially didn't come into the picture. The pq program set the permissions on the control file and data file such that the group can't read it, and the directory permissions also deny group access.

We can postulate two more programs:

• pqs - printer queue status
• pqr - printer queue remove

These programs would also be setuid printer. The pqs program can read the control files in the directory and list pertinent information from them. The pqr program can read the control files to ensure that Joe submitted job 12345 when he requests the removal of job 12345. If the program is satisfied, then it can delete the files.

Separately from these user-invoked programs, there would also be a daemon program (conventionally named pqd in this system) that would be kicked into action by pq if it is not already running. It would be responsible for reading the control files in the directory, and using that information to actually print the data files to the relevant printer. The details of how different printers and different data formats are handled are a problem for the daemon to deal with. The daemon too will run with printer privileges, and printer will have been given access to the printer devices (for locally attached printers) or configured to communicate over the network with a protocol such as IPP (Internet Printer Protocol). Joe probably won't be able to use the printer devices directly.

Note that the setuid programs have powers that Joe does not have. They must be written carefully to ensure that Joe cannot abuse those extra powers. Any setuid program is somewhat dangerous; a setuid root program can be lethal. In general, setgid programs are less dangerous. However, for both types of program, great care is required in the writing of such programs.
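The pq and pqr steps the answer lays out, as an added C example written for this page (it is not code from the original answer or from any real spooler; the names pq_enqueue, pq_remove, pq_demo and the uid=/file=/files= control-file layout are assumptions). It follows the answer's order: create the spool files while the effective UID is still printer, set the effective UID back to the real UID before opening the user's file so the kernel's own permission check runs as the caller, then record the submitter's real UID in the control file; pqr's check refuses to remove a job whose control file names a different submitter:

```c
/* Added example (not code from the original answer): a sketch of the pq and
 * pqr steps the answer describes. pq_enqueue, pq_remove, pq_demo and the
 * control-file layout (uid=/file=/files= lines) are this example's assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy every byte from in_fd to out_fd; 0 on success, -1 on any I/O error. */
static int copy_fd(int in_fd, int out_fd) {
    char buf[4096];
    ssize_t n, off, w;
    while ((n = read(in_fd, buf, sizeof buf)) > 0)
        for (off = 0; off < n; off += w)
            if ((w = write(out_fd, buf + off, (size_t)(n - off))) < 0) return -1;
    return n < 0 ? -1 : 0;
}

/* Spool-file names for a job, as in the answer: c.<job> and d.<job>.1. */
static void job_paths(const char *dir, long job, char *c, char *d, size_t len) {
    snprintf(c, len, "%s/c.%ld", dir, job);
    snprintf(d, len, "%s/d.%ld.1", dir, job);
}

/* pq: queue user_file as job job_no, in the order the answer gives.
 * 1. While the effective UID is still printer, create both spool files with
 *    mode 0600 (O_EXCL: a reused job number is an error, never a clobber).
 * 2. Set the effective UID back to the real UID before opening the user's
 *    file, so the kernel's permission check on it runs as the caller.
 * 3. Copy the data and record the real UID that submitted the job.
 * On failure, regain the saved printer UID only to unlink the half-made job. */
int pq_enqueue(const char *spool_dir, const char *user_file, long job_no) {
    char cpath[1024], dpath[1024], ctl[1200];
    int cfd, dfd, ufd = -1, rc = -1, len;
    uid_t real_uid = getuid(), priv_uid = geteuid();
    job_paths(spool_dir, job_no, cpath, dpath, sizeof cpath);
    if ((cfd = open(cpath, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    if ((dfd = open(dpath, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) {
        close(cfd); unlink(cpath); return -1;
    }
    if (seteuid(real_uid) != 0) goto out;                      /* privilege drop failed */
    if ((ufd = open(user_file, O_RDONLY)) < 0 || copy_fd(ufd, dfd) != 0) goto out;
    len = snprintf(ctl, sizeof ctl, "uid=%ld\nfile=%s\nfiles=1\n", (long)real_uid, user_file);
    if (len < 0 || (size_t)len >= sizeof ctl || write(cfd, ctl, (size_t)len) != len) goto out;
    rc = 0;
out:
    if (ufd >= 0) close(ufd);
    close(cfd); close(dfd);
    if (rc != 0 && seteuid(priv_uid) == 0) { unlink(cpath); unlink(dpath); }
    return rc;
}

/* pqr: remove job job_no only if its control file records the caller's real
 * UID as the submitter. Returns 0 on success, -1 if missing or not yours. */
int pq_remove(const char *spool_dir, long job_no) {
    char cpath[1024], dpath[1024], line[256];
    long owner = -1; FILE *cf;
    job_paths(spool_dir, job_no, cpath, dpath, sizeof cpath);
    if (!(cf = fopen(cpath, "r"))) return -1;
    while (fgets(line, sizeof line, cf))
        if (sscanf(line, "uid=%ld", &owner) == 1) break;
    fclose(cf);
    if (owner < 0 || (uid_t)owner != getuid()) return -1;      /* somebody else's job */
    return (unlink(dpath) == 0 && unlink(cpath) == 0) ? 0 : -1;
}

/* Walk the scenario in a throwaway spool directory (run unprivileged, so seteuid()
 * is a no-op). Returns 0 if every step behaves as the answer describes, else the step. */
int pq_demo(void) {
    char dir[64], ufile[128], cpath[1024], dpath[1024], got[64] = {0};
    const char *payload = "constructed sample print job\n";   /* constructed input */
    FILE *f;
    snprintf(dir, sizeof dir, "/tmp/pqdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 1;
    snprintf(ufile, sizeof ufile, "%s/joe.txt", dir);
    if (!(f = fopen(ufile, "w"))) return 2;
    fputs(payload, f); fclose(f);
    if (pq_enqueue(dir, ufile, 12345) != 0) return 3;          /* Joe queues his file */
    if (pq_enqueue(dir, ufile, 12345) == 0) return 4;          /* reused job number refused */
    job_paths(dir, 12345, cpath, dpath, sizeof cpath);
    if (!(f = fopen(dpath, "r"))) return 5;
    if (fread(got, 1, sizeof got - 1, f) == 0) { fclose(f); return 6; }
    fclose(f);
    if (strcmp(got, payload) != 0) return 7;                   /* copy is intact */
    job_paths(dir, 99, cpath, dpath, sizeof cpath);            /* a job another user queued */
    if (!(f = fopen(cpath, "w"))) return 8;
    fprintf(f, "uid=%ld\nfile=x\nfiles=1\n", (long)getuid() + 1); fclose(f);
    if (pq_remove(dir, 99) == 0) return 9;                     /* not Joe's job: refused */
    unlink(cpath);
    if (pq_remove(dir, 12345) != 0) return 10;                 /* Joe removes his own job */
    job_paths(dir, 12345, cpath, dpath, sizeof cpath);
    if (access(cpath, F_OK) == 0 || access(dpath, F_OK) == 0) return 11;
    unlink(ufile);
    return rmdir(dir) == 0 ? 0 : 12;
}
```

Compiled and run as an ordinary user, pq_demo() exercises the whole flow in a temporary directory where the seteuid() calls change nothing; installed as a setuid printer binary, the same two calls are what switch between the printer and the caller. Two details worth noticing: the spool files are opened with O_EXCL so a reused job number fails instead of overwriting another user's queued job, and after the drop the program never re-checks permissions itself, it simply lets open() on the user's file succeed or fail under the caller's own identity.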
