getuid,setuid函数

[linux]编程 getuid,setuid函数（转载自http://sunny-day.blogbus.com/logs/1）
   
  在linux中每个进程有三个[实际上有第4个]用户标识符.
  real uid : 真实用户ID.
  saved uid : 已保存用户ID
  effective uid : 有效用户ID
  真实用户ID(real uid)是login时的用户.而在运行过程中,
用于所有的安全检查的是有效用户ID(effective uid).
一般情况下:
  real uid = saved uid = effective uid

  在某些场合下,使用用setuid,setruid函数可以改变effective uid,从而
使得程序运行时具有特殊的权限.常见的例子是linux系统中的passwd命令,
由于所有的用户信息包括用户密码都保存在/etc/passwd文件中,而/etc/passwd
文件只有root权限可以读写,若想让每个用户都只可以修改自己的密码,就必须
让普通用户暂时获得有限的读写/etc/passwd的权限.用setuid就可以解决这个
问题.

Linux setuid(uid)函数:
  (1)如果由普通用户调用,将当前进程的有效ID设置为uid.
  (2)如果由有效用户ID符为0的进程调用,则将真实,有效和已保存用户ID都设
  置为uid.
Linux的setuid函数和Unix中的setuid函数的行为是不同的.
Unix中.setuid(uid)函数的行为:
  (1)如果进程没有超级用户特权,且uid等于实际用户ID或已保存用户ID,则只
  将有效的用户ID设置为uid.否则返回错误.
  (2)如果进程是有超级用户特权,则将真实,有效和
  已保存用户表示符都设置为uid.

  这里主要的区别在于普通用户调用时的行为.产生这个问题的原因是POSIX和
BSD的实现差异,而linux却同时支持这两者.BSD中使用
  setreuid(uid_t ruid, uid_t euid)
来设定真实用户ID(real uid)和有效用户ID(effective uid).这个函数在由有效
用户ID符为0的进程调用时,不会改变已保存用户ID.函数seteuid(uid_t uid)等价
于setreuid(-1,uid),只改变有效用户ID(effective uid).


例子:
  使用setuid或是setruid,让非root用户也可以读取只有root用户有读写权限的
文件.

 #假设此程序名为:setuid_ex
 #要读取的文件为:root_only.txt 
 $ users
 dd admin
 $ ls -l root_only.txt
 -rw------- 1 root root 33 Jan 11 17:07 root_only.txt
 $ vi setuid_ex.cpp
  1 /**
  2 * Linux setuid函数的例子.
  3 * */
  4 #include <unistd.h> //setuid() and getuid()
  5 #include <iostream>
  6 #include <fstream>
  7
  8 using namespace std;
  9 void test_read_file(const char *name)
  10 {
  11 ifstream f(name);
  12 if(f.fail())
  13 cout<<"=[ERROR]: read failed."<<endl;
  14 else
  15 cout<<"=[OK]: read successful."<<endl;
  16 }
  17 //打印uid和euid.
  18 inline void p_states(void)
  19 {
  20 int uid,euid;
  21 cout<<"-----Current states--------------------------"<<endl;
  22 cout<<"real uid/t"<<getuid()<<endl;
  23 cout<<"effective uid/t"<<geteuid()<<endl;
  24 cout<<"---------------------------------------------"<<endl;
  25 }
  26 //调用setuid.
  27 inline void run_setuid_fun(int uid)
  28 {
  29 if(setuid(uid) == -1)
  30 cout<<"=[ERROR]: setuid("<<uid<<") error"<<endl;
  31 p_states();
  32 }
  33 //调用seteuid.
  34 inline void run_seteuid_fun(int uid)
  35 {
  36 if(seteuid(uid) == -1)
  37 cout<<"=[ERROR]: seteuid("<<uid<<") error"<<endl;
  38 p_states();
  39 }
  40
  41 int main()
  42 {
  43 int t_re=0;
  44 const char * file = "root_only.txt";
  45
  46 cout<<endl<<"TEST 1: "<<endl;
  47 p_states();
  48 //[1]此时 real uid= login user id
  49 // effective uid = root
  50 // saved uid = root
  51 test_read_file(file);
  52
  53 cout<<endl<<"TEST 2: seteuid(getuid())"<<endl;
  54 run_seteuid_fun(getuid());
  55 //[2]此时 real uid= login user id
  56 // effective uid = login user id
  57 // saved uid = root
  58 test_read_file(file);
  59
  60 cout<<endl<<"TEST 3: seteuid(0)"<<endl;
  61 run_seteuid_fun(0);
  62 //[3]此时 real uid= login user id
  63 // effective uid = root
  64 // saved uid = root
  65 test_read_file(file);
  66
  67 cout<<endl<<"TEST 4: setuid(0)"<<endl;
  68 run_setuid_fun(0);
  69 //[4]此时 real uid= root
  70 // effective uid = root
  71 // saved uid = root
  72 test_read_file(file);
  73
  74 cout<<endl<<"TEST 5: setuid(503)"<<endl;
  75 run_setuid_fun(503);
  76 //[5]此时 real uid= login user id
  77 // effective uid = login user id
  78 // saved uid = login user id
  79 test_read_file(file);
  80
  81 cout<<endl<<"TEST 6: setuid(0)"<<endl;
  82 //[6]此时 real uid= login user id
  83 // effective uid = login user id
  84 // saved uid = login user id
  85 // 运行setuid(0)是将返回错误值-1.
  86 run_setuid_fun(0);
  87 test_read_file(file);
  88 return 0;
  89 }
  90
  91
 $ vi Makefile
  1 src=setuid_ex.cpp
  2 exe=setuid_ex
  3 cc=g++
  4 flags=-g
  5
  6 all:${src}
  7 ${cc} ${flags} -o ${exe}
  8 chown root:root ${exe}
  9 ### 实际上chmod 4111改变了effective id 和saved uid的值.
  10 ### 这也是setuid setruid函数在不同权限间正常切换的前提.
  11 chmod 4111 ${exe}
   
 $ sudo make #使用root进行Make. 
 $ ls -l setuid_ex
 ---s--x--x 1 root root 58579 Jan 15 11:27 setuid_ex
 $ ./setuid_ex 
 TEST 1:
 -----Current states--------------------------
 real uid 503
 effective uid 0
 ---------------------------------------------
 =[OK]: read successful.
 
 TEST 2: seteuid(getuid())
 -----Current states--------------------------
 real uid 503
 effective uid 503
 ---------------------------------------------
 =[ERROR]: read failed.
 
 TEST 3: seteuid(0)
 -----Current states--------------------------
 real uid 503
 effective uid 0
 ---------------------------------------------
 =[OK]: read successful.
 
 TEST 4: setuid(0)
 -----Current states--------------------------
 real uid 0
 effective uid 0
 ---------------------------------------------
 =[OK]: read successful.
 
 TEST 5: setuid(503)
 -----Current states--------------------------
 real uid 503
 effective uid 503
 ---------------------------------------------
 =[ERROR]: read failed.
 
 TEST 6: setuid(0)
 =[ERROR]: setuid(0) error
 -----Current states--------------------------
 real uid 503
 effective uid 503
 ---------------------------------------------
 =[ERROR]: read failed.