definitions of uid and euid

definitions of uid and euid

[Peng Yu]

Hi,

`man getuid` says the following without explaining what real user ID
and effective user ID are.

- getuid() returns the real user ID of the calling process.
- geteuid() returns the effective user ID of the calling process.

Could anybody explain the definitions of uid and euid, and provide a
minimum working example demonstrating when they are different? Thanks.

-- 
Regards,
Peng

Re: definitions of uid and euid

[Paul Smith]

On Tue, 2021-02-02 at 11:04 -0600, Peng Yu via Libc-help wrote:
> Could anybody explain the definitions of uid and euid, and provide a
> minimum working example demonstrating when they are different?

Google is helpful here I think; this is a UNIX/POSIX operating system
thing not a libc thing.

For example this answer from the first hit I got seems informative and
pretty accurate

https://stackoverflow.com/a/32456814/939557

and other answers to that question go into more details.

Re: definitions of uid and euid

[Jeffrey Walton]

On Tue, Feb 2, 2021 at 12:22 PM Peng Yu via Libc-help
<libc-help@sourceware.org> wrote:
>
> `man getuid` says the following without explaining what real user ID
> and effective user ID are.
>
> - getuid() returns the real user ID of the calling process.
> - geteuid() returns the effective user ID of the calling process.
>
> Could anybody explain the definitions of uid and euid, and provide a
> minimum working example demonstrating when they are different? Thanks.

Also see Chen, Wagner and Dean's
https://www.usenix.org/conference/11th-usenix-security-symposium/setuid-demystified:

   Access control in Unix systems is mainly based on
   user IDs, yet the system calls that modify user IDs
   (uid-setting system calls), such as setuid, are poorly
   designed, insufficiently documented, and widely
   misunderstood and misused. This has caused many
   security vulnerabilities in application programs.
   ...

Jeff

Re: definitions of uid and euid

[Peng Yu]

This document is pretty old. Is it still the most relevant document
nowadays.  Given the shortcoming mentioned in the document. Nothing
has been changed to accommodate the shortcomings since then?

On 2/2/21, Jeffrey Walton via Libc-help <libc-help@sourceware.org> wrote:
> On Tue, Feb 2, 2021 at 12:22 PM Peng Yu via Libc-help
> <libc-help@sourceware.org> wrote:
>>
>> `man getuid` says the following without explaining what real user ID
>> and effective user ID are.
>>
>> - getuid() returns the real user ID of the calling process.
>> - geteuid() returns the effective user ID of the calling process.
>>
>> Could anybody explain the definitions of uid and euid, and provide a
>> minimum working example demonstrating when they are different? Thanks.
>
> Also see Chen, Wagner and Dean's
> https://www.usenix.org/conference/11th-usenix-security-symposium/setuid-demystified:
>
>    Access control in Unix systems is mainly based on
>    user IDs, yet the system calls that modify user IDs
>    (uid-setting system calls), such as setuid, are poorly
>    designed, insufficiently documented, and widely
>    misunderstood and misused. This has caused many
>    security vulnerabilities in application programs.
>    ...
>
> Jeff
>


-- 
Regards,
Peng