Next: Process User IDs and
Up: Secure Programming
Previous: Types of Applications
- The system converts your username to a particular user ID, and from then on it's only the user ID that counts.
- You can control access to a file or other resource by associating it with a particular
user ID.
- Sometimes, you want to share a resource among multiple users.
- Linux doesn't allow you to associate multiple user IDs with a file, so you can't just create a list of all the people to whom you want to give access and attach them all to the file.
- You can, however, create a group. Each group is assigned a unique number, called a group ID, or GID. Every group contains one or more user IDs.
- A single user ID can be a member of lots of groups, but groups can't contain other groups.
- Like users, groups have names. Also like usernames, however, the group names don't really matter; the system always uses the group ID internally.
- You can associate only one group with a resource.
$ id
- One user account is very special. This user has user ID 0 and usually has the username root. The root user can do just about anything.
- Lots of special operations can be performed only by processes running with root privilege.
- The trouble with this design is that a lot of programs need to be run by root because a lot of programs need to perform one of these special operations. If any of these programs misbehaves, chaos can result.
- There's no effective way to contain a program when it's run by root; it can do anything. Programs run by root must be written very carefully.
Next: Process User IDs and
Up: Secure Programming
Previous: Types of Applications
Cem Ozdogan
2007-05-07