引用自这个答案关于进程的文件系统用户 ID 和有效用户 ID 之间的区别,它说
FSUID 用于文件系统访问,EUID 用于其他用途。
这些“其他事情”是什么?我只能想到连接到套接字之类的系统调用,但据我所知,除了文件系统交互之外,其他任何操作都需要进程具有超级用户权限。我认为如此有效的 uids(和 gids)几乎毫无意义,除非你是 root。
除了系统调用之外还有什么吗?我还知道用户/组权限会影响可以在进程之间发送的信号,但我不确定它是如何工作的。也许可以添加其他类型的进程间通信,例如共享内存等?
而且,如果用户有权执行某个文件,那么执行它就被视为“文件系统权限”?这是否取决于可执行文件是脚本(需要 SO 运行用户拥有的进程,逐行读取脚本,因此意味着文件系统读取操作),还是二进制文件(文件内容直接复制粘贴)我猜是通过SO到RAM)?如果文件具有执行权限但没有读取权限(二进制或文本可执行文件)怎么办?
答案1
有效 ID 有多种用途。
信号发送,如中所述杀死(2):
For a process to have permission to send a signal, it must either
be privileged (under Linux: have the CAP_KILL capability in the
user namespace of the target process), or the real or effective
user ID of the sending process must equal the real or saved set-
user-ID of the target process. In the case of SIGCONT, it suf‐
fices when the sending and receiving processes belong to the same
session.
创建 System V IPC 对象时,如(例如)中所述消息控制(2):
If a new message queue is created, then its associated data struc‐
ture msqid_ds (see msgctl(2)) is initialized as follows:
msg_perm.cuid and msg_perm.uid are set to the effective
user ID of the calling process.
msg_perm.cgid and msg_perm.gid are set to the effective
group ID of the calling process.
设置进程的nice值时,如中所述设置优先级(2):
EPERM A process was located, but its effective user ID did not
match either the effective or the real user ID of the call‐
er, and was not privileged (on Linux: did not have the
CAP_SYS_NICE capability). But see NOTES below.
同样,当设置 CPU 关联性时sched_setaffinity(2):
EPERM (sched_setaffinity()) The calling thread does not have
appropriate privileges. The caller needs an effective user
ID equal to the real user ID or effective user ID of the
thread identified by pid, or it must possess the
CAP_SYS_NICE capability in the user namespace of the thread
pid.