如果 ssh 服务器在 root 上下文中运行，SFTP 如何只能访问特定用户文件？

Question

我猜想将 root 特权放弃给另一个用户的工具只是使用为此目的提供的系统调用。

$ man setuid
SETUID(2)                 FreeBSD System Calls Manual                SETUID(2)

NAME
     setuid, seteuid, setgid, setegid - set user and group ID

LIBRARY
     Standard C Library (libc, -lc)

SYNOPSIS
     #include <unistd.h>

     int
     setuid(uid_t uid);

     int
     seteuid(uid_t euid);

     int
     setgid(gid_t gid);

     int
     setegid(gid_t egid);

DESCRIPTION
     The setuid() system call sets the real and effective user IDs and the
     saved set-user-ID of the current process to the specified value.  The
     setuid() system call is permitted if the specified ID is equal to the
     real user ID or the effective user ID of the process, or if the effective
     user ID is that of the super user.

     The setgid() system call sets the real and effective group IDs and the
     saved set-group-ID of the current process to the specified value.  The
     setgid() system call is permitted if the specified ID is equal to the
     real group ID or the effective group ID of the process, or if the
     effective user ID is that of the super user.

     The seteuid() system call (setegid()) sets the effective user ID (group
     ID) of the current process.  The effective user ID may be set to the
     value of the real user ID or the saved set-user-ID (see intro(2) and
     execve(2)); in this way, the effective user ID of a set-user-ID
     executable may be toggled by switching to the real user ID, then re-
     enabled by reverting to the set-user-ID value.  Similarly, the effective
     group ID may be set to the value of the real group ID or the saved set-
     group-ID.

RETURN VALUES
     Upon successful completion, the value 0 is returned; otherwise the
     value -1 is returned and the global variable errno is set to indicate the
     error.

ERRORS
     The system calls will fail if:

     [EPERM]            The user is not the super user and the ID specified is
                        not the real, effective ID, or saved ID.

Answer 1

我猜想将 root 特权放弃给另一个用户的工具只是使用为此目的提供的系统调用。

$ man setuid
SETUID(2)                 FreeBSD System Calls Manual                SETUID(2)

NAME
     setuid, seteuid, setgid, setegid - set user and group ID

LIBRARY
     Standard C Library (libc, -lc)

SYNOPSIS
     #include <unistd.h>

     int
     setuid(uid_t uid);

     int
     seteuid(uid_t euid);

     int
     setgid(gid_t gid);

     int
     setegid(gid_t egid);

DESCRIPTION
     The setuid() system call sets the real and effective user IDs and the
     saved set-user-ID of the current process to the specified value.  The
     setuid() system call is permitted if the specified ID is equal to the
     real user ID or the effective user ID of the process, or if the effective
     user ID is that of the super user.

     The setgid() system call sets the real and effective group IDs and the
     saved set-group-ID of the current process to the specified value.  The
     setgid() system call is permitted if the specified ID is equal to the
     real group ID or the effective group ID of the process, or if the
     effective user ID is that of the super user.

     The seteuid() system call (setegid()) sets the effective user ID (group
     ID) of the current process.  The effective user ID may be set to the
     value of the real user ID or the saved set-user-ID (see intro(2) and
     execve(2)); in this way, the effective user ID of a set-user-ID
     executable may be toggled by switching to the real user ID, then re-
     enabled by reverting to the set-user-ID value.  Similarly, the effective
     group ID may be set to the value of the real group ID or the saved set-
     group-ID.

RETURN VALUES
     Upon successful completion, the value 0 is returned; otherwise the
     value -1 is returned and the global variable errno is set to indicate the
     error.

ERRORS
     The system calls will fail if:

     [EPERM]            The user is not the super user and the ID specified is
                        not the real, effective ID, or saved ID.

如果 ssh 服务器在 root 上下文中运行，SFTP 如何只能访问特定用户文件？

答案1

相关内容