LinuxQuestions.org
Old 02-01-2014, 09:33 AM   #1
jhesse
LQ Newbie
 
Registered: Aug 2006
Posts: 5

Rep: Reputation: 0
Linux Process GID


Suppose a file has permissions 440.

If the UID of a process matches the UID of the file or if it is a member of the GID of the file, then the process can read the file.

What does the process GID have to do with reading a file?

Thank you,
Joe
 
Old 02-01-2014, 09:53 AM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370
Permissions are applied from most specific to least specific. If the UID of a process matches the UID of a file, only the user permissions matter for determining whether access to the file is allowed. If the UIDs don't match, but the GID of the process matches the GID of the file, then the group permissions are used. If neither the UID nor the GID matches, then the "other" set of permissions is used.
 
Old 02-01-2014, 03:04 PM   #3
jhesse
LQ Newbie
 
Registered: Aug 2006
Posts: 5

Original Poster
Rep: Reputation: 0
As far as I know, a group is a collection of users.
If the uid of a process is in the group of a file with permissions ?6? then the process can access the file.
The fact that the gid of a process is the same as the gid of a file seems irrelevant, it says that both the process group and the file group have the same members.
 
Old 02-01-2014, 03:14 PM   #4
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
The GID of the process doesn't necessarily need to be a group of which the UID of the process is part of... So.. you know, it's not that irrelevant..
 
Old 02-01-2014, 08:09 PM   #5
jhesse
LQ Newbie
 
Registered: Aug 2006
Posts: 5

Original Poster
Rep: Reputation: 0
So what determines if the process can access the file with permissions ?4?
The UID of the process is a member of the GID of the file OR the GID of the process is the same as the GID of the file.
 
Old 02-01-2014, 11:26 PM   #6
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370
As I said above, the most specific permission is used. If the UID matches, then the user permissions are used.
 
Old 02-02-2014, 09:32 AM   #7
jhesse
LQ Newbie
 
Registered: Aug 2006
Posts: 5

Original Poster
Rep: Reputation: 0
I think I am not explaining my question properly. Please look below.

The file below, MyFile, has permissions 040 and has group xyz.
The shell is running with uid = joe and gid = xyz.
joe is a member of xyz.
Why can't the shell cat MyFile?
Thank you,
Joe
====================================================
$ grep xyz /etc/group
xyz:x:1006:joe

$ ls -l
total 4
----r----- 1 joe xyz 12 Feb 2 07:24 MyFile

$ newgrp xyz

$ id
uid=1000(joe) gid=1006(xyz) groups=1000(joe),1006(xyz)

$ cat MyFile
cat: MyFile: Permission denied <== WHY? Process gid same as MyFile gid and joe is a member of xyz.
 
Old 02-02-2014, 09:45 AM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
The user "joe" should be able to access a file if the group permissions are "read" and he's a member of the group in question.

Did you add "joe" to the group while he was logged in? If so, the change will not take effect until next login.

If you did log in after adding the user to the group and you still can't access the file, there must be something other than the Unix permissions that keep you from doing so (selinux?).
 
Old 02-02-2014, 12:39 PM   #9
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
@Jhesse, Ser Olmy: You haven't been paying attention... The most specific permissions apply.

That means if the file has the same UID as the running process, only those permissions will be applied.. regardless of group or other permissions setting..
The system isn't traversing the file permissions until hitting an allowed or the end. Rather, it checks if the UIDs match. If they match, those permissions are applied, whatever they are. Only when the UIDs don't match, the GIDs will be searched (and if they match, those will be applied)... And finally, if neither owner nor group permissions apply, only then "others" permissions will apply.

In your example, any other user from that group can cat the file; joe can't because the file permissions forbid the owner to actually do so. Imagine if you would want a process to be able to read a specific file (say an http server) but that file would have to get populated by a program that should be available to more than one user on the system (or even everyone, just not the webserver). If httpd (or apache, depending on your system) would be the owner with only read access, you can rest assured that the file can't get written by the apache process by mistake.. Of course, this is just an example.. There can be even more complex things done.. Imagine a write-only attribute for specific processes (again, let's go to the web server) so that it can write a chat log, but not read it (weak protection in case of an exploit!? or something)..

However, take care that the owner can run 'chmod' against the file.

Simple code to test (assumes umask is a default '022', bash is in /usr/bin/bash and 'ftp' user exists -- these are defaults in many, many distributions)
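Code:
cd /tmp
# Create the file; with umask 022 it gets mode 644 (rw-r--r--)
echo "Testing line 1" > test.txt
cat test.txt
# Remove the owner's read bit: mode becomes 244 (-w-r--r--)
chmod u-r test.txt
# As a regular user this fails with "Permission denied": the owner triplet applies and has no r
cat test.txt
# Still works: the owner triplet keeps its w bit
echo "Testing line 2" >> test.txt
ls -la test.txt
# A different user who is not in the file's group falls under "other", which has r
sudo su -c "cat test.txt" -s /usr/bin/bash ftp
# The owner can always restore the bit with chmod
chmod u+r test.txt
cat test.txt
rm test.txt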
 
Old 02-02-2014, 01:29 PM   #10
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
Quote:
Originally Posted by Smokey_justme
@Jhesse, Ser Olmy: You haven't been paying attention... The most specific permissions apply.
What I didn't catch, was that the file in question is NOT just owned by a group of which the user is a member, it is ALSO owned by the user in question (as shown in the example in post #7), AND has no user permission bits set. In that case, the user is indeed explicitly denied access regardless of the group permissions.
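
The rule described in posts #9 and #10, as an added example that is not part of the original thread: a Python model of how the one applicable permission triplet is selected, run against the values from post #7 and the test in post #9. The uid/gid values for "ann" and "ftp" are constructed, and root's override, ACLs and SELinux are not modelled.

```python
import os
import stat

R, W, X = 4, 2, 1  # bit values inside one rwx triplet


def select_class(f_uid, f_gid, mode, euid, egid, groups=()):
    """Return (class_name, rwx_bits) for the single triplet that applies.

    Exactly one class is chosen; there is no fall-through to a more
    permissive class when the chosen one denies the request.
    (Linux compares against fsuid/fsgid, which normally equal euid/egid.)
    """
    if euid == f_uid:
        return "user", (mode >> 6) & 7
    if f_gid == egid or f_gid in groups:
        return "group", (mode >> 3) & 7
    return "other", mode & 7


def allowed(f_uid, f_gid, mode, euid, egid, groups=(), want=R):
    """True if the applicable triplet contains every bit in `want`."""
    _, bits = select_class(f_uid, f_gid, mode, euid, egid, groups)
    return bits & want == want


def explain_path(path, want=R):
    """Apply the same model to a real file and the current process."""
    st = os.stat(path)
    cls, bits = select_class(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode),
                             os.geteuid(), os.getegid(), os.getgroups())
    return cls, bits & want == want


# Values from post #7: joe=1000, xyz=1006. ann and ftp are constructed.
JOE, ANN, FTP, XYZ = 1000, 1001, 14, 1006

if __name__ == "__main__":
    # Post #7: ----r----- joe xyz, process uid=joe gid=xyz
    print("joe:", select_class(JOE, XYZ, 0o040, JOE, XYZ, [1000, XYZ]))
    # Another member of xyz gets the group triplet and may read
    print("ann:", select_class(JOE, XYZ, 0o040, ANN, 1001, [1001, XYZ]))
    # Post #9 after `chmod u-r`: -w-r--r--, ftp falls under "other"
    print("ftp:", select_class(JOE, 1000, 0o244, FTP, 50, [50]))
```

`explain_path("MyFile")` reports which triplet the current process falls under for an existing file, which is the quickest way to see why a group read bit is being ignored.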
 
Old 02-03-2014, 06:06 AM   #11
jhesse
LQ Newbie
 
Registered: Aug 2006
Posts: 5

Original Poster
Rep: Reputation: 0
Thank you - my bad. No reply necessary.
 
  

