Linux C学习小总结(三)- 你可能不知道的Unix文件安全策略
前言:以下表格中的内容部分出自《Advanced Programming in the UNIX® Environment: Second Edition》,部分由自己翻译。这里对部分小节(主要是第四章)中,涉及到的Unix系统的安全策略进行归纳整理。
| When | How |
| 文件的读写执行权限 | 见我的上一篇文章:Linux C学习小总结(二)- 文件与目录(文件夹)权限的区别 |
| The file access tests that the kernel performs each time a process opens, creates, or deletes a file(右边为进程打开、创建、删除文件时,系统内核进行的权限检验步骤) | 1. If the effective user ID of the process is 0 (the superuser), access is allowed. This gives the superuser free rein throughout the entire file system. 2. If the effective user ID of the process equals the owner ID of the file (i.e., the process owns the file), access is allowed if the appropriate user access permission bit is set. Otherwise, permission is denied. By appropriate access permission bit, we mean that if the process is opening the file for reading, the user-read bit must be on. If the process is opening the file for writing, the user-write bit must be on. If the process is executing the file, the user-execute bit must be on. 3. If the effective group ID of the process or one of the supplementary group IDs of the process equals the group ID of the file, access is allowed if the appropriate group access permission bit is set. Otherwise, permission is denied. 4. If the appropriate other access permission bit is set, access is allowed. Otherwise, permission is denied. These four steps are tried in sequence. Note that if the process owns the file (step 2), access is granted or denied based only on the user access permissions; the group permissions are never looked at. Similarly, if the process does not own the file, but belongs to an appropriate group, access is granted or denied based only on the group access permissions; the other permissions are not looked at. (1.是否为超级管理员 2.是否为文件所有者,且文件设置有相应的(User)读写执行bit 3.是否属于文件所在的组,且文件设置有相应的(Group)读写执行bit 4. 文件设置有相应的其他用户(other)读写执行bit 上述四个步骤只要满足一个就可以成功返回了。) |
| When creating of a new file using either open or creat(新文件的创建) | The user ID of a new file is set to the effective user ID of the process. POSIX.1 allows an implementation to choose one of the following options to determine the group ID of a new file. 1. The group ID of a new file can be the effective group ID of the process. 2. The group ID of a new file can be the group ID of the directory in which the file is being created. (新文件的组ID根据系统实现而决定,为以下两种情况: 1.新文件的组ID=进程的有效组ID 2.新文件的组ID=新文件所在目录的组ID) |
| chmod and fchmod Functions(修改文件的访问权限) | To change the permission bits of a file, the effective user ID of the process must be equal to the owner ID of the file, or the process must have superuser permissions.(此函数用于修改文件的访问权限bit,进程必须具有超级管理员或文件所有者权限。) |
|
| The chmod functions automatically clear two of the permission bits under the following conditions(chmod函数会清除文件的两个bit): 1. On systems, such as Solaris, that place special meaning on the sticky bit when used with regular files, if we try to set the sticky bit (S_ISVTX) on a regular file and do not have superuser privileges, the sticky bit in the mode is automatically turned off. (We describe the sticky bit in the next section.) This means that only the superuser can set the sticky bit of a regular file. The reason is to prevent malicious users from setting the sticky bit and adversely affecting system performance.(当要设置sticky bit,且没有超级管理员权限时,sticky bit自动关闭) 2. It is possible that the group ID of a newly created file is a group that the calling process does not belong to. Recall from Section 4.6 that it's possible for the group ID of the new file to be the group ID of the parent directory. Specifically, if the group ID of the new file does not equal either the effective group ID of the process or one of the process's supplementary group IDs and if the process does not have superuser privileges, then the set-group-ID bit is automatically turned off. This prevents a user from creating a set-group-ID file owned by a group that the user doesn't belong to.(如上面“新文件的创建”所述,新创建文件的组I D可能不是调用进程所属的组——新文件的组I D可能是父目录的组I D。特别地,如果新文件的组I D不等于进程的有效组I D或者进程添加组I D中的一个,以及进程没有超级用户的权限,那么set-group-ID位自动被关闭。这就防止了用户创建一个set-group-ID文件,而该文件是由并非该用户所属的组拥有的。) |
| chown, fchown和lchown函数(修改文件的所有者ID或所属组ID) | Historically, BSD-based systems have enforced the restriction that only the superuser can change the ownership of a file.This is to prevent users from giving away their files to others, thereby defeating any disk space quota restrictions. System V, however, has allowed any user to change the ownership of any files they own.(基于BSD的系统一直规定只有超级用户才能更改一个文件的所有者。这样做的原因是防止用户改变其文件的所有者从而摆脱磁盘空间限额对他们的限制。系统 V则允许任一用户更改他们所拥有的文件的所有者。) POSIX.1 allows either form of operation, depending on the value of _POSIX_CHOWN_RESTRICTED.(POSIX.1标准允许以上两种形式的任意一种,取决于 _POSIX_CHOWN_RESTRICTED) With Solaris 9, this functionality is a configuration option, whose default value is to enforce the restriction(在Solaris 9中,这是可设置的,默认值是启动限制——即_POSIX_CHOWN_RESTRICTED). FreeBSD 5.2.1, Linux 2.4.22, and Mac OS X 10.3 always enforce the chown restriction(FreeBSD 5.2.1, Linux 2.4.22, and Mac OS X 10.3总是执行这种限制). If _POSIX_CHOWN_RESTRICTED is in effect for the specified file, then 1. Only a superuser process can change the user ID of the file.(只有超级管理员可以改变文件的所有者ID) 2. A nonsuperuser process can change the group ID of the file if the process owns the file (the effective user ID equals the user ID of the file), owner is specified as 1 or equals the user ID of the file, and group equals either the effective group ID of the process or one of the process's supplementary group IDs.(非超级管理员进程能够改变文件的组ID的情况为:只要进程拥有该文件,即进程的有效用户ID等于文件所有者ID,owner参数被指定为1或者等于文件所有者ID,group参数等于有效组ID或补充组ID中的一个。) This means that when _POSIX_CHOWN_RESTRICTED is in effect, you can't change the user ID of other users' files. You can change the group ID of files that you own, but only to groups that you belong to.(这表示当指定了_POSIX_CHOWN_RESTRICTED时,你不能修改别人的文件的所有者ID。你可以修改你拥有的文件的组ID,但仅限于你所属的组) If these functions are called by a process other than a superuser process, on successful return, both the set-user-ID and the set-group-ID bits are cleared. (如果两个函数被没有超级管理员权限的进程调用,当返回的时候set-user-ID和set-group-ID会被清空) |
| unlink Functions(解除文件连接函数,后面称文件删除) | We've mentioned before that to unlink a file, we must have write permission and execute permission in the directory containing the directory entry, as it is the directory entry that we will be removing. (一、一般的删除文件的情况,只要有目录的写、执行权限就可以了,由于要删除目录中的目录项) Also, we mentioned in Section 4.10 that if the sticky bit is set in this directory we must have write permission for the directory and one of the following: 1.Own the file 2.Own the directory 3.Have superuser privileges (二、sticky bit被设置的情况下删除文件,必须拥有文件所在目录的写权限,而且还应具有以下三个权限中的一个: 1.拥有该文件 2.拥有该文件所在的目录 3.拥有超级管理员权限) |
| utime Function(一个文件的存取和修改时间可以用u t i m e函数更改。) | The operation of this function, and the privileges required to execute it, depend on whether the times argument is NULL.(这个函数的所需要的权限,是根据times参数是否为NULL来决定) 1. If times is a null pointer, the access time and the modification time are both set to the current time. To do this, either the effective user ID of the process must equal the owner ID of the file, or the process must have write permission for the file.(当times为空时,文件的access time和modification time均被设置为当前时间。为了执行此操作必须满足下列两条件之一:( a )进程的有效用户I D必须等于该文件的所有者I D,( b )进程对该文件必须具有写许可权。) 2. If times is a non-null pointer, the access time and the modification time are set to the values in the structure pointed to by times. For this case, the effective user ID of the process must equal the owner ID of the file, or the process must be a superuser process. Merely having write permission for the file is not adequate.(当times不为空时,文件的access time和modification time被设置成times结构体中所指定的值。此时,进程的有效用户I D必须等于该文件的所有者I D,或者进程必须是一个超级用户进程。对文件只具有写许可权是不够的。) Note that we are unable to specify a value for the changed-status time, st_ctimethe time the i-node was last changedas this field is automatically updated when the utime function is called. (注意,我们不能对更改状态时间st_ctime指定一个值,当调用utime函数时,此字段被自动更新。) |
