Linux — Advanced Permissions Management

Tony
5 min readFeb 28, 2024

Process Permissions

Previously, I introduced how human users interact with files and the associated permissions. Now, let’s shift our focus to processes and the various user IDs that are relevant in the context of runtime permissions:

Real UID (User ID)

  • The Real UID is the identifier of the user who initiated the process. It signifies the process’s ownership from the perspective of the human user.
  • A process can ascertain its Real UID using the getuid system call. You can also find it via the shell using stat -c “%u %g” /proc/$pid/.

Effective UID

  • The Linux kernel utilizes the Effective UID to determine a process’s permissions for accessing shared resources like message queues. While traditional UNIX systems use this for file access, Linux historically employed a separate filesystem UID for this purpose (as discussed next), though it still supports the traditional method for compatibility.
  • A process can retrieve its Effective UID through the geteuid system call.

Saved set-user-ID

  • Used particularly in setuid scenarios, Saved set-user-IDs allow a process to adopt privileges by toggling its Effective UID between the Real UID and the Saved set-user-ID.
  • For instance, to utilize certain network ports, a process might require elevated privileges (like running as root), which can be obtained using getresuid.

Filesystem UID

  • A Linux-specific identifier, the Filesystem UID, is used to ascertain permissions for file access. This was originally implemented to accommodate scenarios like a file server acting on behalf of a regular user while shielding the process from signals from that user.
  • Although programs rarely manipulate this UID directly, the kernel monitors changes to the Effective UID and correspondingly adjusts the Filesystem UID. Normally, the Filesystem UID aligns with the Effective UID but can be altered via setfsuid.
  • Note that this UID technically became redundant since Linux kernel version 2.0 but is maintained for backward compatibility.

--

--