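I am trying to understand user ID / effective user ID. When I switch to a user (apache in this example), I can still send a SIGKILL signal to a program running under the root UID.
Example output: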
[root@devserv ~]# ./testsuid
Real UID = 0
Effective UID = 0
Real GID = 0
Effective GID = 0
Real UID = 0
Effective UID = 102
Real GID = 0
Effective GID = 501
Real UID = 0
Effective UID = 0
Real GID = 0
Effective GID = 0
Here is the code I am running:
[root@devserv ~]# cat test.c
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/file.h>
static uid_t euid, ruid;
static gid_t egid, rgid;
/* Switch the effective IDs to the unprivileged user and group (euid/egid). */
void do_setuid (void) {
    int statusgid;
    int statusuid;
#ifdef _POSIX_SAVED_IDS
    /* Change the group first, while the effective UID is still privileged. */
    statusgid = setegid (egid);
    statusuid = seteuid (euid);
#else
    statusgid = setregid (rgid, egid);
    statusuid = setreuid (ruid, euid);
#endif
    if (statusuid < 0) {
        fprintf (stderr, "Couldn't set uid.\n");
        exit (EXIT_FAILURE);
    }
    if (statusgid < 0) {
        fprintf (stderr, "Couldn't set gid.\n");
        exit (EXIT_FAILURE);
    }
}

/* Switch the effective IDs back to the real IDs (ruid/rgid). */
void undo_setuid (void) {
    int statusuid;
    int statusgid;
#ifdef _POSIX_SAVED_IDS
    statusuid = seteuid (ruid);
    statusgid = setegid (rgid);
#else
    statusuid = setreuid (euid, ruid);
    statusgid = setregid (egid, rgid);
#endif
    /* Check both calls; the second result must not overwrite the first. */
    if (statusuid < 0 || statusgid < 0) {
        fprintf (stderr, "Couldn't set uid.\n");
        exit (EXIT_FAILURE);
    }
}

int main(void)
{
    ruid = 0;
    euid = 102;
    rgid = 0;
    egid = 501;

    undo_setuid ();
    printf("Real UID\t= %d\n", getuid());
    printf("Effective UID\t= %d\n", geteuid());
    printf("Real GID\t= %d\n", getgid());
    printf("Effective GID\t= %d\n", getegid());

    do_setuid ();
    printf("\n\nReal UID\t= %d\n", getuid());
    printf("Effective UID\t= %d\n", geteuid());
    printf("Real GID\t= %d\n", getgid());
    printf("Effective GID\t= %d\n", getegid());

    /* Signal the target PID while the effective UID is 102. */
    kill(27279, SIGKILL);

    undo_setuid();
    printf("\n\nReal UID\t= %d\n", getuid());
    printf("Effective UID\t= %d\n", geteuid());
    printf("Real GID\t= %d\n", getgid());
    printf("Effective GID\t= %d\n", getegid());
    return EXIT_SUCCESS;
}
The result for my nano process:
[root@devserv ~]# strace -p 27279
Process 27279 attached - interrupt to quit
read(0, <unfinished ...>
+++ killed by SIGKILL +++
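Now the question is:
How can a process with effective UID 102 kill a process running as root?
Answer 0 (score: 2)
From man 2 kill (emphasis mine):
For a process to have permission to send a signal, it must either be privileged (under Linux: have the CAP_KILL capability), or the real or effective user ID of the sending process must equal the real or saved set-user-ID of the target process.
In other words, although its effective UID is 102, its real UID is still 0, so it can send SIGKILL to the root process.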
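The rule quoted from kill(2), as an added example that is not part of the original question or answer: it parses the `Uid:` line of a `/proc/<pid>/status` text (real, effective, saved, filesystem UID) and applies the UID comparison, which also serves as an audit check for processes that switched only their effective UID. The status texts are constructed samples, and the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Real, effective and saved UID, in the order used by the "Uid:" line. */
struct uids { unsigned r, e, s; };

/* Constructed samples: the question's sender, a fully dropped sender, a root target. */
static const char SENDER_SETEUID[] = "Name:\ttestsuid\nUid:\t0\t102\t0\t102\n";
static const char SENDER_DROPPED[] = "Name:\ttestsuid\nUid:\t102\t102\t102\t102\n";
static const char TARGET_ROOT[] = "Name:\tnano\nUid:\t0\t0\t0\t0\n";

/* Find the "Uid:" line in a status text; returns 0 on success, -1 otherwise. */
int parse_uids(const char *status, struct uids *out) {
    unsigned fs; /* fourth field: filesystem UID, not used by the kill(2) rule */
    const char *p = status;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, "Uid:", 4) == 0)
            return sscanf(p + 4, "%u %u %u %u", &out->r, &out->e, &out->s, &fs) == 4 ? 0 : -1;
        p = strchr(p, '\n');
        if (p != NULL)
            p++; /* step past the newline to the next line */
    }
    return -1;
}

/* kill(2) rule: CAP_KILL, or sender real/effective UID == target real/saved UID. */
int kill_permitted(const struct uids *snd, const struct uids *tgt, int cap_kill) {
    return cap_kill || snd->r == tgt->r || snd->r == tgt->s
                    || snd->e == tgt->r || snd->e == tgt->s;
}

/* Audit check: effective UID is unprivileged but real or saved UID is still 0. */
int retains_root(const struct uids *u) {
    return u->e != 0 && (u->r == 0 || u->s == 0);
}

int main(void) {
    struct uids a, b, t;
    if (parse_uids(SENDER_SETEUID, &a) || parse_uids(SENDER_DROPPED, &b) ||
        parse_uids(TARGET_ROOT, &t))
        return 1;
    /* cap_kill = 0 models a sender without CAP_KILL (assumption of this example). */
    printf("seteuid only: kill allowed=%d retains root=%d\n",
           kill_permitted(&a, &t, 0), retains_root(&a));
    printf("full drop:    kill allowed=%d retains root=%d\n",
           kill_permitted(&b, &t, 0), retains_root(&b));
    return 0;
}
```

A sender whose real, effective and saved UIDs are all 102 fails the comparison against a root target, while the seteuid-only sender from the question passes it through its real UID.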