LINUX TIPS AND TRICKS --- 08/30/2002

Danny Kalev

Supplemental Groups
Linux uses the security mechanism of users and groups originally developed for Unix. Under this model, each user has a user id (uid) and a group id (gid). uids and gids are integer values that are mapped to symbolic names in /etc/passwd and /etc/group, respectively. Originally, Unix systems associated a single gid with each user. This restriction turned out to be problematic when users working on different projects needed to access files owned by different groups: they were forced to change their gid explicitly every time they accessed a file belonging to another group. To solve this problem, BSD 4.3 introduced supplemental groups. Under this model, each process still has a primary gid (which is used, for example, as the group of a file the process creates). However, it may belong to a set of supplemental groups, too. Security checks that test whether a process belongs to a certain group now grant access to a file as long as that file's group is included in the process's list of supplemental groups.

Manipulating Supplemental Groups
The <sys/param.h> header defines the constant NGROUPS_MAX, which specifies how many supplemental groups a process may belong to. To set the list of supplemental groups of a process, use the setgroups() syscall, which has the following prototype:

int setgroups(size_t num, const gid_t * list);

Only a process running as root may call this function. The argument num is the number of gids contained in the array list. A setgroups() call replaces the process's supplemental groups with the gids listed in list.

To obtain a process's list of supplemental groups, use the getgroups() syscall, which has the following prototype:

int getgroups(int num, gid_t * list);  /* POSIX declares the size argument as int, not size_t */

The list argument points to an array of gid_t with room for num entries. The getgroups() function fills that array with the process's supplemental gids. A return value of -1 indicates an error; typically, such an error occurs when list isn't large enough to contain the entire set of supplemental groups (getgroups() refuses to truncate the list). On success, getgroups() returns the number of supplemental groups written. As a special case, a num value of 0 causes getgroups() to return the total number of supplemental groups without writing anything to list, which is the portable way to size the array before the real call.
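The following program is an added example, not code from the column: it puts both syscalls to work. It sizes the getgroups() buffer with the num == 0 special case, shows that an undersized buffer is rejected with -1/EINVAL rather than silently truncated, implements the membership test the kernel performs against a file's group, and uses setgroups() for the purpose a defender cares about most: clearing the supplemental set before setgid()/setuid() when a root process drops privileges, since those two calls leave the supplemental list untouched. The function names and the sample gids (4, 20, 1000) are my own constructed values. On Linux with glibc, setgroups() is declared in <grp.h>, hence the extra include.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>        /* setgroups() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>     /* getgroups(), setgid(), setuid() */

/* Constructed sample set used to illustrate the membership test. */
static const gid_t sample_groups[] = { 4, 20, 1000 };
#define SAMPLE_GROUPS_LEN 3

/* Return 1 if gid g is among the n entries of list, else 0. This is the
 * test the kernel applies to a file's group against the caller's set. */
int gid_in_set(gid_t g, const gid_t *list, int n)
{
    for (int i = 0; i < n; i++)
        if (list[i] == g)
            return 1;
    return 0;
}

/* Fetch the calling process's supplemental groups into a freshly allocated
 * array stored in *out. Returns the count, or -1 on error. The buffer is
 * sized with the num == 0 query described in the text. */
int fetch_supplementary_groups(gid_t **out)
{
    *out = NULL;
    int n = getgroups(0, NULL);                 /* size query, writes nothing */
    if (n < 0)
        return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof *list); /* +1 so a 0-group process still gets a buffer */
    if (!list)
        return -1;
    int got = getgroups(n + 1, list);           /* large enough by construction */
    if (got < 0) {
        free(list);
        return -1;
    }
    *out = list;
    return got;
}

/* Convenience wrapper: the count alone, with the array freed. */
int supplementary_group_count(void)
{
    gid_t *g;
    int n = fetch_supplementary_groups(&g);
    free(g);
    return n;
}

/* Failure mode from the text: a buffer too small for the whole set makes
 * getgroups() fail with -1 and errno == EINVAL instead of truncating.
 * Returns 1 when that behaviour is observed (or when the process has
 * fewer than two groups, in which case it cannot be demonstrated). */
int undersized_buffer_fails(void)
{
    int n = getgroups(0, NULL);
    if (n <= 1)
        return 1;
    gid_t one[1];
    errno = 0;
    int r = getgroups(1, one);
    return r == -1 && errno == EINVAL;
}

/* Drop root privileges safely. setgroups(0, NULL) must come first: setgid()
 * and setuid() do not touch the supplemental list, so a root-owned group
 * inherited from the parent would otherwise survive the drop. Only root may
 * call setgroups(); any other caller gets -1 (errno EPERM) from step one.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0)            /* empty the supplemental set */
        return -1;
    if (setgid(gid) != 0)                   /* primary gid before uid, while still root */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop took: root must not be regainable and the set must be empty. */
    if (setuid(0) == 0 || getgroups(0, NULL) != 0)
        return -1;
    return 0;
}

int main(void)
{
    gid_t *groups;
    int n = fetch_supplementary_groups(&groups);
    if (n < 0) {
        perror("getgroups");
        return 1;
    }
    printf("process belongs to %d supplemental group(s):", n);
    for (int i = 0; i < n; i++)
        printf(" %u", (unsigned)groups[i]);
    printf("\nundersized buffer rejected: %s\n", undersized_buffer_fails() ? "yes" : "n/a");
    printf("gid 20 in sample set: %d\n", gid_in_set(20, sample_groups, SAMPLE_GROUPS_LEN));
    free(groups);
    return 0;
}
```

drop_privileges() is written for a daemon that starts as root; when run unprivileged it simply returns -1 at the setgroups() step, which is the expected outcome for a non-root caller rather than a bug.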


Danny Kalev is a system analyst and software engineer with more than 10 years of experience, specializing in C++ and object-oriented analysis and design on various platforms including VMS, DOS, Windows, Unix, and Linux. His technical interests involve code optimization, networking, and distributed computing. He is also a member of the ANSI C++ standardization committee and the author of ANSI/ISO C++ Professional Programmer's Handbook (Que, 1999). Danny can be reached at Danny.Kalev@itworld.com.



Copyright © Computerworld, Inc. All rights reserved