1993.1.18

SUBJECT: Execute Permission (setuid, setgid)

DESCRIPTION:

0. Format of the permission bits

 * The file type and the permissions of a file or directory are stored in
   the corresponding 'inode' as one 16-bit word.

   One word (16 bits) of permission information:

   |----------------------------------------------------------------------------|
   +----------------+ +------------+ +------------+ +------------+ +------------+
   | File           | | Program    | | Owner      | | Group      | | Others     |
   | Identification | | Execution  | | Permission | | Permission | | Permission |
   | Bits           | | Bits       | | Bits       | | Bits       | | Bits       |
   +----------------+ +------------+ +------------+ +------------+ +------------+
      16 15 14 13      12 11 10       9  8  7        6  5  4        3  2  1
                      |------------|
                      Program Execution Triplet
                      |---------------------------------------------------------|
                      File mode (the 12 bits that chmod sets)

1. Program Execution Triplet

 * For an executable program one can define 'in what manner it is to be
   executed'. This 'manner of execution' is recorded in the 'program
   execution triplet' of the inode.

 * Format of the Program Execution Triplet

   +-------------+------------+---------------+
   |   setuid    |   setgid   |  sticky bit   |
   +-------------+------------+---------------+
   Octal value      4000         2000           1000
   |------------------------------------------|
   Total value                  7000

   - 4000 : set the user ID when the file is executed; this is called
            set-user-ID mode. On a directory this bit is ignored.
   - 2000 : set the group ID when the file is executed; this is called
            set-group-ID mode. (On a directory, BSD-derived systems give
            the bit a different meaning: files created inside inherit the
            directory's group.)
   - 1000 : set the sticky bit. On a program it originally asked the kernel
            to keep the program text in swap after exit; on a directory
            such as /tmp it means that only the owner of a file (or the
            directory owner, or the superuser) may remove or rename it.

2. UID and GID associated with a process

   +-----------------------------+-----------------------------+
   | RUID (Real UID)             | who the user really is      |
   | RGID (Real GID)             |                             |
   +-----------------------------+-----------------------------+
   | EUID (Effective UID)        | used to check file access   |
   | EGID (Effective GID)        | permission                  |
   | SGID (Supplementary GIDs)   |                             |
   +-----------------------------+-----------------------------+

   (In this note SGID abbreviates the supplementary group IDs of the
   process, not the set-group-ID bit of section 1.)

 * RUID, RGID : identify who the user really is. Their values are taken
   from the password file at login.
 * EUID, EGID, SGID : determine file access permission, i.e. the OS uses
   them when deciding what access a process has to a file. These are the
   IDs that matter for security.

 * When an executable file is run, a process is created. If the file has
   'others' execute permission, a user other than the owner may run it, and
   the program may then have to write to a file that only the owner may
   write (the classic case is a program that updates a file owned by the
   superuser). Handling this requires some channel between the process and
   the executable file it came from; that channel is the EUID/EGID.

 * Usually EUID/EGID are identical to RUID/RGID. Every file has one owner
   and one group owner. When an executable program is run, the EUID/EGID of
   the process are normally just its RUID/RGID.

 * However, a 'special flag' can be set in the file's execution triplet
   meaning "when this file is executed, set the EUID of the process to the
   file's owner". In the same way the EGID can be made the file's group
   owner. The bits set this way are called the "set-user-ID bit" and the
   "set-group-ID bit". Note that exec never changes the real IDs; only the
   effective IDs are replaced.

 * For example, if the owner of a file is the superuser and the file has
   its set-user-ID bit set, then while that file runs as a process the
   process has the privileges of the superuser, regardless of the RUID of
   the process that executed the file. This is exactly why set-user-ID
   files owned by the superuser must be written with great care: any bug
   in them is reachable by every user allowed to execute them. Such files
   can be listed with

       find / -type f -perm -4000 -print

Revision History
   Created on Jan. 18, 1993