Why do many servers change their uid and gid, and what's the benefit?
I see such logic in many open source projects:
    if (geteuid() == 0) {            /* only when started as root */
        if (setgid(ccf->group) == -1) {
            ...
        }
        if (initgroups(ccf->username, ccf->group) == -1) {
            ...
I have 2 questions on this:
- What's the benefit of changing to another gid and uid?
- And what's initgroups for? IMO, to change gid and uid, setuid() and setgid() will be enough.
Most of the time, system daemons are spawned by init scripts and therefore run as root. Calling setuid() and setgid() allows them to drop their superuser privileges and impersonate another user on the system (generally far less powerful than root). That way, bugs and security holes become less lethal to the system.
Concerning the second part of your question, initgroups() is called to reinitialize the group access list and add ccf->group to the list of groups that ccf->username belongs to. That's probably done because calling setgid() is not sufficient for the access rights associated with the new group to be propagated to the process.
Generally, you need administrative permission to listen on ports 1023 and below. (There are other reasons to start as administrator, but that's the big one.) But here's the thing: You can start as administrator, bind the socket, then drop down to be a user.
Now, why would you want to be a user? Well, if you run with the smallest amount of permissions possible, and your program is compromised, then the damage will be contained.
On some OSes, setgid() toasts the supplementary groups. Calling initgroups() before setgid() is thus ineffective.
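The privilege drop the answers describe, carried through in the order they give (setgid(), then initgroups(), then setuid()) together with a check that root cannot be regained afterwards. This is an added example, not code from the question or from the project it quotes; the account name "nobody" is an assumption.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop root to the named account. Order matters: setgid() first,
 * then initgroups() (both need root; on some systems setgid() would
 * discard the supplementary list if it ran afterwards), and setuid()
 * last, because once the uid is non-zero the gid calls would fail.
 * The account name is the caller's choice (assumed "nobody" here). */
int drop_privileges(const char *user)
{
    if (geteuid() != 0)          /* already unprivileged: nothing to drop */
        return 0;

    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        fprintf(stderr, "drop_privileges: unknown user %s\n", user);
        return -1;
    }
    if (setgid(pw->pw_gid) == -1)
        return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) == -1)
        return -1;
    if (setuid(pw->pw_uid) == -1)   /* sets real, effective and saved uid */
        return -1;
    return 0;
}

/* Returns 1 if the process is unprivileged and cannot get root back.
 * setuid(0) only succeeds when the real, effective or saved uid is 0,
 * so if it succeeds here the drop left a way back (for example
 * seteuid() was used instead of setuid()). */
int privileges_are_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;                   /* regained root: drop was incomplete */
    return errno == EPERM;
}
```

Call drop_privileges() right after the privileged setup (binding the low port) and treat anything other than 0 as fatal; privileges_are_dropped() is the self-check a daemon can run once before serving.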