
I wonder where Linux kernel keeps 'ruid' and 'euid'.

Below is what I know about them.

When a user runs a file and the file turns to a process, the process gets to have ruid and euid.

If the file had been set to use setuid, euid of the process would change to user id of the owner of that file, and if not, euid would not change and be the same as ruid.

Then, Linux kernel allows the process to run another process or use other resources in the system according to ruid and euid.

So, I think that means kernel has to keep ruid and euid of each process somewhere in RAM.

I thought the 'somewhere' is in PCB, but PCB block does not have fields for ruid and euid.

I tried to find them in the process file of '/proc' directory, but failed.

Where does Linux keep ruid and euid of running processes?

Joon

1 Answer


Here is an explanation of how it works in new kernels:

  • From user-space point of view, real and effective user ID can be changed using setreuid() syscall. See man 2 setreuid for usage details

  • Kernel is using struct cred for storing UID and EUID

  • Each process has its own struct cred; take a look at .cred field in struct task_struct

  • RUID is stored in .uid field of struct cred; see setreuid() syscall code:

      struct cred *new;
      kuid_t kruid, keuid;
      ...
      kruid = make_kuid(ns, ruid);
      keuid = make_kuid(ns, euid);
      ...
      new->uid = kruid;
      new->euid = keuid;
      ...
      return commit_creds(new);
    
  • commit_creds() function actually sets RUID and EUID for the current process

See also this answer to get a clue about older kernels: How to get current process's UID and EUID in Linux Kernel 4.2?

Sam Protsenko
  • Thanks. According to your answer and the links, Linux Kernel uses 'struct cred' to store UID and EUID and the memory area where 'struct cred' is located is Kernel area, so User can reach at that space only using system call such as setreuid and getreuid. Is it right? – Joon Oct 10 '16 at 05:35
  • The only other way how to obtain that information (that I'm aware of), is to look into `/proc/$pid/status` file. But that would be the same data read from kernel. So yes, basically if you want to alter your process' UIDs, you have to do it in kernel space, and the only way to do it is (eventually) using system calls. – Sam Protsenko Oct 10 '16 at 13:22
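
The `/proc/$pid/status` route from the last comment, as an added example that is not part of the original thread: it parses the `Uid:` line (real, effective, saved-set and filesystem UID, in that order) and compares it with what `getuid()` and `geteuid()` return. The helper names `parse_uid_line` and `read_status_uids` are made up for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Parse one "Uid:" line of a status file into
 * ids[0..3] = real, effective, saved-set, filesystem UID.
 * Returns 0 on success, -1 if the line is not a complete Uid line. */
int parse_uid_line(const char *line, unsigned int ids[4])
{
    if (strncmp(line, "Uid:", 4) != 0)
        return -1;
    if (sscanf(line + 4, "%u %u %u %u",
               &ids[0], &ids[1], &ids[2], &ids[3]) != 4)
        return -1;
    return 0;
}

/* Scan a status file (e.g. /proc/self/status) for its Uid line.
 * Returns 0 if found and parsed, -1 otherwise. */
int read_status_uids(const char *path, unsigned int ids[4])
{
    char line[256];
    int rc = -1;
    FILE *f = fopen(path, "r");

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (parse_uid_line(line, ids) == 0) {
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

int main(void)
{
    unsigned int ids[4];

    if (read_status_uids("/proc/self/status", ids) != 0)
        return 1;
    printf("syscall: ruid=%u euid=%u\n",
           (unsigned int)getuid(), (unsigned int)geteuid());
    printf("procfs : ruid=%u euid=%u suid=%u fsuid=%u\n",
           ids[0], ids[1], ids[2], ids[3]);
    /* Both views come from the same struct cred, so they must agree. */
    return (ids[0] == getuid() && ids[1] == geteuid()) ? 0 : 1;
}
```

Run from a setuid binary, the two views still agree, with the first two fields of the `Uid:` line differing from each other.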