mirror of https://github.com/mkerrisk/man-pages
Consistent use of "set-user-ID" and "set-group-ID".
parent da2d9dad4e
commit 880f5b4bc3
12
Changes
|
@ -8,14 +8,18 @@ Contributors
|
|||
The following people contributed notes, ideas, or patches that have
|
||||
been incorporated in changes in this release:
|
||||
|
||||
### Andries Brouwer <Andries.Brouwer@cwi.nl>
|
||||
Andries Brouwer <Andries.Brouwer@cwi.nl>
|
||||
### Joey (Martin) Schulze <joey@infodrom.org>
|
||||
Mike Frysinger <vapier@gentoo.org>
|
||||
|
||||
Apologies if I missed anyone!
|
||||
|
||||
Global changes
|
||||
--------------
|
||||
|
||||
The terms "set-user-ID" and "set-group-ID" are now used consistently
|
||||
(no abbreviations) accorss all manual pages.
|
||||
|
||||
Typographical or grammatical errors have been corrected in several
|
||||
places.
|
||||
|
||||
|
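Review bot: The new "Global changes" entry misspells "across" as "accorss" in the line "(no abbreviations) accorss all manual pages."; correct the spelling, since this text is the release note readers will see for the terminology change.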
@ -27,3 +31,9 @@ New pages
|
|||
|
||||
Changes to individual pages
|
||||
---------------------------
|
||||
|
||||
stat.2
|
||||
Mike Frysinger
|
||||
Improve description of st_dev and st_rdev.
|
||||
mtk
|
||||
Various wording and formatting improvements.
|
||||
|
|
12
man1/chmod.1
|
@ -56,8 +56,8 @@ sticky bit (t), the permissions that the user
|
|||
who owns the file currently has for it (u), the permissions that other
|
||||
users in the file's group have for it (g), and the permissions that
|
||||
other users not in the file's group have for it (o).
|
||||
(Thus, `chmod g\-s file' removes the set-group-ID (sgid) bit,
|
||||
\&`chmod ug+s file' sets both the suid and sgid bits, while
|
||||
(Thus, `chmod g\-s file' removes the set-group-ID bit,
|
||||
\&`chmod ug+s file' sets both the set-user-ID and set-group-ID bits, while
|
||||
\&`chmod o+s file' does nothing.)
|
||||
.PP
|
||||
The name of the `sticky bit' derives from the original meaning:
|
||||
|
@ -133,7 +133,7 @@ usual meaning.
|
|||
POSIX 1003.2 only requires the \-R option. Use of other options
|
||||
may not be portable. This standard does not describe the 't' permission
|
||||
bit. This standard does not specify whether \fBchmod\fP must preserve
|
||||
consistency by clearing or refusing to set the suid and sgid
|
||||
consistency by clearing or refusing to set the set-user-ID and set-group-ID
|
||||
bits, e.g., when all execute bits are cleared, or whether \fBchmod\fP
|
||||
honors the `s' bit at all.
|
||||
.SH "NONSTANDARD MODES"
|
||||
|
@ -142,8 +142,10 @@ Various systems attach special meanings to otherwise
|
|||
meaningless combinations of mode bits.
|
||||
In particular, Linux, following System V (see
|
||||
System V Interface Definition (SVID) Version 3),
|
||||
lets the sgid bit for files without group execute permission
|
||||
mark the file for mandatory locking. For more details, see
|
||||
uses the combination of having the set-group-ID bit enabled
|
||||
while group execute bit is disabled to mean that
|
||||
mandatory locking is enabled for the file.
|
||||
For more details, see
|
||||
the file
|
||||
.IR /usr/src/linux/Documentation/mandatory.txt .
|
||||
.SH NOTES
|
||||
|
|
|
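Review bot: In the rewritten NONSTANDARD MODES sentence, "while group execute bit is disabled" is missing its article. "while the group execute bit is disabled" would match "the set-group-ID bit" earlier in the same sentence and the wording of the other mandatory-locking description touched by this commit ("disabling group execute permission on the file and enabling the set-group-ID permission bit").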
@ -86,10 +86,10 @@ Only copy upon an affirmative answer.)
|
|||
.TP
|
||||
.B \-p
|
||||
Preserve the original files' owner, group, permissions
|
||||
(including the setuid and setgid bits), time of last modification
|
||||
(including the set-user-ID and set-group-ID bits), time of last modification
|
||||
and time of last access.
|
||||
In case duplication of owner or group fails, the setuid and setgid
|
||||
bits are cleared.
|
||||
In case duplication of owner or group fails,
|
||||
the set-user-ID and set-group-ID bits are cleared.
|
||||
(Note that afterwards source and copy may well have different
|
||||
times of last access, since the copy operation is an access
|
||||
to the source file.)
|
||||
|
|
|
@ -222,12 +222,12 @@ combines multiple bits into the third character of each set of permissions
|
|||
.RS
|
||||
.TP
|
||||
.B s
|
||||
If the setuid or setgid bit and the corresponding executable bit are
|
||||
both set.
|
||||
If the set-user-ID or set-group-ID bit and the corresponding
|
||||
executable bit are both set.
|
||||
.TP
|
||||
.B S
|
||||
If the setuid or setgid bit is set but the corresponding executable bit
|
||||
is not set.
|
||||
If the set-user-ID or set-group-ID bit is set
|
||||
but the corresponding executable bit is not set.
|
||||
.TP
|
||||
.B t
|
||||
If the sticky bit and the other-executable bit are both set.
|
||||
|
|
|
@ -56,8 +56,9 @@ When they are on different filesystems, the source file is copied
|
|||
and then deleted.
|
||||
.B mv
|
||||
will copy modification time, access time, user and group ID, and mode
|
||||
if possible. When copying user and/or group ID fails, the setuid and
|
||||
setgid bits are cleared in the copy.
|
||||
if possible.
|
||||
When copying user and/or group ID fails, the set-user-ID and
|
||||
set-group-ID bits are cleared in the copy.
|
||||
.SH "POSIX OPTIONS"
|
||||
.TP
|
||||
.B "\-f"
|
||||
|
|
|
@ -77,7 +77,8 @@ links encountered on the way.
|
|||
The check is done with the process's
|
||||
.I real
|
||||
UID and GID, rather than with the effective IDs as is done when
|
||||
actually attempting an operation. This is to allow set-UID programs to
|
||||
actually attempting an operation.
|
||||
This is to allow set-user-ID programs to
|
||||
easily determine the invoking user's authority.
|
||||
|
||||
Only access bits are checked, not the file type or contents. Therefore, if
|
||||
|
|
|
@ -64,10 +64,10 @@ The SIGCHLD signal (when set to SIG_IGN) may or may not be reset to SIG_DFL.
|
|||
If the current program is being ptraced, a \fBSIGTRAP\fP is sent to it
|
||||
after a successful \fBexecve()\fP.
|
||||
|
||||
If the set-uid bit is set on the program file pointed to by
|
||||
If the set-user-ID bit is set on the program file pointed to by
|
||||
\fIfilename\fP, and the calling process is not being ptraced,
|
||||
then the effective user ID of the calling process is changed
|
||||
to that of the owner of the program file. Similarly, when the set-gid
|
||||
to that of the owner of the program file. Similarly, when the set-group-ID
|
||||
bit of the program file is set the effective group ID of the calling
|
||||
process is set to the group of the program file.
|
||||
|
||||
|
|
|
@ -335,7 +335,7 @@ To make use of mandatory locks, mandatory locking must be enabled
|
|||
.BR mount (8))
|
||||
for the file system containing the
|
||||
file to be locked and enabled on the file itself (by disabling
|
||||
group execute permission on the file and enabling the set-GID
|
||||
group execute permission on the file and enabling the set-group-ID
|
||||
permission bit).
|
||||
|
||||
Advisory locks are not enforced and are useful only between
|
||||
|
|
12
man2/mount.2
|
@ -138,10 +138,10 @@ Do not allow programs to be executed from this file system.
|
|||
.\" users cannot execute files uploaded using ftp or so.)
|
||||
.TP
|
||||
.B MS_NOSUID
|
||||
Do not honour set-UID and set-GID bits when executing
|
||||
Do not honour set-user-ID and set-group-ID bits when executing
|
||||
programs from this file system.
|
||||
.\" (This is a security feature to prevent users executing set-UID and
|
||||
.\" set-GID programs from removable disk devices.)
|
||||
.\" (This is a security feature to prevent users executing set-user-ID and
|
||||
.\" set-group-ID programs from removable disk devices.)
|
||||
.TP
|
||||
.B MS_RDONLY
|
||||
Mount file system read-only.
|
||||
|
@ -348,13 +348,13 @@ in more than one place, so specifying the device does not suffice).
|
|||
The original MS_SYNC flag was renamed MS_SYNCHRONOUS in 1.1.69
|
||||
when a different MS_SYNC was added to <mman.h>.
|
||||
.LP
|
||||
Before Linux 2.4 an attempt to execute a set-UID or set-GID program
|
||||
Before Linux 2.4 an attempt to execute a set-user-ID or set-group-ID program
|
||||
on a filesystem mounted with
|
||||
.B MS_NOSUID
|
||||
would fail with
|
||||
.BR EPERM .
|
||||
Since Linux 2.4 the set-UID and set-GID bits are just silently ignored
|
||||
in this case.
|
||||
Since Linux 2.4 the set-user-ID and set-group-ID bits are
|
||||
just silently ignored in this case.
|
||||
.\" The change is in patch-2.4.0-prerelease.
|
||||
.SH "SEE ALSO"
|
||||
.BR path_resolution (2),
|
||||
|
|
|
@ -64,8 +64,8 @@ Set the state of the flag determining whether core dumps are produced
|
|||
for this process upon delivery of a signal whose default behaviour is
|
||||
to produce a core dump.
|
||||
(Normally this flag is set for a process by default, but it is cleared
|
||||
when a set-UID or set-GID program is executed and also by various system
|
||||
calls that manipulate process UIDs and GIDs).
|
||||
when a set-user-ID or set-group-ID program is executed and also by
|
||||
various system calls that manipulate process UIDs and GIDs).
|
||||
.I arg2
|
||||
must be either 0 (process is not dumpable) or 1 (process is dumpable).
|
||||
.TP
|
||||
|
|
|
@ -248,8 +248,9 @@ The specified process cannot be traced. This could be because the
|
|||
parent has insufficient privileges (the required capability is
|
||||
.BR CAP_SYS_PTRACE );
|
||||
non-root processes cannot trace processes that they
|
||||
cannot send signals to or those running setuid/setgid programs, for obvious
|
||||
reasons. Alternatively, the process may already be being traced, or be
|
||||
cannot send signals to or those running set-user-ID/set-group-ID programs,
|
||||
for obvious reasons.
|
||||
Alternatively, the process may already be being traced, or be
|
||||
.BR init
|
||||
(pid 1).
|
||||
.TP
|
||||
|
|
|
@ -41,7 +41,8 @@ superuser, the real and saved group ID's are also set.
|
|||
Under Linux,
|
||||
.B setgid
|
||||
is implemented like the POSIX version with the _POSIX_SAVED_IDS feature.
|
||||
This allows a setgid program that is not suid root to drop all of its group
|
||||
This allows a set-group-ID program that is not set-user-ID-root root
|
||||
to drop all of its group
|
||||
privileges, do some un-privileged work, and then re-engage the original
|
||||
effective group ID in a secure manner.
|
||||
.SH "RETURN VALUE"
|
||||
|
|
|
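Review bot: The replacement line "This allows a set-group-ID program that is not set-user-ID-root root" repeats "root". The text it replaces said "not suid root", so the new wording should end at "set-user-ID-root" with the trailing word dropped, matching the "set-user-ID-root" form used elsewhere in this commit.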
@ -43,11 +43,11 @@ the real and saved user ID's are also set.
|
|||
Under Linux,
|
||||
.B setuid
|
||||
is implemented like the POSIX version with the _POSIX_SAVED_IDS feature.
|
||||
This allows a setuid (other than root) program to drop all of its user
|
||||
This allows a set-user-ID (other than root) program to drop all of its user
|
||||
privileges, do some un-privileged work, and then re-engage the original
|
||||
effective user ID in a secure manner.
|
||||
.PP
|
||||
If the user is root or the program is setuid root, special care must be
|
||||
If the user is root or the program is set-user-ID-root, special care must be
|
||||
taken. The
|
||||
.B setuid
|
||||
function checks the effective user ID of the caller and if it is
|
||||
|
@ -56,7 +56,7 @@ the superuser, all process related user ID's are set to
|
|||
After this has occurred, it is impossible for the program to regain root
|
||||
privileges.
|
||||
.PP
|
||||
Thus, a setuid-root program wishing to temporarily drop root
|
||||
Thus, a set-user-ID-root program wishing to temporarily drop root
|
||||
privileges, assume the identity of a non-root user, and then regain
|
||||
root privileges afterwards cannot use
|
||||
.BR setuid .
|
||||
|
|
|
@ -80,7 +80,7 @@ Bits defined by POSIX are
|
|||
Read-only file system.
|
||||
.TP
|
||||
.B ST_NOSUID
|
||||
Setuid/setgid bits are ignored by
|
||||
Set-user-ID/set-group-ID bits are ignored by
|
||||
.BR exec (2).
|
||||
.LP
|
||||
|
||||
|
|
|
@ -69,7 +69,8 @@ the extended part reads as zero bytes.
|
|||
The file pointer is not changed.
|
||||
.LP
|
||||
If the size changed, then the ctime and mtime fields for the file
|
||||
are updated, and suid and sgid mode bits may be cleared.
|
||||
are updated,
|
||||
and set-user-ID and set-group-ID permission bits may be cleared.
|
||||
.LP
|
||||
With
|
||||
.BR ftruncate ,
|
||||
|
|
|
@ -88,8 +88,8 @@ If the environment variable
|
|||
.BR LD_LIBRARY_PATH
|
||||
is defined to contain a colon-separated list of directories,
|
||||
then these are searched.
|
||||
(As a security measure this variable is ignored for set-UID and
|
||||
set-GID programs.)
|
||||
(As a security measure this variable is ignored for set-user-ID and
|
||||
set-group-ID programs.)
|
||||
.IP o
|
||||
(ELF only) If the executable file for the calling program
|
||||
contains a DT_RUNPATH tag, then the directories listed in that tag
|
||||
|
|
|
@ -64,7 +64,7 @@ declared in \fBstdio.h\fP.
|
|||
.PP
|
||||
These functions let your program identify positively the user who is
|
||||
running (\fBcuserid\fP) or the user who logged in this session
|
||||
(\fBgetlogin\fP). (These can differ when setuid programs are
|
||||
(\fBgetlogin\fP). (These can differ when set-user-ID programs are
|
||||
involved.)
|
||||
.PP
|
||||
For most purposes, it is more useful to use the environment variable
|
||||
|
|
|
@ -50,7 +50,7 @@ POSIX 1003.1-2001
|
|||
.SH NOTES
|
||||
This is part of the Unix98 pty support, see
|
||||
.BR pts (4).
|
||||
Many systems implement this function via a setuid helper binary
|
||||
Many systems implement this function via a set-user-ID helper binary
|
||||
called "pt_chown". With Linux devpts no such helper binary is required.
|
||||
.SH "SEE ALSO"
|
||||
.BR open (2),
|
||||
|
|
|
@ -103,7 +103,7 @@ to check the exit status of the child. E.g.
|
|||
.PP
|
||||
Do not use
|
||||
.BR system ()
|
||||
from a program with set-UID or set-GID privileges,
|
||||
from a program with set-user-ID or set-group-ID privileges,
|
||||
because strange values for some environment variables
|
||||
might be used to subvert system integrity.
|
||||
Use the
|
||||
|
@ -113,8 +113,8 @@ family of functions instead, but not
|
|||
or
|
||||
.BR execvp (3).
|
||||
.BR system ()
|
||||
will not, in fact, work properly from programs with set-UID or set-GID
|
||||
privileges on systems on which
|
||||
will not, in fact, work properly from programs with set-user-ID or
|
||||
set-group-ID privileges on systems on which
|
||||
.I /bin/sh
|
||||
is bash version 2, since bash 2 drops privileges on startup.
|
||||
(Debian uses a modified bash which does not do this when invoked as
|
||||
|
|
|
@ -67,7 +67,7 @@ Allocation of storage failed.
|
|||
.LP
|
||||
.SH NOTES
|
||||
SUSv2 does not mention the use of TMPDIR; glibc will use it only
|
||||
when the program is not suid.
|
||||
when the program is not set-user-ID.
|
||||
SVID2 specifies that the directory used under (iv) is
|
||||
.IR /tmp .
|
||||
SVID2 specifies that the string returned by
|
||||
|
|
|
@ -272,7 +272,7 @@ the capabilities that the process may assume
|
|||
(i.e., a limiting superset for the effective and inheritable sets).
|
||||
If a process drops a capability from its permitted set,
|
||||
it can never re-acquire that capability (unless it execs a
|
||||
set-UID-root program).
|
||||
set-user-ID-root program).
|
||||
.TP
|
||||
.IR inheritable :
|
||||
the capabilities preserved across an
|
||||
|
@ -281,7 +281,7 @@ the capabilities preserved across an
|
|||
In the current implementation, a process is granted all permitted and
|
||||
effective capabilities (subject to the operation of the
|
||||
capability bounding set described below)
|
||||
when it execs a set-UID-root program,
|
||||
when it execs a set-user-ID-root program,
|
||||
or if a process with a real UID of zero execs a new program.
|
||||
.PP
|
||||
A child created via
|
||||
|
@ -360,12 +360,12 @@ support file capability sets, during an exec:
|
|||
.IP 1. 4
|
||||
All three file capability sets are initially assumed to be cleared.
|
||||
.IP 2. 4
|
||||
If a set-UID-root program is being execed,
|
||||
If a set-user-ID-root program is being execed,
|
||||
or the real user ID of the process is 0 (root)
|
||||
then the file allowed and forced sets are defined to be all ones
|
||||
(i.e., all capabilities set).
|
||||
.IP 3. 4
|
||||
If a set-UID-root program is being executed,
|
||||
If a set-user-ID-root program is being executed,
|
||||
then the file effective set is defined to be all ones.
|
||||
.PP
|
||||
During an exec, the kernel calculates the new capabilities of
|
||||
|
|
|
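Review bot: Steps 2 and 3 state the same condition with different verbs, "If a set-user-ID-root program is being execed" and "If a set-user-ID-root program is being executed". Both lines are edited here, so pick one verb for both; otherwise the list reads as if the two steps test different things.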
@ -191,7 +191,7 @@ However, the resulting process has the same PID as the thread that called
|
|||
it should have the same PID as the main thread.
|
||||
.IP \- 3
|
||||
Threads do not share user and group IDs.
|
||||
This can cause complications with set-UID programs and
|
||||
This can cause complications with set-user-ID programs and
|
||||
can cause failures in Pthreads functions if an application
|
||||
changes its credentials using
|
||||
.BR seteuid (2)
|
||||
|
|
15
man8/ld.so.8
|
@ -39,8 +39,8 @@ Use of DT_RPATH is deprecated.
|
|||
.IP o
|
||||
Using the environment variable
|
||||
.BR LD_LIBRARY_PATH .
|
||||
Except if the executable is a setuid/setgid binary, in which case it
|
||||
is ignored.
|
||||
Except if the executable is a set-user-ID/set-group-ID binary,
|
||||
in which case it is ignored.
|
||||
.IP o
|
||||
(ELF only) Using the DT_RUNPATH dynamic section attribute
|
||||
of the binary if present.
|
||||
|
@ -103,8 +103,9 @@ environment variable.
|
|||
A whitespace-separated list of additional, user-specified, ELF shared
|
||||
libraries to be loaded before all others.
|
||||
This can be used to selectively override functions in other shared libraries.
|
||||
For setuid/setgid ELF binaries, only libraries in the standard search
|
||||
directories that are also setuid will be loaded.
|
||||
For set-user-ID/set-group-ID ELF binaries,
|
||||
only libraries in the standard search
|
||||
directories that are also set-user-ID will be loaded.
|
||||
.TP
|
||||
.B LD_BIND_NOW
|
||||
(libc5; glibc since 2.1.1)
|
||||
|
@ -152,7 +153,7 @@ environment variable.
|
|||
File where
|
||||
.B LD_DEBUG
|
||||
output should be fed into, default is standard output.
|
||||
LD_DEBUG_OUTPUT is ignored for setuid/setgid binaries.
|
||||
LD_DEBUG_OUTPUT is ignored for set-user-ID/set-group-ID binaries.
|
||||
.TP
|
||||
.B LD_VERBOSE
|
||||
(glibc since 2.1)
|
||||
|
@ -174,7 +175,7 @@ Shared object to be profiled.
|
|||
File where
|
||||
.B LD_PROFILE
|
||||
output should be stored, default is standard output.
|
||||
LD_DEBUG_OUTPUT is ignored for setuid/setgid binaries.
|
||||
LD_DEBUG_OUTPUT is ignored for set-user-ID/set-group-ID binaries.
|
||||
.TP
|
||||
.B LD_AOUT_LIBRARY_PATH
|
||||
(libc5)
|
||||
|
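Review bot: The entry describing where LD_PROFILE output is stored ends with "LD_DEBUG_OUTPUT is ignored for set-user-ID/set-group-ID binaries.", the same sentence that appears under the LD_DEBUG output entry in the previous hunk. The terminology change carries over what looks like a copied variable name. Confirm which variable this entry is about (presumably LD_PROFILE_OUTPUT) and fix the name in the same edit, since readers rely on this sentence to know which variables are ignored for privileged binaries.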
@ -196,7 +197,7 @@ Mask for hardware capabilities.
|
|||
.TP
|
||||
.B LD_ORIGIN_PATH
|
||||
(glibc since 2.1)
|
||||
Path where the binary is found (for non-setuid programs).
|
||||
Path where the binary is found (for non-set-user-ID programs).
|
||||
.TP
|
||||
.B LD_DYNAMIC_WEAK
|
||||
(glibc since 2.1.91)
|
||||
|
|
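Review bot: "for non-set-user-ID programs" stacks a prefix onto an already hyphenated term and is hard to parse; "for programs that are not set-user-ID" says the same thing. The other ld.so.8 entries changed in this commit name both set-user-ID and set-group-ID binaries, so it is also worth stating here whether set-group-ID programs are treated the same way.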