Can I assume that nobody is 65534?
I am writing a setuid root program. The program needs to open a file for writing and then write some content to it. It only needs euid 0 to open the file; after that it can drop privileges.
To drop privileges, I could seteuid to the current uid. But I am considering switching to nobody:nogroup instead.
Now I am wondering: can I assume that nobody is 65534 on every system (and that nogroup is 65534 as well)? Is it defined by some standard (POSIX, maybe)?
You cannot. nobody has had at least a few different IDs across distros and time:
Historically, the user “nobody” was assigned UID -2 by several
operating systems, although other values such as 2^(15)−1 = 32,767 are
also in use, such as by OpenBSD. For compatibility between 16-bit
and 32-bit UIDs, many Linux distributions now set it to be 2^(16)−2 =
65,534; the Linux kernel defaults to returning this value when a
32-bit UID does not fit into the return value of the 16-bit system
calls. An alternative convention assigns the last UID of the range
statically allocated for system use (0-99) to nobody: 99.
Perhaps you can use the value of /proc/sys/fs/overflowuid.
I don't know whether it is the same as the UID of "nobody", but it should satisfy your needs.
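As an added example (not code from the question or the answer above), here is a C sketch of how a setuid-root program can drop to an unprivileged account without hard-coding 65534: it looks the account up with getpwnam() and falls back to the kernel's overflow ids from /proc/sys/fs/overflowuid (as the answer suggests) and /proc/sys/fs/overflowgid, then verifies that root cannot be regained. The function names and the overflowgid fallback are my own assumptions.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Read a single numeric id from a /proc file such as /proc/sys/fs/overflowuid. */
static int read_proc_id(const char *path, unsigned long *out) {
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    int ok = (fscanf(f, "%lu", out) == 1);
    fclose(f);
    return ok ? 0 : -1;
}

/* Look up "nobody" in the user database instead of assuming 65534; if no
 * such account exists, fall back to the kernel overflow uid/gid. */
int resolve_unprivileged_ids(uid_t *uid, gid_t *gid) {
    struct passwd *pw = getpwnam("nobody");
    if (pw != NULL) { *uid = pw->pw_uid; *gid = pw->pw_gid; return 0; }
    unsigned long u, g;
    if (read_proc_id("/proc/sys/fs/overflowuid", &u) == 0 &&
        read_proc_id("/proc/sys/fs/overflowgid", &g) == 0) {
        *uid = (uid_t)u; *gid = (gid_t)g; return 0;
    }
    return -1;
}

/* Same lookup, returned as a long (-1 if nothing could be resolved). */
long resolved_unprivileged_uid(void) {
    uid_t u; gid_t g;
    return resolve_unprivileged_ids(&u, &g) == 0 ? (long)u : -1L;
}

/* Permanently drop root: clear supplementary groups and set the gid while
 * still euid 0, then set the uid, then verify the drop really happened.
 * Returns 0 on success, -1 on any failure or if asked to "drop" to uid 0. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;   /* requires euid 0 */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;          /* as root: sets real, effective and saved uid */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    if (seteuid(0) == 0) return -1;           /* saved uid was still 0: drop not permanent */
    return 0;
}

int main(void) {
    uid_t uid; gid_t gid;
    if (resolve_unprivileged_ids(&uid, &gid) != 0) return 1;
    /* open the output file here, while euid is still 0 */
    if (drop_privileges(uid, gid) != 0) return 1;
    printf("running as uid %lu gid %lu\n", (unsigned long)uid, (unsigned long)gid);
    return 0;
}
```

drop_privileges() only succeeds when the process actually starts with euid 0; run as an ordinary user it fails at setgroups(), which is the safe outcome.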