So a user has a primary group and may belong to other supplementary groups.
Suppose user A's primary group is G and the supplementary groups are G+1, G+2.
User A runs a program; is it possible to change the group id to G+1?
By default I know the group id will be set to G, but an error is thrown when I run the program below. The error is: Operation not permitted, where 4 is a supplemental group the user belongs to.
According to the manual's ERRORS section:
EPERM The calling process is not privileged (does not have the CAP_SETGID capability), and gid does not match the real group ID or saved set-group-ID of the calling process.
How do I list the capabilities of a process?
What does the saved set-group-id mean?
#include <stdio.h>
#include <unistd.h>

int
main ()
{
  int x = 0;
  char *error = "erroris";
  x = setgid (4);          /* 4 is a supplementary group of the user; fails with EPERM */
  printf ("%d", x);
  perror (error);
  return 0;
}
Too many questions in one question!
Problem 1: cannot use setgid to change to a different group id
Reasons for failure: User is not root, User is not euid 0, User does not have CAP_SETGID
Problem 2: How do I list the capabilities of a process?
Answer 2: Use cap_get_proc and cap_to_text to list the capabilities of a process.
Problem 3: What does the saved set-group-id mean?
Answer 3: When you use one of the sete*id() calls successfully, it records the old one in the saved id. This allows you to revert back to the saved value, because this is one of the ids you're permitted to change to using the set call.
I am trying to debug a problem in a grails application and I see in log:
[http-nio-8180-exec-19] ERROR org.hibernate.internal.SessionImpl - HHH000346: Error during managed flush [Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1]. I want to know what http-nio-8180-exec-19 stands for and if I can use this thread name to track which user did the operation that led to the exception.
Can I assume that on thread http-nio-8180-exec-19 I will see all the operations done by just one user, and that each user who logs into the application will have a different thread associated?
By default I believe those are the names of threads, though you could put whatever you want there. If you have something like [%15.15t] in your logback.groovy, that is what is causing the thread name to be inserted there.
I'm running this program as root and I have the following result with the command id mike:
uid=1001(mike) gid=1002(mike) groups=1002(mike),1005(mynewgroup)
I'm using the following code to get the groups:
#include <stdio.h>
#include <unistd.h>
#include <limits.h>   /* NGROUPS_MAX */
int main(void) {
    gid_t groupIDs[NGROUPS_MAX];
    int count, i;
    setgid(1002);
    setuid(1001);
    if ((count = getgroups(NGROUPS_MAX, groupIDs)) == -1)
        perror("getgroups error");
    else
        for (i = 0; i < count; i++)
            printf("Group ID %d = %d\n", i + 1, (int) groupIDs[i]);
}
The result I need is to list groups 1002 and 1005. It's just giving me
Group ID 1 = 1002
How do I get all the groups of a user with getgroups?
It's unclear what you are doing here. Is your process root, then you setgid + setuid and expect getgroups to give you a list similar to what id provided?
First off, getgroups deals with credentials of the current process which must not be confused with credentials configured in /etc/group or other places. E.g. when the user in question logs in whatever deals with it has to explicitly set all the groups by hand, something you did not do. In particular that program does setuid and setgid, but also does other stuff to properly set credentials.
So you need to run a function which provides the groups configured for a given user. You already know a tool which does the job - it is id. Since this is open source, you can just check what it does.
In this particular case the keyword you are looking for is getgrouplist. Note there is 0 use for setuid/setgid to find out what the group list is.
I am looking at files under /proc/$pid/attr:
current exec fscreate keycreate prev sockcreate
Does anybody know what these files do?
/proc = process information pseudo-filesystem
/proc/[pid]/attr = security attributes
/exec = represents the attributes assigned to the process; this is needed to support role/domain transitions
/fscreate = represents the attributes to assign to files created by subsequent calls (mkdir, symlink, ...)
/keycreate = if/when a process writes a security context into this file, all subsequently created keys will be labelled with this context
/prev = shows the previous value of /proc/[PID]/attr/current
/sockcreate = if/when a process writes a security context into this file, all subsequently created sockets will be labelled with this context
I'm trying to determine if the current user has delete rights. I can check the ACLEntry for the person, but if they are getting their access privileges from one or more groups this will mean cycling through the group names in the ACL, checking if they have delete rights, then seeing if the user is a member of the group. This could be a fairly intensive process. I have heard that there might be a method in the ext Lib but have not been able to find anything.
What is the best way to determine if the user can delete documents?
Adapting this example slightly, here's a function that would allow you to query this privilege (and a few others, for good measure):
function getUserPrivileges() {
    var privileges = database.queryAccessPrivileges(context.getUser().getDistinguishedName());
    return {
        createDocuments: ((privileges & NotesDatabase.DBACL_CREATE_DOCS) > 0),
        deleteDocuments: ((privileges & NotesDatabase.DBACL_DELETE_DOCS) > 0),
        readPublicDocuments: ((privileges & NotesDatabase.DBACL_READ_PUBLIC_DOCS) > 0),
        writePublicDocuments: ((privileges & NotesDatabase.DBACL_WRITE_PUBLIC_DOCS) > 0)
    };
}
If you add the above to a script library, then any code that references that library could include logic like the following:
if (getUserPrivileges().deleteDocuments) {
    // delete something…
}
For additional flexibility, you could adjust the getUserPrivileges() function to be passed a handle on the specific database the user is trying to delete from instead of always assuming it's the current.
I am trying to change the name of a thread in QNX 6.4.1, but the threads continue to be listed with the parent process name in a "pidin" listing.
I have created the thread:
iReturn = pthread_create(&threadhandle, &attr, &CALzoneCommThread, this);
I have renamed the thread from within the thread itself:
iReturn = pthread_setname_np(NULL, "HappyThread");
I have read the thread name back:
iReturn = pthread_getname_np(NULL, thread_name, 80);
And all threads return the name "HappyThread" as verified with printf statements, yet when I do a pidin, they are still listed with the process name "testapp". I need some help determining whether I have done something wrong in the code above, or if I am fundamentally misunderstanding the pidin command.
Due to a requirement to play nicely with legacy utilities, the threads must have a name other than the process name.
Platform: QNX 6.4.1
Language: C
Yes, you have done something wrong in the code AND you are misunderstanding the output of the pidin command:
The behavior of your code is unspecified because you are passing NULL (which gets converted to 0) as the thread-id. QNX numbers its threads from 1, therefore thread 0 is unspecified. Experimentation shows that passing 0 for the TID behaves identically to passing 1, for both pthread_setname_np and pthread_getname_np. Therefore, your code is setting and getting the name of the main thread and not that of the thread you created via the pthread_create() call. You should pass threadhandle as the parameter of the set/get_name calls to actually refer to the newly created thread:
iReturn = pthread_setname_np(threadhandle, "HappyThread");
With no arguments pidin does not display the thread-name set via pthread_setname_np() at all. When called with no arguments pidin displays the process ID in the first column, the thread ID (numeric) in the second column and the name of the process in the third column (that's what you likely misunderstood for the thread-name).
You can call pidin with the argument 'threads' as suggested by others above; this will display the thread-name in the third column if one has been set up, or the numeric thread ID otherwise. Alternatively, you can call pidin similar to the following in order to get both the numeric and symbolic (if available) IDs of each thread:
pidin -faNbh
For each thread in the system this will print the PID, process-name, TID and thread-name in that order. Refer to "use pidin" for how that works.