
Re: applications, users, groups, permissions



On 20.01.07 23:15, Peter Michaux wrote:
> In my apache2.conf file I have the user and group directives which are
> fairly self explanatory.
> 
> User www-data
> Group www-data
> 
> When apache tries to serve a file it must have permission to access
> that file. Apache will have permission because either the "www-data"
> user has permission to access that file or group "www-data" has
> permission. How does the permission checking occur? When the apache
> process starts does it tell the os it's user and group and then the os
> knows when apache tries to access a file? Or when apache tries to
> access a file the os asks apache for it's user and group? Or when
> apache tries to access a file it also tells the os it's user and
> group?

When apache wants to open the file, the kernel checks apache's effective uid,
gid and supplementary group ids, compares them to the file's uid, gid (acl's) and
privileges, and then it decides whether apache may or may not open the file.

> Why is it I can set the group to one that the user does not belong?

apache starts as root, which allows it to set any uid and gid you set up.

> I can also comment out the group directive altogether. The default
> value of the group directive in apache is "#-1". There is no group
> with id -1 on my computer. How can I determine which group apache is
> running in? An application must be running in a particular group,
> doesn't it?

it does, it will simply run with GID 4294967295 (e.g. -1). The existence of
that GID in /etc/group or other system database has nothing to do with it -
as root you can set your UID and GID to any number you want (but not always
in security enhanced systems which control that). The kernel only uses UID
and GID, which are numbers. The kernel does not care about things like
password/group databases - they are implemented in userspace programs and
libraries.

>  If I also comment out the User directive apache even
> cannot start because user with id 4294967295 (ie 2^32-1) does not
> exist. This makes me think group with id 4294967295 doesn't exist
> also. So an application must be running as a user but not necessarily
> as a group?

Apache itself wants to run as a user which exists in the system databases. However,
that's an apache feature, which may be enhanced to require an "existing" group too
(seems it is not).

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
The early bird may get the worm, but the second mouse gets the cheese. 
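The check Matus describes, written out as a model in C: an added example, not code from the thread or from the kernel. It models only the classic mode-bit rules (owner, group, other, uid 0 bypass) and ignores ACLs, capabilities and security modules.

```c
/* Model of the classic Unix mode-bit check the kernel performs when a
 * process such as apache opens a file. Added example; simplified: no
 * ACLs, no capabilities beyond euid 0, no security modules. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/stat.h>   /* S_IXUSR etc. and mode_t */
#include <sys/types.h>  /* uid_t, gid_t */

/* Per-process credentials the kernel keeps: effective uid/gid plus
 * supplementary groups (what the /etc/group membership turned into). */
struct creds {
    uid_t euid;
    gid_t egid;
    const gid_t *groups;
    size_t ngroups;
};

/* Requested access as a 3-bit rwx mask (4 = read, 2 = write, 1 = exec). */
enum { ACC_R = 4, ACC_W = 2, ACC_X = 1 };

/* True if gid is the effective gid or one of the supplementary gids. */
static bool in_groups(const struct creds *c, gid_t gid)
{
    if (c->egid == gid)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Returns true if a process with credentials c may access a file owned by
 * (f_uid, f_gid) with permission bits f_mode in the way 'want' asks.
 * Exactly one class of bits applies: owner if the euid matches, otherwise
 * group if egid or any supplementary gid matches, otherwise other. */
bool may_access(const struct creds *c, uid_t f_uid, gid_t f_gid,
                mode_t f_mode, int want)
{
    int bits;
    if (c->euid == 0) {
        /* uid 0 bypasses read/write; exec still needs some x bit set */
        if (!(want & ACC_X))
            return true;
        return (f_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    }
    if (c->euid == f_uid)
        bits = (f_mode >> 6) & 7;
    else if (in_groups(c, f_gid))
        bits = (f_mode >> 3) & 7;
    else
        bits = f_mode & 7;
    return (bits & want) == want;
}
```

Note the "exactly one class" rule: an owner whose own bits are empty is denied even when the group bits would allow it, and a GID such as 4294967295 that matches no file group simply falls through to the "other" bits.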