Sujet : Re: privileged user in RedHat
De : lew.pitcher (at) *nospam* digitalfreehold.ca (Lew Pitcher)
Groupes : comp.os.linux.miscDate : 28. Aug 2024, 15:22:50
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <van8ba$3fst1$1@dont-email.me>
References : 1
User-Agent : Pan/0.139 (Sexual Chocolate; GIT bf56508 git://git.gnome.org/pan2)
On Wed, 28 Aug 2024 08:21:01 +0200, Marco Moock wrote:
Hello!
Is there any definition for the word "privileged user" in the Linux
(especially RedHat) environment?
That's a question with a complicated answer.
Linux has adopted the concept of "capabilities", which
a) subdivide privileges into categories, and
b) can be assigned (with limitations) to unprivileged UIDs
Processes run by the "root" user (UID 0), within the initial
"host" environment (i.e., not running in a container) have all
capabilities, until they drop one or more of those capabilities.
If/when a "privileged" process fork()s, the child process does
not receive full capabilities; instead, it inherits the retained
capability set of it's parent process.
A common way to delegate UID 0 privileges is for the binary owned
by UID 0 to have the SETUID permission bit set. This permits the
binary, when run with the UID of an unprivileged user, to act as
UID 0, with all it's permissions. Some general purpose utilities,
such as su(1) and sudo(8) work this way.
I am currently learning RedHat OpenShift and the courses include a
question where the answer is that 2 containers run with UID 27 are
called privileged. (DO190 ch03s08 if you have access).
Containers have different restrictions. Containers initiated by
privileged processes retain the privileges of the process that started
them, and (subject to certain rules relating to the /type/ of container)
may even regain privileges /within the processes in the container/.
Containers initiated by unprivileged processes may gain new privileges,
again, /within the processes in the container/. However, there are
privileges that such process cannot gain.
I am aware that it is common that normal (real people) users start with
1000 ongoing, server process users are below. Is there a difference on
the IDs or is that just tradition?
UID 0 is the only privileged UID. All the other UIDs start off "unprivileged".
The distinction between the UIDs below 1000 and those above is purely
artificial and administrative. There are other separations, other than
"privilege" that are applied by UID (and/or GID), and this numbering
convention permits the distribution to fit those distinctions in without
affecting the UID assignments that the sysadmin will also implement.
HTH
-- Lew Pitcher"In Skills We Trust"