Fwd: User groups membership information

---------- Forwarded message ----------
From: Avishay Traeger <atraeger@xxxxxxxxxxxxx>
Date: Feb 18, 2007 8:53 PM
Subject: Re: User groups membership information
To: BVK <bvk.groups@xxxxxxxxx>


On Sun, 2007-02-18 at 20:43 +0530, BVK wrote:
On 2/18/07, Avishay Traeger <atraeger@xxxxxxxxxxxxx> wrote:
> All of the management happens in userspace.  Processes are
> assigned the UIDs and GIDs of the user that executed them.

I see that only one gid (and egid, fsgid) is stored in task_struct.  I
guess it must be the primary-group-id of the user.

But a user can be a member of more than one group and he must be
allowed access to files, if he is a member of the group identified by
file's GID, right?  If kernel has only ONE group-id in task_struct,
how does it allow access to files, which could potentially be from
multiple groups?

It has this field which keeps all of the groups:
struct group_info *group_info;
Look at the permission check code to see how it is all used.

> Now when the program wants to open a file, for example, the UID and GIDs
> stored in task_struct are compared to the allowable UID and GIDs for the
> file.

I think inode contains ONLY ONE gid (and ONE owner UID), right?  This
allowable GID need not be equal to GID stored in task_struct and still
kernel needs to allow access to file.  Am I terribly missing
something?

Yes, the inode contains only one UID and GID.  The GID needs to match
one of the GIDs from task_struct:

if (in_group_p(inode->i_gid))
       mode >>= 3;

> Note that only some file systems use this functions,
> while others implement their own.

Is this check done in filesystem layer?  I thought it is done above
(or before) filesystem layer.  Thanks for this info.

The VFS will do some preliminary checks, but it is up to the file system
to determine access rights (not every file system has GIDs, for
example).

/ bvk-chaitanya

By the way, you should have CC'ed kernelnewbies so other people can
learn from this as well...

Thanks,
Avishay
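
The class selection discussed in this thread, as an added example that is not part of the original messages and is not kernel code. It is a userspace model; struct cred_model, in_group() and may_access() are hypothetical names, the sample IDs are constructed, and capabilities and ACLs are left out.

```c
/* Userspace model of the permission-bit selection; not kernel code.
 * All names below are hypothetical. Capabilities and ACLs are ignored. */
#include <stddef.h>
#include <sys/types.h>

#define MAY_EXEC  1
#define MAY_WRITE 2
#define MAY_READ  4

struct cred_model {
    uid_t fsuid;
    gid_t fsgid;            /* the single gid kept for file access */
    const gid_t *groups;    /* supplementary groups (role of group_info) */
    size_t ngroups;
};

/* Models in_group_p(): match fsgid first, then the supplementary list. */
static int in_group(const struct cred_model *c, gid_t gid)
{
    if (c->fsgid == gid)
        return 1;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return 1;
    return 0;
}

/* Returns 1 if every bit in mask is granted by the selected class. */
static int may_access(const struct cred_model *c, uid_t i_uid, gid_t i_gid,
                      unsigned mode, unsigned mask)
{
    if (c->fsuid == i_uid)
        mode >>= 6;         /* owner bits; group bits are not consulted */
    else if (in_group(c, i_gid))
        mode >>= 3;         /* group bits */
    /* otherwise the low three "other" bits apply */
    return (mode & mask & 7) == mask;
}

/* Constructed sample: uid 1000, primary gid 1000, also in groups 27, 44. */
static const gid_t sample_groups[] = { 27, 44 };
static const struct cred_model sample = { 1000, 1000, sample_groups, 2 };

int main(void)
{
    /* A 0640 file owned by uid 0, gid 44 is readable through group 44. */
    return may_access(&sample, 0, 44, 0640, MAY_READ) ? 0 : 1;
}
```

In this model exactly one class is chosen, so an owner whose owner bits are empty is denied even when the group bits would grant access.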
