File: groups.html

<HTML>
<HEAD>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
   <META NAME="Generator" CONTENT="Microsoft Word 97">
   <META NAME="Template" CONTENT="C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\html.dot">
   <META NAME="GENERATOR" CONTENT="Mozilla/4.01b6C [en] (X11; I; Linux 2.1.47 i486) [Netscape]">
   <TITLE>Processes and Process Context</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" LINK="#0000FF" VLINK="#800080">
<FONT COLOR="#3366FF"><FONT SIZE=+3><B>User
and Group Privileges</B></FONT></FONT><FONT COLOR="#3366FF"><FONT SIZE=+3></FONT></FONT>

<P><FONT SIZE=+1>&nbsp;Each process has some form of associated Process
Identifier (PID) through which it may be manipulated. The process also
carries the User Identifier (UID) of the person who initiated the process
and will also have a group identifier (GID).</FONT>

<P><FONT SIZE=+1>&nbsp;The UID is used to decide whether a process has the
privilege to perform operations on resources such as files. Processes will
normally belong to one or more process groups. A group identifier (GID) is
used by the kernel to identify privileges allocated to a group of users and
hence to the processes they create. Groups allow subsets of the available
privileged operations (such as granting of access to files and printers, or
the ability to create directories) to be restricted to members of a
particular group only, with non-members of the group being excluded from
performing those operations.</FONT>

<P><FONT SIZE=+1>&nbsp;</FONT>
<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=7 WIDTH="491" >
<TR>
<TD VALIGN=TOP WIDTH="48%"><B><FONT COLOR="#FF0000"><FONT SIZE=+1>Linux</FONT></FONT></B></TD>

<TD VALIGN=TOP WIDTH="4%"><FONT SIZE=+1>&nbsp;</FONT></TD>

<TD VALIGN=TOP WIDTH="48%"><B><FONT COLOR="#FF0000"><FONT SIZE=+1>Windows
NT</FONT></FONT></B></TD>
</TR>

<TR>
<TD VALIGN=TOP WIDTH="48%"><FONT SIZE=+1>On a Unix derivative system such
as Linux the PID, UID and GID identifiers equate to simple integers which
are associated with processes as part of their Process Control Block.</FONT></TD>

<TD VALIGN=TOP WIDTH="4%"><FONT SIZE=+1>&nbsp;</FONT></TD>

<TD VALIGN=TOP WIDTH="48%"><FONT SIZE=+1>A process handle is used for the
process identifier. A process handle is a special case of an Object handle,
where object handles may reference files, devices and processes.</FONT>&nbsp;

<P><FONT SIZE=+1>&nbsp;</FONT></TD>
</TR>

<TR>
<TD VALIGN=TOP WIDTH="48%"><FONT SIZE=+1>On Unix, processes maintain a parent-child
relationship where the process that initiates a sub process becomes a parent
to its child via a fork and optional exec operation to first clone the
parent process and then replace it with a new executable process image.
Due to this relationship it is possible to terminate all child processes
by sending a KILL signal to the parent. All of the processes in the system
are accessed via a doubly linked list whose root is the init process's
task_struct data structure.</FONT>&nbsp;

<P><FONT SIZE=+1>&nbsp;</FONT></TD>

<TD VALIGN=TOP WIDTH="4%"><FONT SIZE=+1>&nbsp;</FONT></TD>

<TD VALIGN=TOP WIDTH="48%"><FONT SIZE=+1>Windows NT processes do not maintain
a parent-child relationship. Instead a process maintains an Object table
to hold handles of other processes.&nbsp;</FONT>&nbsp;

<P><FONT SIZE=+1>&nbsp;</FONT>&nbsp;

<P><FONT SIZE=+1>When a new process is created it inherits all object handles
from its creator that were previously marked with the inheritance attribute.&nbsp;</FONT>&nbsp;

<P><FONT SIZE=+1>&nbsp;</FONT></TD>
</TR>

<TR>
<TD VALIGN=TOP WIDTH="48%"><FONT SIZE=+1>Access to resources is decided
by combining the permissions defined on the resource with the UID and GID
(or effective UID and GID) under which a process is running.
The owner of a resource or the administrator may grant access to a user
or group of users.</FONT></TD>

<TD VALIGN=TOP WIDTH="4%"><FONT SIZE=+1>&nbsp;</FONT></TD>

<TD VALIGN=TOP WIDTH="48%"><FONT SIZE=+1>The NT Object Manager attaches
an <I>access token</I> to a process which is checked against a resource's
permissions to decide which access rights the process is granted.
The owner of a resource or the administrator may grant access permissions
to a user or group of users.</FONT></TD>
</TR>
</TABLE>
<FONT SIZE=+1>&nbsp;</FONT>

<P><FONT SIZE=+1>Example: a Linux device may be allocated the bitmask
permissions of <FONT FACE="Courier">crwxr-x---</FONT>, may be owned by
the root user (UID=0) and be allocated to the <FONT FACE="Courier">admin</FONT>
group. The allocated permissions of the device indicate that a process
operating for the root user will have read, write and execute permissions
on the device. A process operating with an effective GID of the admin group
will have read and execute permissions, with other users being prevented
from carrying out any operations on the device.</FONT>
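
<P><FONT SIZE=+1>The owner/group/other decision described in the example above, written out in C as an added illustration (not code from the original article or from the Linux kernel). The <FONT FACE="Courier">cred_ex</FONT> structure, the <FONT FACE="Courier">may_access</FONT> function and the GID value 50 for <FONT FACE="Courier">admin</FONT> are assumptions made for the example.</FONT>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

enum { WANT_X = 1, WANT_W = 2, WANT_R = 4 };  /* same bits as one rwx triplet */

/* Hypothetical credential record: effective IDs plus supplementary groups. */
struct cred_ex { uid_t euid; gid_t egid; const gid_t *groups; size_t ngroups; };

static bool in_group(const struct cred_ex *c, gid_t gid)
{
    if (c->egid == gid)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/*
 * Classic owner/group/other check. Exactly one class is selected, in that
 * order, and only its triplet is consulted: an owner denied by the owner
 * bits is not rescued by more generous group or other bits.
 * Not modelled: root's capability override (CAP_DAC_OVERRIDE) and ACLs.
 */
bool may_access(mode_t mode, uid_t owner, gid_t group,
                const struct cred_ex *c, int want)
{
    int granted;

    if (c->euid == owner)
        granted = (mode >> 6) & 7;   /* owner triplet */
    else if (in_group(c, group))
        granted = (mode >> 3) & 7;   /* group triplet */
    else
        granted = mode & 7;          /* other triplet */
    return (granted & want) == want;
}

/* Constructed sample matching the text: rwxr-x---, owner root, group admin. */
#define ADMIN_GID 50                 /* assumed GID for the admin group */
#define DEV_MODE  0750

int main(void)
{
    struct cred_ex member = { 1000, ADMIN_GID, NULL, 0 };  /* constructed user */
    printf("admin write allowed: %d\n", may_access(DEV_MODE, 0, ADMIN_GID, &member, WANT_W));
    return 0;
}
```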
<DIV ALIGN=right><A HREF="psimage.html"><IMG SRC="../gx/flower/cyan_lef.gif" BORDER=0 HEIGHT=31 WIDTH=31></A><A HREF="page1.html"><IMG SRC="../gx/flower/cyan_up.gif" BORDER=0 HEIGHT=31 WIDTH=31></A><A HREF="multitask.html"><IMG SRC="../gx/flower/cyan_rig.gif" BORDER=0 HEIGHT=31 WIDTH=31></A></DIV>
&nbsp;
</BODY>
</HTML>