Real, Effective and Saved UserID in Linux
Every user in a Unix-like operating system is identified by a unique integer number, called the UserID (UID).
There are three types of UID defined for a process, and they can be changed dynamically according to the privilege the task needs.
The three types of UID are:
1. Real UserID
2. Effective UserID
3. Saved UserID
1. Real UserID: For a process, the Real UserID is simply the UserID of the user that started it. It defines which files this process has access to.
2. Effective UserID : It is normally the same as Real UserID, but sometimes it is changed to enable a non-privileged user to access files that can only be accessed by a privileged user like root.
For example, look at the permissions of the /usr/bin/passwd file:
-rwsr-xr-x 1 root root 59640 Mar 23 2019 /usr/bin/passwd
The s in the owner's permission bits is the set-user-ID bit. So if a non-root user runs this file, the EUID of the process will be "0", i.e. root, and the UID remains the same as that of the original user.
3. Saved UserID: It is used when a process running with elevated privileges (generally root) needs to do some under-privileged work. This is achieved by temporarily switching to a non-privileged account.
While performing under-privileged work, the effective UID is changed to some lower-privilege value, and the previous EUID is saved to the saved UserID (suid), so that it can be used to switch back to the privileged account when the task is completed.
You can print the UID by simply typing id in a terminal:
uid=1000(mandeep) gid=1000(mandeep) groups=1000(mandeep), 4(adm), 24(cdrom), 27(sudo), 30(dip), 46(plugdev), 113(lpadmin), 128(sambashare)
The id command can be used to print real and effective user and group IDs.
Different options of id:
-g, --group : print only effective group id
-G, --groups : print all group IDs
-r, --real : print only real user id
-u, --user : print only effective user id
For example :
Note: When you use the id command with the -r option, you will get an error like
id: cannot print only names or real IDs in default format
To deal with this, use the -r option in conjunction with another option, for example, id -rg
To set the real user ID, the effective user ID, and the saved set-user-ID of the calling process, we use setresuid(); setresgid() is the equivalent for the group IDs.
int setresuid(uid_t ruid, uid_t euid, uid_t suid); /* for a specific user */
int setresgid(gid_t rgid, gid_t egid, gid_t sgid); /* for a specific group */
Return Value :
On success, 0 is returned.
On error, -1 is returned.
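The temporary switch described under Saved UserID, written with setresuid() and its counterpart getresuid(), as an added example that is not code from the original article. It goes one step further and also shows a permanent drop that checks the old effective UID can no longer be regained. The helper names drop_temporarily, restore_privileges, drop_permanently and the KEEP macro are assumptions of this example.

```c
#define _GNU_SOURCE            /* setresuid()/getresuid() are GNU/Linux extensions */
#include <stdio.h>
#include <unistd.h>

/* Repeated so the file still builds if a header was included before _GNU_SOURCE. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
#define KEEP ((uid_t)-1)       /* passing -1 leaves that ID unchanged */

/* Temporary drop: euid becomes the real UID, the old euid is parked in the saved UID. */
int drop_temporarily(void) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    return setresuid(KEEP, r, e);
}

/* Switch back: copy the saved UID into the effective UID. */
int restore_privileges(void) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    return setresuid(KEEP, s, KEEP);
}

/* Permanent drop: overwrite all three IDs, then verify the old euid is unreachable. */
int drop_permanently(void) {
    uid_t r, e, s, old_e;
    if (getresuid(&r, &old_e, &s) != 0) return -1;
    if (setresuid(r, r, r) != 0) return -1;
    if (getresuid(&r, &e, &s) != 0 || e != r || s != r) return -1;
    if (old_e != r && setresuid(KEEP, old_e, KEEP) == 0) return -1; /* regained: fail */
    return 0;
}

static void show(const char *label) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) == 0)
        printf("%-10s ruid=%u euid=%u suid=%u\n", label, (unsigned)r, (unsigned)e, (unsigned)s);
}

int main(void) {
    show("start");
    if (drop_temporarily() != 0) { perror("drop_temporarily"); return 1; }
    show("temp drop");
    if (restore_privileges() != 0) { perror("restore_privileges"); return 1; }
    show("restored");
    if (drop_permanently() != 0) { perror("drop_permanently"); return 1; }
    show("perm drop");
    return 0;
}
```

Run as an ordinary user, all three IDs are equal and every line prints the same values; the IDs only differ when the binary is set-user-ID, as with /usr/bin/passwd above.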
For more details : Use Linux manual page (man user id).