
Chapter 8 - Users and Groups

UNIX Systems Programming for SVR4
David A. Curry
 Copyright © 1996 O'Reilly & Associates, Inc.

The Group ID Number
In addition to the real, effective, and saved user IDs, the operating system also associates with each process a real group ID number, an effective group ID number, and a saved group ID number. These values are also used to determine a process' access permissions, although they affect only the ability to access files (the user ID is also used to determine permission to execute certain system calls, and for accounting purposes). An analogous set of functions lets you manipulate the group ID:
    #include <sys/types.h>
    #include <unistd.h>
    gid_t getgid(void);
    gid_t getegid(void);
    int setgid(gid_t gid);
    int setegid(gid_t egid);
All of these functions behave exactly like their user ID counterparts, including the rules for changing the real and effective group ID.
The setegid function is not available in HP-UX 10.x.
Porting Notes
Just as they do not use the saved user ID, Berkeley-based versions of UNIX do not use the saved group ID idea. Instead, they provide a different function for changing the real and effective group IDs:
    int setregid(int gid, int egid);
This function has the same semantics, and the same problems, as the setreuid function described earlier.
Group Membership
In older versions of UNIX, such as Version 7 and pre-SVR4 versions of System V, a user could be a member of only one group at a time. To change groups, a user would use the command newgrp, which used setgid to change the process' real and effective group IDs.
In 4.2BSD, Berkeley introduced the concept of a group set. This allows a user to be in all her groups at once; processes execute with the combined permissions of all the groups, instead of a single group. This setup is much more convenient, and has been adopted by a number of vendors. SVR4 allows the system administrator to configure either behavior into the system; the default “out of the box” configuration uses the group set.
There are two system calls for manipulating the group set:
    #include <unistd.h>
    int getgroups(int gidsetsize, gid_t *grouplist);
    int setgroups(int ngroups, const gid_t *grouplist);
The getgroups function gets the current group set and stores it in the array pointed to by grouplist, which has gidsetsize entries, and must be large enough to contain the entire list. The list can have a maximum of NGROUPS_MAX entries; this constant is defined in the include file. If gidsetsize is 0, getgroups returns the number of groups to which the calling process belongs without modifying the grouplist array. Upon successful completion, getgroups returns the number of groups placed into grouplist; -1 is returned if an error occurs and the reason for failure will be stored in errno.
The setgroups function sets the group set to the list of group IDs contained in the array pointed to by grouplist, which contains ngroups elements (ngroups may not exceed NGROUPS_MAX). This function may only be invoked by the superuser. If setgroups succeeds, it returns 0. Otherwise, it returns -1 and places an error code in the external integer errno.
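The following is an added example, not code from the book: it reads the group set with the two-step getgroups call described above (size query first, then the fetch) and counts the entries other than a given group ID, a check a program can run after changing groups to confirm which group permissions it still carries. The function names get_group_set and extra_groups are this example's own.

```c
/* Added example (not from the book): read and audit the process group set. */
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

/* Store a malloc'd copy of the group set in *out (caller frees).
 * Returns the number of entries, or -1 with errno set. */
int get_group_set(gid_t **out)
{
    int n = getgroups(0, NULL);          /* size 0: count only, list untouched */
    if (n < 0)
        return -1;
    gid_t *list = malloc((n > 0 ? (size_t)n : 1) * sizeof *list);
    if (list == NULL)
        return -1;
    if (n > 0 && (n = getgroups(n, list)) < 0) {
        free(list);
        return -1;
    }
    *out = list;
    return n;
}

/* Count group-set entries other than `keep`; -1 on error.
 * A nonzero result after a switch to `keep` means the process still
 * executes with the permissions of those other groups. */
int extra_groups(gid_t keep)
{
    gid_t *list;
    int extra = 0, n = get_group_set(&list);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (list[i] != keep)
            extra++;
    free(list);
    return extra;
}

int main(void)
{
    gid_t *list;
    int n = get_group_set(&list);
    if (n < 0) { perror("getgroups"); return 1; }
    for (int i = 0; i < n; i++)
        printf("group set[%d] = %ld\n", i, (long)list[i]);
    free(list);
    printf("groups besides egid %ld: %d\n", (long)getegid(), extra_groups(getegid()));
    return 0;
}
```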
