This is especially a problem for setuid/setgid programs.
Similarly, a setgid process runs with the privileges associated with the group owner of the file.
Alternatively, applications that are group-owned by pkcs11 and have the setgid bit set will also be able to run.
Prior to this command, you needed to work with Role-Based Access Control (RBAC) to help remedy the problem of setuid and setgid programs.
One common approach is to create a command-line tool that carries the special privilege (for example, it is setuid or setgid) but performs an extremely limited function.
Where possible, try to avoid creating setuid or setgid programs at all, because it's very difficult to make sure that you're really protecting all inputs.
Normally, a process runs with the user and group identities of the user who started it, but a "setuid" or "setgid" program picks up the privileges of the user or group that owns the program file.
For instance, on Mac OS X, the wall utility — short for "write all," because it writes a message to every physical or virtual terminal device — is setgid tty (as shown above).
An exception to this inheritance rule, where a process might acquire greater privileges than its owner, is an application with the special setuid or setgid bit enabled, as shown by ls.
Many programs are "setgid games" so that only the game programs can modify the "top ten" scores, and the files storing the scores are owned by the group games (and only writeable by that group).
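The "setgid games" high-score writer described above, combined with the earlier advice to give a privileged tool an extremely limited function and to protect all of its inputs, as an added C example; this is not code from the page or from any real game. It assumes a Linux or BSD system with setresgid(), that the binary would be installed group-owned by games with mode 2755, and that the scores file at the hypothetical path SCORES_FILE is group-owned by games with mode 664. The program only ever uses the real and effective gid it actually has, so it also runs unprivileged.

```c
/* Added example (not from the page): a minimal "setgid games" score writer.
 * Assumed install: chgrp games hiscore && chmod 2755 hiscore;
 *                  chgrp games SCORES_FILE && chmod 664 SCORES_FILE.
 * SCORES_FILE is a hypothetical path. */
#define _GNU_SOURCE          /* setresgid() on glibc (also on the BSDs) */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define SCORES_FILE  "/var/games/example.scores"   /* hypothetical */
#define NAME_MAX_LEN 16
#define SCORE_MAX    1000000L

/* The tool runs with the group's privilege, so every input is hostile.
 * Accept only 1..NAME_MAX_LEN ASCII letters, digits or '_': no path
 * separators, no newline that could forge a second record. Returns 1/0. */
int valid_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > NAME_MAX_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_')
            return 0;
    }
    return 1;
}

/* Parse an unsigned decimal score: no sign, no leading whitespace, no
 * trailing junk, no overflow, nothing above SCORE_MAX. Returns 1/0. */
int parse_score(const char *s, long *out)
{
    if (s == NULL || !isdigit((unsigned char)*s))
        return 0;
    errno = 0;
    char *end;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > SCORE_MAX)
        return 0;
    *out = v;
    return 1;
}

/* Build the one-line record; returns its length, or -1 if it does not fit. */
int format_record(char *buf, size_t len, const char *name, long score)
{
    int n = snprintf(buf, len, "%s %ld\n", name, score);
    return (n > 0 && (size_t)n < len) ? n : -1;
}

/* Append one record with the effective gid (the file's group, e.g. games).
 * O_APPEND keeps concurrent writers from clobbering each other; O_NOFOLLOW
 * refuses a symlink planted where the scores file should be. Returns 0/-1. */
int append_score(const char *path, const char *name, long score)
{
    char rec[64];
    int n = format_record(rec, sizeof rec, name, score);
    if (n < 0)
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, rec, (size_t)n);
    close(fd);
    return w == n ? 0 : -1;
}

/* Permanently give up the setgid group: real, effective and saved gid all
 * become the real gid, so the group cannot be regained later. The result
 * is re-checked rather than trusted. Returns 0 on success. */
int drop_group_privilege(void)
{
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    return getegid() == rgid ? 0 : -1;
}

int main(int argc, char **argv)
{
    long score;
    if (argc != 3 || !valid_name(argv[1]) || !parse_score(argv[2], &score)) {
        fprintf(stderr, "usage: %s NAME SCORE\n", argv[0]);
        return 2;
    }
    int rc = append_score(SCORES_FILE, argv[1], score); /* the one privileged act */
    if (drop_group_privilege() != 0) {                  /* then drop games gid */
        perror("setresgid");
        return 1;
    }
    if (rc != 0) {
        perror(SCORES_FILE);
        return 1;
    }
    printf("recorded %s %ld (gid now %u)\n", argv[1], score, (unsigned)getegid());
    return 0;
}
```

The path is compiled in rather than taken from the command line on purpose: if the caller could name the file, the tool would let any user append to every file the games group can write, which defeats the point of giving it one narrow job. The validation functions are deliberately separate so they can be exercised without the setgid bit.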