Linux Security Concepts: Difference between revisions
Line 24: | Line 24: | ||
==Supplementary Group List== | ==Supplementary Group List== | ||
A user belongs to a primary group, which is specified in the /etc/passwd file, and can be assigned to multiple supplementary groups, which are specific in the /etc/group file. The [[usermod]] command can be used after creating to user to assign them to additional groups(s). | A user belongs to a [[#Primary_Group|primary group]], which is specified in the /etc/passwd file, and can be assigned to multiple supplementary groups, which are specific in the /etc/group file. The [[usermod]] command can be used after creating to user to assign them to additional groups(s). | ||
=Linux Capabilities= | =Linux Capabilities= | ||
{{Internal|Linux_Capabilities#Overview|Linux Capabilities}} | {{Internal|Linux_Capabilities#Overview|Linux Capabilities}} |
Revision as of 21:25, 2 March 2021
Internal
Privileged Mode
A process that runs in privileged mode has full access to the kernel. A container that runs in privileged mode has full access to the container runtime host's kernel. Newer kernels allow assigning finer-grained privileges instead of giving the process all possible permissions by running it in privileged mode. Finer-grained privileges are called Linux capabilities.
Privileged Process
Traditional UNIX implementations distinguish two categories of processes for the purpose of performing permission checks: privileged processes and unprivileged processes. A privileged process is a process with its effective user ID is 0, referred to as superuser or root. Privileged processes bypass all kernel permission checks.
Privileged Container
Unprivileged Process
An unprivileged process is a process with a non-zero its effective user ID. Unprivileged processes are subject to full permission checking based on the process' credentials: effective UID, effective GID and supplementary group list.
Unprivileged Container
Discretionary Access Control
Effective User ID
Primary Group
Effective Group ID
Supplementary Group List
A user belongs to a primary group, which is specified in the /etc/passwd file, and can be assigned to multiple supplementary groups, which are specific in the /etc/group file. The usermod command can be used after creating to user to assign them to additional groups(s).