Linux Security Concepts: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
Line 4: Line 4:
=Privileged Mode=
=Privileged Mode=


=Privileged Process=
==Privileged Process==
Traditional UNIX implementations distinguish two categories of processes for the purpose of performing permission checks: privileged processes and [[#Unprivileged_Process|unprivileged processes]]. A privileged process is a process with its [[#Effective_User_ID|effective user ID]] is 0, referred to as superuser or root. Privileged processes bypass all kernel permission checks.
Traditional UNIX implementations distinguish two categories of processes for the purpose of performing permission checks: privileged processes and [[#Unprivileged_Process|unprivileged processes]]. A privileged process is a process with its [[#Effective_User_ID|effective user ID]] is 0, referred to as superuser or root. Privileged processes bypass all kernel permission checks.


<font color=darkgray>TODO reconcile https://kb.novaordis.com/index.php/Docker_Security#Privileged_Container</font>
<font color=darkgray>TODO reconcile https://kb.novaordis.com/index.php/Docker_Security#Privileged_Container</font>


=Unprivileged Process=
==Privileged Container==
 
==Unprivileged Process==
An unprivileged process is a process with a non-zero its [[#Effective_User_ID|effective user ID]]. Unprivileged processes are subject to full permission checking based on the process' credentials: [[#Effective_User_ID|effective UID]], [[#Effective_Group_ID|effective GID]] and [[#Supplementary_Group_List|supplementary group list]].
An unprivileged process is a process with a non-zero its [[#Effective_User_ID|effective user ID]]. Unprivileged processes are subject to full permission checking based on the process' credentials: [[#Effective_User_ID|effective UID]], [[#Effective_Group_ID|effective GID]] and [[#Supplementary_Group_List|supplementary group list]].



Revision as of 00:20, 2 March 2021

Internal

Privileged Mode

Privileged Process

Traditional UNIX implementations distinguish two categories of processes for the purpose of performing permission checks: privileged processes and unprivileged processes. A privileged process is a process with its effective user ID is 0, referred to as superuser or root. Privileged processes bypass all kernel permission checks.

TODO reconcile https://kb.novaordis.com/index.php/Docker_Security#Privileged_Container

Privileged Container

Unprivileged Process

An unprivileged process is a process with a non-zero its effective user ID. Unprivileged processes are subject to full permission checking based on the process' credentials: effective UID, effective GID and supplementary group list.

Unprivileged Container

Discretionary Access Control

https://wiki.archlinux.org/index.php/users_and_groups

Effective User ID

Effective Group ID

Supplementary Group List

Linux Capabilities

Linux Capabilities