- wikipedia.org: List of Unix utilities
- Real and Effective IDs
- A process also carries around a set of effective gids called the group vector. The effective gid is then just the primary effective gid, and the entries in this vector provide additional effective gids to the process for determining access control.
- Invoking a `setgid` application does not alter the group vector. `sudo` typically resets it to that of the target user's groups too, unless you pass in the `-P` option to preserve the group vector.
- On most platforms, only real programs (i.e. binary code) can be setuid; the bit is ignored on scripts (i.e. those with a shebang line) because interpreters are usually not written with security in mind.
- Do not trust file descriptors 0, 1, 2
- tempfile: Creating a One-shot File
`mkstemp`. Opening a file with `O_EXCL` ensures that the kernel does not follow symlinks (
- Lost in Legacy Space? Use a private directory!
- Rule of thumb: In a `setgid` application, drop privileges before creating a temporary file in a hostile directory.
- Man pages
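
The rule of thumb and the private-directory advice above, combined in one added example (not code from any of the linked pages). It drops the setgid privilege first, then creates a private directory and a one-shot file inside it; the `/tmp` base and the `app.`/`data.` name prefixes are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop setgid privilege: real, effective and saved gid all
 * become the real gid. The group vector is left alone, since invoking a
 * setgid program did not change it. Returns 0 on success, -1 on failure. */
static int drop_setgid(void)
{
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) != 0)
        return -1;
    return getegid() == rgid ? 0 : -1;   /* verify, never assume */
}

/* Create a private directory (mode 0700) under `base`, then a one-shot
 * file (mode 0600, O_CREAT|O_EXCL) inside it. Returns an open fd or -1.
 * `base` and the "app."/"data." prefixes are assumptions of this example. */
static int private_tempfile(const char *base, char *dir, size_t dlen,
                            char *file, size_t flen)
{
    int n = snprintf(dir, dlen, "%s/app.XXXXXX", base);
    if (n < 0 || (size_t)n >= dlen || mkdtemp(dir) == NULL)
        return -1;
    n = snprintf(file, flen, "%s/data.XXXXXX", dir);
    int fd = (n >= 0 && (size_t)n < flen) ? mkstemp(file) : -1;
    if (fd < 0)
        rmdir(dir);                      /* do not leave an empty directory */
    return fd;
}

int main(void)
{
    char dir[256], file[256];
    struct stat st;
    if (drop_setgid() != 0) { perror("drop_setgid"); return 1; }
    int fd = private_tempfile("/tmp", dir, sizeof dir, file, sizeof file);
    if (fd < 0 || fstat(fd, &st) != 0) { perror("private_tempfile"); return 1; }
    printf("%s mode %o gid %ld\n", file, (unsigned)(st.st_mode & 0777), (long)st.st_gid);
    close(fd);
    unlink(file);
    rmdir(dir);
    return 0;
}
```

Because the drop happens before `mkdtemp`, the directory and file are created with the invoking user's group rather than the privileged one.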
Passing file handles / descriptors between processes
- See Passing open handles / "kernel black magic"
- This simple extension provides two functions to pass and receive file descriptors across UNIX domain sockets, using the BSD-4.3+ sendmsg() and recvmsg() interfaces.
What shell am I using?