Android Security Model Mechanisms, Part 2 (Foundational Concepts of the Modern Operating-System Security Architecture)

Contents:

  • 1. Processes and process boundaries
  • 2. Multi-user and multi-user boundaries
  • 3. UID/GID of processes and files (UserID/GroupID)
    • 3.1 Granularity of file-resource permissions: UID/GID
    • 3.2 Operations permitted on a file
    • 3.3 Process identifiers: PID, UID, GID, GIDs
    • 3.4 Mapping between Name and ID
    • 3.5 The chmod and chown commands
      • 3.5.1 chmod
      • 3.5.2 chown
  • 4. How the UID/GID of processes and files fit together
  • 5. A process's Real UID and Effective UID
  • 6. The setUID flag on a file
  • 7. Capabilities
    • 7.1 Process capabilities
    • 7.2 File capabilities
    • 7.3 The capability bounding set
    • 7.4 Capabilities of a spawned process

Processes and process boundaries

Processes and threads
    Executable file: inert until it runs; on its own it is just dead bytes
    Process: the executable in action; one run of its life
    Thread: the CPU (core) scheduling unit; a concurrent execution sequence; a process doing several things at once
    Resources and scheduling.


The security fence at the process boundary:
    A crash cannot spread beyond the process
    Another process's global data and services cannot be accessed

Multi-user and multi-user boundaries

Background requirements:
    Scarce resources
    Centralised, unified administration

Multi-user boundaries:
    A separate working directory per user
    Which resources may be operated on / accessed
        Resource classification
        Permission management
    Which operations may be performed
        Operation classification
        Permission management

Multi-user identity markers (Linux): UID and GID
    The Name is only for humans to read
    The Identifier is what the system actually uses
    A user's behaviour is the behaviour of a series of processes
    So the identity marker is really the process's UID/GID

UID/GID of processes and files (UserID/GroupID)

Granularity of file-resource permissions: UID/GID

1. A file is one kind of resource
2. In Linux practically everything is a file: sockets, drivers
3. Hence the need for different operation permissions on a file resource for different targets (users)
4. In some scenarios several different targets/users (rather than one) should share the same operation permissions. How?
    Id ===> Gid ===> several users may belong to one GID, and one user may belong to several GIDs
5. So file permissions are managed at the granularity of three groups: the user with a specific UID, the user(s) belonging to a specific GID, and everyone else
6. One god user exists: ROOT, with UID = 0; root always counts as satisfying any UID check

Operations permitted on a file

1. File/directory readable r
2. File/directory writable w
3. File/directory executable x
$ ls -l
total 20
permission bits  UID   GID
-rw-r--r-- 1 comtu Administ 879 Feb 25 17:39 404.html
-rw-r--r-- 1 comtu Administ 2800 Feb 25 17:39 README.md
-rw-r--r-- 1 comtu Administ 2909 Feb 25 17:39 Rakefile.rb
-rw-r--r-- 1 comtu Administ 1609 Feb 25 17:39 _config.yml
drwxr-xr-x 4 comtu Administ 0 Feb 25 17:39 _data
drwxr-xr-x 7 comtu Administ 4096 Feb 25 17:39 _includes
drwxr-xr-x 5 comtu Administ 0 Feb 25 17:39 _layouts
drwxr-xr-x 3 comtu Administ 0 Feb 25 17:39 _plugins
drwxr-xr-x 18 comtu Administ 8192 Jul 1 17:36 _posts
drwxr-xr-x 13 comtu Administ 4096 Jul 1 13:30 _site
-rw-r--r-- 1 comtu Administ 10 Feb 25 17:39 baidu_verify_
html
-rw-r--r-- 1 comtu Administ 1672 Feb 25 17:39 index.html
drwxr-xr-x 1 comtu Administ 4096 Feb 25 17:39 page
drwxr-xr-x 1 comtu Administ 4096 Jun 25 16:18 res
-rw-r--r-- 1 comtu Administ 59 Jun 25 17:45 robots.txt
-rw-r--r-- 1 comtu Administ 350 Apr 13 17:53 search.xml
-rw-r--r-- 1 comtu Administ 209 Feb 25 17:39 sitemap.txt
drwxr-xr-x
d|rwx|r-x|r-x
0|123|456|789

Directory vs. file marker
    0 : d directory    - file
Owner (UID) user
    1 : readable
    2 : writable
    3 : executable
Group (GID) users
    4 : readable
    5 : not writable
    6 : executable
Other users
    7 : readable
    8 : not writable
    9 : executable
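The three-audience rule above, as an added example that is not part of the original post: it parses an `ls -l` mode string such as `drwxr-xr-x` into bits, converts it to the octal form, and decides which audience (owner, group, other) a process falls into and what it may do. The process is modelled by (uid, gid, supplementary gids) as the post describes, and all numeric values in the sample are constructed for illustration.

```python
# Added example (not from the original post): parse an `ls -l` mode string,
# convert it to octal, and run the owner/group/other access decision.
from dataclasses import dataclass, field


@dataclass
class Process:
    uid: int
    gid: int
    gids: frozenset = field(default_factory=frozenset)  # supplementary GIDs


@dataclass
class FileEntry:
    mode_str: str   # e.g. "-rw-r--r--" as printed by ls -l
    uid: int        # owner
    gid: int        # group


def parse_mode(mode_str: str) -> tuple:
    """Return (is_dir, owner_bits, group_bits, other_bits), each 0..7.
    Positions 1-3 are owner, 4-6 group, 7-9 other; r=4, w=2, x=1 as in the post.
    A lowercase 's' or 't' in the x slot means setuid/setgid/sticky with x set."""
    if len(mode_str) != 10:
        raise ValueError("mode string must be 10 characters")
    is_dir = mode_str[0] == "d"

    def triple(s: str) -> int:
        bits = 0
        if s[0] == "r":
            bits |= 4
        if s[1] == "w":
            bits |= 2
        if s[2] in "xst":
            bits |= 1
        return bits

    return is_dir, triple(mode_str[1:4]), triple(mode_str[4:7]), triple(mode_str[7:10])


def mode_octal(mode_str: str) -> str:
    """'drwxr-xr-x' -> '755', the form chmod accepts."""
    _, u, g, o = parse_mode(mode_str)
    return f"{u}{g}{o}"


def audience(proc: Process, f: FileEntry) -> str:
    """Which of the three permission groups applies to this process.
    Owner is checked first, then primary or supplementary group, else other."""
    if proc.uid == f.uid:
        return "owner"
    if proc.gid == f.gid or f.gid in proc.gids:
        return "group"
    return "other"


def can(proc: Process, f: FileEntry, op: str) -> bool:
    """Discretionary access check as the post describes: root (uid 0) passes,
    otherwise exactly one audience's r/w/x triple decides (no fall-through:
    an owner with '---' is denied even if 'other' has 'rwx').
    Real kernels additionally require at least one x bit before root may execute;
    that refinement is left out to match the post's model."""
    if proc.uid == 0:
        return True
    bit = {"r": 4, "w": 2, "x": 1}[op]
    _, u, g, o = parse_mode(f.mode_str)
    return bool({"owner": u, "group": g, "other": o}[audience(proc, f)] & bit)


if __name__ == "__main__":
    # Constructed sample: a system-owned file and an app process with
    # the supplementary gids seen later in the post.
    f = FileEntry("-rw-r--r--", uid=1000, gid=1000)
    app = Process(uid=10081, gid=10081, gids=frozenset({3003, 1028, 1015}))
    print(mode_octal(f.mode_str), audience(app, f), can(app, f, "r"), can(app, f, "w"))
```

The first matching class decides: a process whose uid matches the owner never falls back to the group or other bits, which is why a file with mode `-r--rwxrwx` is less usable for its owner than for everyone else.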

Process identifiers: PID, UID, GID, GIDs

PID : the process's unique identifier. The PID may or may not be the same from one run to the next; it is assigned by the system
UID : the process's identity. By default the same on every run, even after a reboot
GID : the process's (group) identity. By default the same on every run, even after a reboot. Different processes may share the same GID (group identity).
    The same process may belong to several GIDs.
GIDs: all the GIDs the process belongs to

Mapping between Name and ID

The Name-to-ID mapping table in the Android source
/system/core/include/private/android_filesystem_config.h
/*
* Copyright (C) 2007 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* This file is used to define the properties of the filesystem
# images generated by build tools (mkbootfs and mkyaffs2image) and
# by the device side of adb.
*/
#ifndef _ANDROID_FILESYSTEM_CONFIG_H_
#define _ANDROID_FILESYSTEM_CONFIG_H_
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
/* This is the master Users and Groups config for the platform.
# DO NOT EVER RENUMBER.
*/
#define AID_ROOT 0 /* traditional unix root user */
#define AID_SYSTEM 1000 /* system server */
#define AID_RADIO 1001 /* telephony subsystem, RIL */
#define AID_BLUETOOTH 1002 /* bluetooth subsystem */
#define AID_GRAPHICS 1003 /* graphics devices */
#define AID_INPUT 1004 /* input devices */
#define AID_AUDIO 1005 /* audio devices */
#define AID_CAMERA 1006 /* camera devices */
#define AID_LOG 1007 /* log devices */
#define AID_COMPASS 1008 /* compass device */
#define AID_MOUNT 1009 /* mountd socket */
#define AID_WIFI 1010 /* wifi subsystem */
#define AID_ADB 1011 /* android debug bridge (adbd) */
#define AID_INSTALL 1012 /* group for installing packages */
#define AID_MEDIA 1013 /* mediaserver process */
#define AID_DHCP 1014 /* dhcp client */
#define AID_SDCARD_RW 1015 /* external storage write access */
#define AID_VPN 1016 /* vpn system */
#define AID_KEYSTORE 1017 /* keystore subsystem */
#define AID_USB 1018 /* USB devices */
#define AID_GPS 1021 /* GPS daemon */
#define AID_UNUSED1 1022 /* deprecated, DO NOT USE */
#define AID_RFU1 1023 /* RFU */
#define AID_RFU2 1024 /* RFU */
#define AID_NFC 1025 /* nfc subsystem */
#define AID_SHELL 2000 /* adb and debug shell user */
#define AID_CACHE 2001 /* cache access */
#define AID_DIAG 2002 /* access to diagnostic resources */
/* The 3000 series are intended for use as supplemental group id's only.
* They indicate special Android capabilities that the kernel is aware of. */
#define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */
#define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */
#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
#define AID_NET_RAW 3004 /* can create raw INET sockets */
#define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. */
#define AID_QCOM_ONCRPC 3006 /* can read/write /dev/oncrpc files */
#if defined(MOTOROLA_UIDS)
#define AID_MOT_ACCY 9000 /* access to accessory */
#define AID_MOT_PWRIC 9001 /* power IC */
#define AID_MOT_USB 9002 /* mot usb */
#define AID_MOT_DRM 9003 /* can access DRM resource. */
#define AID_MOT_TCMD 9004 /* mot_tcmd */
#define AID_MOT_SEC_RTC 9005 /* mot cpcap rtc */
#define AID_MOT_TOMBSTONE 9006
#define AID_MOT_TPAPI 9007 /* mot_tpapi */
#define AID_MOT_SECCLKD 9008 /* mot_secclkd */
#endif // MOTOROLA_UIDS
#define AID_MISC 9998 /* access to misc storage */
#define AID_NOBODY 9999
#define AID_APP 10000 /* first app user */
#if !defined(EXCLUDE_FS_CONFIG_STRUCTURES)
struct android_id_info {
const char *name;
unsigned aid;
};
static const struct android_id_info android_ids[] = {
{ "root", AID_ROOT, },
{ "system", AID_SYSTEM, },
{ "radio", AID_RADIO, },
{ "bluetooth", AID_BLUETOOTH, },
{ "graphics", AID_GRAPHICS, },
{ "input", AID_INPUT, },
{ "audio", AID_AUDIO, },
{ "camera", AID_CAMERA, },
{ "log", AID_LOG, },
{ "compass", AID_COMPASS, },
{ "mount", AID_MOUNT, },
{ "wifi", AID_WIFI, },
{ "dhcp", AID_DHCP, },
{ "adb", AID_ADB, },
{ "install", AID_INSTALL, },
{ "media", AID_MEDIA, },
{ "nfc", AID_NFC, },
{ "shell", AID_SHELL, },
{ "cache", AID_CACHE, },
{ "diag", AID_DIAG, },
{ "net_bt_admin", AID_NET_BT_ADMIN, },
{ "net_bt", AID_NET_BT, },
{ "qcom_oncrpc", AID_QCOM_ONCRPC, },
{ "sdcard_rw", AID_SDCARD_RW, },
{ "vpn", AID_VPN, },
{ "keystore", AID_KEYSTORE, },
{ "usb", AID_USB, },
{ "gps", AID_GPS, },
{ "inet", AID_INET, },
{ "net_raw", AID_NET_RAW, },
{ "net_admin", AID_NET_ADMIN, },
#if defined(MOTOROLA_UIDS)
{ "mot_accy", AID_MOT_ACCY, },
{ "mot_pwric", AID_MOT_PWRIC, },
{ "mot_usb", AID_MOT_USB, },
{ "mot_drm", AID_MOT_DRM, },
{ "mot_tcmd", AID_MOT_TCMD, },
{ "mot_sec_rtc", AID_MOT_SEC_RTC, },
{ "mot_tombstone", AID_MOT_TOMBSTONE, },
{ "mot_tpapi", AID_MOT_TPAPI, },
{ "mot_secclkd", AID_MOT_SECCLKD, },
#endif
{ "misc", AID_MISC, },
{ "nobody", AID_NOBODY, },
};
#define android_id_count \
(sizeof(android_ids) / sizeof(android_ids[0]))
struct fs_path_config {
unsigned mode;
unsigned uid;
unsigned gid;
const char *prefix;
};
/* Rules for directories.
# These rules are applied based on "first match", so they
# should start with the most specific path and work their
# way up to the root.
*/
static struct fs_path_config android_dirs[] = {
{ 00770, AID_SYSTEM, AID_CACHE, "cache" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "data/app" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "data/app-private" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "data/dalvik-cache" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "data/data" },
{ 00771, AID_SHELL, AID_SHELL, "data/local/tmp" },
{ 00771, AID_SHELL, AID_SHELL, "data/local" },
{ 01771, AID_SYSTEM, AID_MISC, "data/misc" },
{ 00770, AID_DHCP, AID_DHCP, "data/misc/dhcp" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "data" },
{ 00750, AID_ROOT, AID_SHELL, "sbin" },
{ 00755, AID_ROOT, AID_SHELL, "system/bin" },
{ 00755, AID_ROOT, AID_SHELL, "system/vendor" },
{ 00755, AID_ROOT, AID_SHELL, "system/xbin" },
{ 00755, AID_ROOT, AID_ROOT, "system/etc/ppp" },
{ 00777, AID_ROOT, AID_ROOT, "sdcard" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "sd-ext" },
{ 00755, AID_ROOT, AID_ROOT, 0 },
};
/* Rules for files.
# These rules are applied based on "first match", so they
# should start with the most specific path and work their
# way up to the root. Prefixes ending in * denotes wildcard
# and will allow partial matches.
*/
static struct fs_path_config android_files[] = {
{ 00440, AID_ROOT, AID_SHELL, "system/etc/init.goldfish.rc" },
{ 00550, AID_ROOT, AID_SHELL, "system/etc/init.goldfish.sh" },
{ 00440, AID_ROOT, AID_SHELL, "system/etc/init.trout.rc" },
{ 00550, AID_ROOT, AID_SHELL, "system/etc/init.ril" },
{ 00550, AID_ROOT, AID_SHELL, "system/etc/init.testmenu" },
{ 00550, AID_DHCP, AID_SHELL, "system/etc/dhcpcd/dhcpcd-run-hooks" },
{ 00440, AID_BLUETOOTH, AID_BLUETOOTH, "system/etc/dbus.conf" },
{ 00440, AID_BLUETOOTH, AID_BLUETOOTH, "system/etc/bluetooth/main.conf" },
{ 00440, AID_BLUETOOTH, AID_BLUETOOTH, "system/etc/bluetooth/input.conf" },
{ 00440, AID_BLUETOOTH, AID_BLUETOOTH, "system/etc/bluetooth/audio.conf" },
{ 00444, AID_NET_BT, AID_NET_BT, "system/etc/bluetooth/blacklist.conf" },
{ 00640, AID_SYSTEM, AID_SYSTEM, "system/etc/bluetooth/auto_pairing.conf" },
{ 00444, AID_RADIO, AID_AUDIO, "system/etc/AudioPara4.csv" },
{ 00555, AID_ROOT, AID_ROOT, "system/etc/ppp/*" },
{ 00555, AID_ROOT, AID_ROOT, "system/etc/rc.*" },
{ 00644, AID_SYSTEM, AID_SYSTEM, "data/app/*" },
{ 00644, AID_SYSTEM, AID_SYSTEM, "data/app-private/*" },
{ 00644, AID_APP, AID_APP, "data/data/*" },
/* the following three files are INTENTIONALLY set-gid and not set-uid.
* Do not change. */
{ 02755, AID_ROOT, AID_NET_RAW, "system/bin/ping" },
{ 02750, AID_ROOT, AID_INET, "system/bin/netcfg" },
{ 02755, AID_SYSTEM, AID_GRAPHICS, "system/bin/screenshot" },
/* the following five files are INTENTIONALLY set-uid, but they
* are NOT included on user builds. */
{ 06755, AID_ROOT, AID_ROOT, "system/xbin/su" },
{ 06755, AID_ROOT, AID_ROOT, "system/xbin/librank" },
{ 06755, AID_ROOT, AID_ROOT, "system/xbin/procrank" },
{ 06755, AID_ROOT, AID_ROOT, "system/xbin/procmem" },
{ 06755, AID_ROOT, AID_ROOT, "system/xbin/tcpdump" },
{ 04770, AID_ROOT, AID_RADIO, "system/bin/pppd-ril" },
/* the following file is INTENTIONALLY set-uid, and IS included
* in user builds. */
{ 06750, AID_ROOT, AID_SHELL, "system/bin/run-as" },
{ 06755, AID_ROOT, AID_ROOT, "system/xbin/hcitool" },
{ 00755, AID_ROOT, AID_SHELL, "system/bin/*" },
{ 00755, AID_ROOT, AID_SHELL, "system/xbin/*" },
{ 00755, AID_ROOT, AID_SHELL, "system/vendor/bin/*" },
{ 00750, AID_ROOT, AID_SHELL, "sbin/*" },
{ 00755, AID_ROOT, AID_ROOT, "bin/*" },
{ 00750, AID_ROOT, AID_SHELL, "init*" },
{ 00750, AID_ROOT, AID_SHELL, "system/etc/init.d/*" },
{ 00644, AID_ROOT, AID_ROOT, 0 },
};
static inline void fs_config(const char *path, int dir,
unsigned *uid, unsigned *gid, unsigned *mode)
{
struct fs_path_config *pc;
int plen;
pc = dir ? android_dirs : android_files;
plen = strlen(path);
for(; pc->prefix; pc++){
int len = strlen(pc->prefix);
if (dir) {
if(plen < len) continue;
if(!strncmp(pc->prefix, path, len)) break;
continue;
}
/* If name ends in * then allow partial matches. */
if (pc->prefix[len -1] == '*') {
if(!strncmp(pc->prefix, path, len - 1)) break;
} else if (plen == len){
if(!strncmp(pc->prefix, path, len)) break;
}
}
*uid = pc->uid;
*gid = pc->gid;
*mode = (*mode & (~07777)) | pc->mode;
#if 0
fprintf(stderr,"< '%s' '%s' %d %d %o >\n",
path, pc->prefix ? pc->prefix : "", *uid, *gid, *mode);
#endif
}
#endif
#endif
Android provides the dumpsys tool to dump the information of all services; the following command lists every service registered with the system: adb shell dumpsys
dumpsys reports information on every application on the phone, together with the phone's current state.
Because the output is so large, it was saved to a file on the C: drive for easier reading, as follows:
C:\Users\comtu>adb shell
shell@android:/ $ su
shell@android:/ # cd data
shell@android:/data # mkdir test
shell@android:/data # cd test
shell@android:/data/test # dumpsys > dumpsys.txt
shell@android:/data/test # ls -l
ls -l
-rw-rw-rw- root root 1706976 2015-07-03 08:57 dumpsys.txt
shell@android:/data/test # exit
exit
shell@android:/ $ exit
exit
C:\Users\comtu>adb pull /data/test/dumpsys.txt c:/
5649 KB/s (1706976 bytes in 0.295s)
In dumpsys.txt the following fragment of the QQ package configuration can be found:
        userId=10081 gids=[3003, 1028, 1015] <--- each gid can be mapped to its name in android_filesystem_config.h
Package [com.tencent.mobileqq] (426f1258):
userId=10081 gids=[3003, 1028, 1015]
pkg=Package{42b7e890 com.tencent.mobileqq}
codePath=/data/app/partner-QQ.apk
resourcePath=/data/app/partner-QQ.apk
nativeLibraryPath=/data/app-lib/partner-QQ
versionCode=122 targetSdk=7
versionName=4.7.0
applicationInfo=ApplicationInfo{42b136f8 com.tencent.mobileqq}
flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
dataDir=/data/data/com.tencent.mobileqq
supportsScreens=[small, medium, large, resizeable, anyDensity]
usesOptionalLibraries:
com.google.android.media.effects
com.motorola.hardware.frontcamera
timeStamp=2015-05-05 17:36:43
firstInstallTime=2015-05-05 17:36:43
lastUpdateTime=2015-05-05 17:36:43
signatures=PackageSignatures{426f1320 [426f1ed0]}
permissionsFixed=true haveGids=true installStatus=1
pkgFlags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
User 0: installed=true blocked=false stopped=true notLaunched=false enabled=0
grantedPermissions:
android.permission.READ_EXTERNAL_STORAGE
android.permission.CHANGE_WIFI_MULTICAST_STATE
com.tencent.photos.permission.DATA
android.permission.GET_TASKS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.WRITE_CALL_LOG
com.tencent.msg.permission.pushnotify
android.permission.ACCESS_WIFI_STATE
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_CONTACTS
android.permission.CALL_PHONE
android.permission.WRITE_CONTACTS
com.tencent.permission.VIRUS_SCAN
android.permission.READ_PHONE_STATE
android.permission.READ_CALENDAR
android.permission.READ_SMS
android.permission.CAMERA
android.permission.ACCESS_FINE_LOCATION
android.permission.BROADCAST_STICKY
android.permission.PERSISTENT_ACTIVITY
android.permission.FLASHLIGHT
android.permission.RECORD_AUDIO
android.permission.WAKE_LOCK
android.permission.ACCESS_NETWORK_STATE
com.tencent.msf.permission.ACCOUNT_NOTICE
com.android.launcher.permission.INSTALL_SHORTCUT
com.tencent.msf.permission.account.sync
android.permission.SEND_SMS
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.KILL_BACKGROUND_PROCESSES
android.permission.MODIFY_AUDIO_SETTINGS
android.permission.DISABLE_KEYGUARD
android.permission.WRITE_CALENDAR
com.qq.qcloud.permission.ACCESS_ALBUM_BACKUP_LIST
android.permission.SYSTEM_ALERT_WINDOW
android.permission.WRITE_SETTINGS
android.permission.INTERNET
android.permission.CHANGE_WIFI_STATE
android.permission.VIBRATE
android.permission.READ_CALL_LOG
com.android.launcher.permission.READ_SETTINGS
android.permission.CHANGE_NETWORK_STATE
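Two things the header and the dumpsys excerpt above show can be exercised in a few lines of Python. The block below is an added example, not code from the post or from AOSP: it parses `#define AID_x N` lines into the name/id table that `android_ids[]` holds, re-implements the first-match rule of the header's `fs_config()` on a subset of `android_files[]`, and resolves the `userId=10081 gids=[3003, 1028, 1015]` line. The header snippet and the rule table are copied from the lines shown on the page; a gid that this version of the header does not define (1028 here) is reported as unknown rather than guessed.

```python
# Added example (not from the original post or AOSP): read the AID table,
# port the fs_config() first-match lookup, and resolve a dumpsys gids line.
import re

# Constructed subset of android_filesystem_config.h, copied from the page.
HEADER_SNIPPET = """
#define AID_ROOT 0 /* traditional unix root user */
#define AID_SYSTEM 1000 /* system server */
#define AID_SDCARD_RW 1015 /* external storage write access */
#define AID_SHELL 2000 /* adb and debug shell user */
#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
#define AID_NET_RAW 3004 /* can create raw INET sockets */
#define AID_APP 10000 /* first app user */
"""

DEFINE_RE = re.compile(r"^#define\s+AID_(\w+)\s+(\d+)", re.M)


def parse_aids(text: str) -> dict:
    """Map numeric id -> lower-case name, like the android_ids[] table."""
    return {int(num): name.lower() for name, num in DEFINE_RE.findall(text)}


AIDS = parse_aids(HEADER_SNIPPET)


def describe_uid(uid: int) -> str:
    """Named platform ids come from the table; app ids start at AID_APP (10000),
    so the post's userId=10081 is the 81st installed app."""
    if uid in AIDS:
        return AIDS[uid]
    if uid >= 10000:
        return f"app #{uid - 10000}"
    return "unknown"


GIDS_RE = re.compile(r"userId=(\d+)\s+gids=\[([\d,\s]*)\]")


def resolve_dumpsys_line(line: str) -> dict:
    """Parse 'userId=10081 gids=[3003, 1028, 1015]' and resolve every gid."""
    m = GIDS_RE.search(line)
    if not m:
        raise ValueError("no userId/gids on this line")
    uid = int(m.group(1))
    gids = [int(g) for g in m.group(2).split(",") if g.strip()]
    return {"uid": uid, "user": describe_uid(uid),
            "gids": {g: AIDS.get(g, "unknown") for g in gids}}


# Subset of android_files[] from the header: (mode, uid, gid, prefix).
# Order matters: the loop stops at the first match, so specific entries
# must precede the "*" wildcards, and the table ends with the default rule.
ANDROID_FILES = [
    (0o6750, 0, 2000, "system/bin/run-as"),    # setuid root, shipped in user builds
    (0o2755, 0, 3004, "system/bin/ping"),      # setgid net_raw, intentionally NOT setuid
    (0o0755, 0, 2000, "system/bin/*"),
    (0o0644, 10000, 10000, "data/data/*"),
    (0o0644, 0, 0, None),                      # prefix 0 in C: catch-all
]


def fs_config(path: str, rules=ANDROID_FILES) -> tuple:
    """Port of the header's file loop: a prefix ending in '*' allows a partial
    match on everything before the '*'; any other prefix must equal the whole path."""
    for mode, uid, gid, prefix in rules:
        if prefix is None:
            return mode, uid, gid
        if prefix.endswith("*"):
            if path.startswith(prefix[:-1]):
                return mode, uid, gid
        elif path == prefix:
            return mode, uid, gid
    raise AssertionError("rule table must end with a default entry")


if __name__ == "__main__":
    print(resolve_dumpsys_line("userId=10081 gids=[3003, 1028, 1015]"))
    print(oct(fs_config("system/bin/ping")[0]), fs_config("system/bin/ls"))
```

Because the lookup is first-match, moving `system/bin/*` above `system/bin/ping` would silently turn the setgid `net_raw` entry into a plain 0755 root:shell file; the order of the table is part of its meaning.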

The chmod and chown commands

chmod

1. Internally the system represents a file's R/W/X with 3 bits: R is the most significant bit (set = 0x04),
    W the middle bit (set = 0x02), and X the least significant bit (set = 0x01)

    4 (read R), 2 (write W), 1 (execute X)
    7=4+2+1 all permissions
    6=4+2   read and write
    5=4+1   read and execute
    4       read
    3=2+1   write and execute
    2       write
    1       execute
    664 grants read/write to the UID and the GID, and read-only to everyone else

2. In the shell a set bit is shown with the corresponding r/w/x letter; an unset bit is shown as -
3. To change the permissions a file grants to each audience, use chmod; it accepts the numbers directly
    or mnemonics (a: all, u: owner user, g: group, +: add one permission, -: remove one permission)
-rw-rw-r-- system system 12 2015-07-02 18:02 test.txt
shell@android:/data/test # chmod 777 test.txt
chmod 777 test.txt
shell@android:/data/test # ls -l
ls -l
-rwxrwxrwx system system 12 2015-07-02 18:02 test.txt
shell@android:/data/test #
shell@android:/data/test # chmod 664 test.txt
chmod 664 test.txt
shell@android:/data/test # ls -l
ls -l
-rw-rw-r-- system system 12 2015-07-02 18:02 test.txt
shell@android:/data/test #

chown

chown changes the owner and group of a file. When changing a file's owner UID or group GID, either the name or the numeric id may be given.
    Shell commands usually use the name form rather than the id form. An ordinary user cannot give away their own file to another owner; this operation is generally reserved for the administrator.
General form: chown newUID:newGID FileName
shell@android:/data # mkdir test
mkdir test
shell@android:/data # cd test
cd test
shell@android:/data/test # echo "hello world" > test.txt
echo "hello world" > test.txt
shell@android:/data/test # ls
ls
test.txt
shell@android:/data/test # ls -l
ls -l
-rw-rw-rw- root root 12 2015-07-02 18:02 test.txt
shell@android:/data/test # chown system:system test.txt
chown system:system test.txt
shell@android:/data/test # ls -l
ls -l
-rw-rw-rw- system system 12 2015-07-02 18:02 test.txt
shell@android:/data/test #

How the UID/GID of processes and files fit together

1. In Linux everything is a file
2. A file partitions its audience by UID/GID and defines different operation permissions for each part
3. A user's behaviour maps onto running processes
4. A running process identifies itself by its UID/GID
5. Process UID/GID <=====> file UID/GID: a perfect fit~~
6. Beyond deciding which files a process may operate on, operations outside the file domain that need access control
    (privileged operations such as rebooting the system) are likewise controlled and authorised through the process's UID/GID identity.
7. For example, the entry point of the Reboot API can check the calling process's UID and reject the call if it is not root

A process's Real UID and Effective UID

Under Linux the real uid describes who the user is, the owner of the file; the effective uid is the user identity under which the program executes,
and it is used to decide whether the program has the right to perform certain operations (for example reading or writing a file). So the real uid is about the user and the file (owner),
while the effective uid is about the running program. Normally, when a user runs a program,
the program's effective uid is set to the user's real uid; this effective uid is unrelated to the program's own real uid (the file owner) and depends only on who runs it.

Real UID is the marker of identity, but carries no "real power"

Effective UID is the marker of power
    When files, resources and privileged APIs check whether a process has permission, the UID they consult is the Effective UID

The relation between identity and power
    Normally identity and power coincide, i.e. Real UID = Effective UID.
    So the UID that ps prints by default is the Effective UID; the Real UID is not printed

Root's privilege
    ROOT can call setXuid to raise or lower its own identity.

Inheritance of the UID
    Child's Real UID = Effective UID = parent's Real UID (descendants cannot inherit the privileged Effective UID, only the Real UID)

The setUID flag on a file

setUID lets an ordinary user temporarily obtain the file's permissions for reading and writing.

Like the basic RWX settings it has a mnemonic form and a direct numeric form. In numeric form four digits are used, and the first digit marks setUID,
as follows:
shell@android:/data/test $ ls -l
ls -l
-rw-rw-rw- shell shell 7 2015-07-03 09:22 comtu.txt
-rw-rw-rw- root root 1706976 2015-07-03 08:57 dumpsys.txt
-rw-rw-r-- system system 12 2015-07-02 18:02 test.txt
shell@android:/data/test $ chmod 4775 comtu.txt
chmod 4775 comtu.txt
shell@android:/data/test $ ls -l
ls -l
-rwsrwxr-x shell shell 7 2015-07-03 09:22 comtu.txt
-rw-rw-rw- root root 1706976 2015-07-03 08:57 dumpsys.txt
-rw-rw-r-- system system 12 2015-07-02 18:02 test.txt
shell@android:/data/test $ chmod 0775 comtu.txt
chmod 0775 comtu.txt
shell@android:/data/test $ ls -l
ls -l
-rwxrwxr-x shell shell 7 2015-07-03 09:22 comtu.txt
-rw-rw-rw- root root 1706976 2015-07-03 08:57 dumpsys.txt
-rw-rw-r-- system system 12 2015-07-02 18:02 test.txt
shell@android:/data/test $ chmod u+s comtu.txt
chmod u+s comtu.txt
Bad mode
10|shell@android:/data/test $
Explanation
    chmod 4775 comtu.txt

    4775: the first digit 4 turns setUID on, the second digit 7 gives the UID read/write/execute,
        the third digit 7 gives the GID read/write/execute, and the last digit 5 gives other users only read and execute

    chmod 0775 comtu.txt
    0775: the first digit 0 turns setUID off

    chmod u+s comtu.txt
    Mnemonic form: because I am using Android's adb shell, a cut-down Linux that does not support mnemonics, this fails; on Ubuntu or similar it works.
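The chmod rules from 3.5.1 and the setUID behaviour from sections 5 and 6 can be modelled together. The block below is an added example, not code from the post: it applies both the numeric form (`4775`, `0775`, `664`) and the mnemonic form (`u+s`, `o-r`) to a mode, renders the result exactly as `ls -l` prints it (the `s` in the owner's x slot), and shows what exec does to a process's real and effective UID when the file carries the setUID bit. All uids and modes are constructed for illustration; the mnemonic parser handles a single clause only.

```python
# Added example (not from the original post): chmod on a mode value, ls -l
# rendering including the setuid 's', and the exec credential rule.
import re
import stat


def chmod_octal(mode: int, digits: str) -> int:
    """chmod 4775 / chmod 0775 / chmod 664: replace the permission bits wholesale.
    A three-digit argument leaves the leading (setuid/setgid/sticky) digit at 0,
    which is why 'chmod 0775' and 'chmod 775' both clear setUID on a file."""
    new = int(digits, 8)
    if new > 0o7777:
        raise ValueError("mode out of range")
    return (mode & ~0o7777) | new


SYMBOLIC = re.compile(r"^([ugoa]*)([+\-=])([rwxst]+)$")
SHIFT = {"u": 6, "g": 3, "o": 0}


def chmod_symbolic(mode: int, spec: str) -> int:
    """Apply one mnemonic clause such as u+s, g-w, a+x, o=r."""
    m = SYMBOLIC.match(spec)
    if not m:
        raise ValueError(f"bad mode: {spec}")
    who, op, perms = m.groups()
    who = "ugo" if (not who or "a" in who) else who
    bits = 0
    for w in who:
        for p in perms:
            if p == "r":
                bits |= 4 << SHIFT[w]
            elif p == "w":
                bits |= 2 << SHIFT[w]
            elif p == "x":
                bits |= 1 << SHIFT[w]
            elif p == "s" and w == "u":
                bits |= stat.S_ISUID
            elif p == "s" and w == "g":
                bits |= stat.S_ISGID
            elif p == "t":
                bits |= stat.S_ISVTX
    if op == "+":
        return mode | bits
    if op == "-":
        return mode & ~bits
    # '=' replaces only the bits of the named classes
    clear = 0
    for w in who:
        clear |= 7 << SHIFT[w]
        clear |= {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": 0}[w]
    return (mode & ~clear) | bits


def render(mode: int) -> str:
    """The nine-character rwx string ls -l prints. A set setuid/setgid/sticky bit
    shows as 's'/'t' in the x slot (uppercase when x itself is not set)."""
    out = []
    for shift, special, ch in ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t")):
        bits = (mode >> shift) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            out.append(ch if bits & 1 else ch.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def exec_credentials(real_uid: int, effective_uid: int, file_mode: int, file_owner: int) -> tuple:
    """Credentials after exec: the real UID never changes; the effective UID
    becomes the file owner only when the setuid bit is set, otherwise it stays."""
    if file_mode & stat.S_ISUID:
        return real_uid, file_owner
    return real_uid, effective_uid


if __name__ == "__main__":
    m = chmod_octal(0o666, "4775")          # the post's first command
    print(render(m), render(chmod_octal(m, "0775")), render(chmod_symbolic(0o775, "u+s")))
    # shell (uid 2000) running a setuid-root file: real stays 2000, effective becomes 0
    print(exec_credentials(2000, 2000, 0o4755, 0))
```

The `exec_credentials` rule is what makes a setUID-root binary such as `system/bin/run-as` in the header interesting from a defender's view: whoever may execute it runs with effective UID 0 while keeping their own real UID, so the set of such files on a device is worth auditing.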

Capabilities

Capabilities: fine-grained privilege control

Process capabilities
    Permitted capability set
        The fence around the process's power; the maximum range of power; a superset of the effective capability set
    Effective capability set
        The set of powers the process actually uses (wields); every capability in it must belong to the permitted capability set.
        Like the Effective UID, this set is the actual marker of power.
    Inheritable capability set
        The only capability set a child process can inherit directly. In capability mode,
        only the child's inheritable capability set = the parent's inheritable capability set; nothing else is inherited
File capabilities
    Permitted capability set
        The permitted capabilities this executable can bring to the process
    Effective capability set
        Only 1 bit, enable or disable; indicates whether the permitted capability set of the process running
        this executable is automatically assigned in full to its effective capability set.
        Typically used for backward compatibility with traditional root-setUID executables.
    Inheritable capability set
        ANDed with the process's inheritable capability set to decide the new process's permitted capability set

The capability bounding set
    The capability bounding set is a process attribute
    It is the safety fence (a capability set) a process sets for itself,
        restricting the executable's permitted capability set so that only part of it can turn into the process's permitted capability set
    The capability bounding set is inherited by child processes
    The init process's default capability bounding set is all ones

Capabilities of a spawned process
    P' the child process,  P the parent process,  F the executable the child runs

    P'(permitted) = (P(inheritable)&F(inheritable))|(F(permitted)&cap_bset)
    P'(effective) = F(effective)?P'(permitted):0
    P'(inheritable) = P(inheritable)
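The three formulas above, evaluated on bitmasks, as an added example that is not part of the original post. The capability numbers are the Linux `capability.h` constants (CAP_NET_ADMIN = 12, CAP_NET_RAW = 13, CAP_SYS_BOOT = 22); the process and file values are constructed for illustration, and the "all ones" bounding set width of 41 bits corresponds to CAP_LAST_CAP = 40 in Linux 5.8 and later.

```python
# Added example (not from the original post): the spawn formula on bitmasks.
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAP_SYS_BOOT = 22

# 41 capabilities (0..40) exist as of Linux 5.8; init's default bounding set is all ones.
ALL_CAPS = (1 << 41) - 1


def caps(*nums: int) -> int:
    """Build a capability bitmask from capability numbers."""
    mask = 0
    for n in nums:
        mask |= 1 << n
    return mask


def has(mask: int, cap: int) -> bool:
    return bool(mask & (1 << cap))


def spawn(p_inheritable: int, cap_bset: int,
          f_permitted: int, f_inheritable: int, f_effective: bool) -> dict:
    """P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)
       P'(effective)   = P'(permitted) if F(effective) else 0
       P'(inheritable) = P(inheritable)"""
    permitted = (p_inheritable & f_inheritable) | (f_permitted & cap_bset)
    return {
        "permitted": permitted,
        "effective": permitted if f_effective else 0,
        "inheritable": p_inheritable,
    }


def fmt(mask: int) -> str:
    """Readable listing of the capability numbers set in a mask."""
    return "{" + ", ".join(str(i) for i in range(41) if has(mask, i)) + "}"


if __name__ == "__main__":
    # A ping-like file: file permitted = {NET_RAW}, file effective bit on.
    r = spawn(p_inheritable=0, cap_bset=ALL_CAPS,
              f_permitted=caps(CAP_NET_RAW), f_inheritable=0, f_effective=True)
    print("ping-like:", {k: fmt(v) for k, v in r.items()})
    # Same file, but the parent's bounding set already dropped NET_RAW:
    r2 = spawn(0, ALL_CAPS & ~caps(CAP_NET_RAW), caps(CAP_NET_RAW), 0, True)
    print("bounded:  ", {k: fmt(v) for k, v in r2.items()})
```

The second run is the point of the bounding set: once a process has removed a capability from `cap_bset`, no file capability can bring it back for that process or its descendants, and the inheritable path needs the capability in both the parent's and the file's inheritable sets.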