One of the key security features of Linux operating systems is identifiers. Identifiers are integers that are assigned to users, processes, or groups. They can restrict or permit access to services. In this article, we’ll discuss the different identifiers and their functions.
2. What Are UIDs?
A user identifier or UID is a value the system uses to distinguish user accounts from each other. Additionally, UIDs specify the privileges of a user, such as the files and directories a user can access. A UID can determine whether a user is an owner of a process. This is important because only the owner of a process can send signals to it. When the value of the UID is 0, that means it is the root user.
We can view the UIDs in the passwd file, which resides in the /etc folder:
    $ cat /etc/passwd |head
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    ...
The first field is the name of the user, while the third field is the user’s respective UID. There are four different types of UIDs, namely:
- Real User Identifier or RUID
- Effective User Identifier or EUID
- Saved User Identifier or SUID
- File System User Identifier or FSUID
2.1. What Is an RUID?
An RUID discerns the real owner of a process. Moreover, every process owned by a user will have the same RUID.
2.2. What Is an EUID?
When a user requires superuser privileges to perform a task, the kernel checks the EUID to see if this is possible. Initially, the value of the EUID is the same as the value of the RUID. However, the value of the EUID can change. Certain programs such as sudo are known as setuid binaries. These programs temporarily change the EUID to 0 so that the user has superuser privileges.
2.3. What Is an SUID?
When a user is running some privileged tasks but needs to temporarily perform unprivileged tasks, the value of the EUID has to change. But the kernel needs to store the previous value of the EUID somewhere. That is where the SUID comes in. When the user needs to perform privileged tasks again, its EUID will change to the privileged value stored in the SUID.
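The EUID and SUID mechanics from sections 2.2 and 2.3, as an added C example that is not part of the original article: a temporary drop changes only the EUID and can be undone from the saved UID, while a permanent drop overwrites all three IDs and verifies the result. The struct and function names are illustrative; the code assumes Linux with glibc's getresuid()/setresuid().

```c
#define _GNU_SOURCE              /* exposes getresuid()/setresuid() in glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Repeated so the block still compiles if a system header was pulled in
 * before _GNU_SOURCE was defined. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

struct uids { uid_t ruid, euid, suid; };

/* Read the real, effective and saved UID of the calling process. */
static int read_uids(struct uids *u) {
    return getresuid(&u->ruid, &u->euid, &u->suid);
}

/* Temporary drop: change only the EUID ((uid_t)-1 means "leave as is").
 * The saved UID keeps the old, possibly privileged, value. */
static int drop_temporarily(uid_t unpriv) {
    return setresuid((uid_t)-1, unpriv, (uid_t)-1);
}

/* Restore the EUID from the saved UID, as section 2.3 describes. */
static int restore_from_saved(void) {
    struct uids u;
    if (read_uids(&u) != 0) return -1;
    return setresuid((uid_t)-1, u.suid, (uid_t)-1);
}

/* Permanent drop: overwrite all three IDs, then verify. A real program
 * drops its group IDs first (setgroups/setresgid); not shown here. */
static int drop_permanently(uid_t unpriv) {
    struct uids u;
    if (setresuid(unpriv, unpriv, unpriv) != 0) return -1;
    if (read_uids(&u) != 0) return -1;
    if (u.ruid != unpriv || u.euid != unpriv || u.suid != unpriv) return -1;
    if (unpriv != 0 && setuid(0) == 0) return -1;  /* root must be gone */
    return 0;
}

int main(void) {
    struct uids u;
    uid_t me = getuid();          /* the real UID is always a legal target */
    if (drop_temporarily(me) || restore_from_saved() || drop_permanently(me))
        return 1;
    if (read_uids(&u) != 0) return 1;
    printf("ruid=%u euid=%u suid=%u\n", (unsigned)u.ruid, (unsigned)u.euid, (unsigned)u.suid);
    return 0;
}
```

Run from an ordinary shell, all three IDs are already equal, so the calls succeed without changing anything; the difference only becomes visible in a process that starts with an EUID of 0 and a non-zero RUID.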
2.4. What Is an FSUID?
This identifier is usually the same as an EUID unless it is explicitly set. The FSUID is strictly for access checks to the filesystem. The FSUID exists solely for programs such as the NFS server. Furthermore, any other program that doesn’t need filesystem rights won’t have its FSUID changed.
3. What Are GIDs?
Similarly, a group identifier or GID is a number that systems use to distinguish groups from each other. Just like UIDs, the first 100 GIDs are system-related. We can view the GIDs using the group file in the /etc folder:
    $ cat /etc/group |head
    root:x:0:
    bin:x:1:
    daemon:x:2:
    sys:x:3:
    ...
The first field is the name of the group, while the third field is the group’s respective GID. Furthermore, processes have real (RGID), effective (EGID), saved (SGID), and file system (FSGID) identifiers. These are identical to the various UIDs except, in this case, the identifier applies to groups and not users.
4. What Are PIDs?
Process identifiers (PIDs) are unique values that are automatically assigned to processes on a Linux system. PIDs start from 0. The process that has the ID 0 is part of the kernel and is not regarded as a normal user-mode process.
The process with the PID 1 is the init process. The init process is the first process that starts when a system boots. There is a maximum limit for the number of processes a system can have. Usually, this depends on the memory capacity of the system.
We can view the maximum number of processes in the pid_max file:
    $ cat /proc/sys/kernel/pid_max
    4194304
4.1. What Is a PPID?
A program can spin up various processes to complete a task. The processes that are created are called child processes. The parent process is responsible for creating child processes. The parent process identifier (PPID) is the PID of the parent process. Child processes have their own PID but will have the same PPID if they share the same parent. Let’s view the top 5 processes on our system and see what process owns them:
    $ ps -eo pid,ppid,cmd |head
      PID  PPID CMD
        1     0 /usr/lib/systemd/systemd --switched-root --system --deserialize 18
        2     0 [kthreadd]
        3     2 [rcu_gp]
        4     2 [rcu_par_gp]
        6     2 [kworker/0:0H-events_highpri]
    ...
4.2. What Is a PGID?
A process group identifier or PGID is a number that distinguishes process groups. A process group is a collection of processes. We need process groups because they allow the system to keep track of which processes are working together. Let’s spin up a new process by opening a browser on our system:
    $ ps -eo pid,ppid,pgid,cmd
    ...
     3127     1  2414 /usr/lib64/firefox/firefox
     3189  3127  2414 /usr/lib64/firefox/firefox -contentproc -parentB
     3308  3127  2414 /usr/lib64/firefox/firefox -contentproc -childID
     3378  3127  2414 /usr/lib64/firefox/firefox -contentproc -childID
     3492  3127  2414 /usr/lib64/firefox/firefox -contentproc -childID
    ...
We see that the process that has the PID of 3127 has many child processes. The parent process and its children all have the same PGID of 2414. Upon further investigation, we see that the process with the PID 2414 is the GNOME Display Manager (GDM). The GDM is responsible for the graphical display on our system:
    $ ps -eo pid,cmd |grep 2414
     2414 /usr/libexec/gdm-x-session --register-session --run-script env GNOME_SHELL_SESSION_MODE=classic gnome-session --session gnome-classic
     3802 grep --color=auto 2414
5. What Are Session IDs?
Similarly, a session is a collection of process groups. A session ID has the same value as the PID of the session leader. The session leader is the first member of the session. All processes that are spun up during a specific login process will be members of the same session:
    $ ps -eo pid,ppid,sid,cmd
    ...
     4521  4203  2414 /usr/lib64/firefox/firefox -contentproc -childID 3
     4595  4203  2414 /usr/lib64/firefox/firefox -contentproc -childID 5
     4688  4203  2414 /usr/lib64/firefox/firefox -contentproc -childID 6
     4725  4203  2414 /usr/lib64/firefox/firefox -contentproc -parentBuildID
    ...
We see that the SID of the various processes associated with our browser has the same value as the GDM process. Therefore, the system can kill all processes belonging to a session once we log off the system.
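How a session leader gets its IDs, as an added C example that is not part of the original article: a forked child calls setsid() and reports its identifiers back through a pipe. The child becomes the leader of a new session and a new process group, so its SID and PGID equal its own PID, while its PPID still points at the parent. The struct and function names are illustrative.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct ids { pid_t pid, ppid, pgid, sid; };

/* Collect the identifiers of the calling process. */
static void fill_ids(struct ids *out) {
    out->pid  = getpid();
    out->ppid = getppid();
    out->pgid = getpgid(0);
    out->sid  = getsid(0);
}

/* Fork a child that starts a new session; return both sets of IDs. */
static int new_session_demo(struct ids *parent, struct ids *child) {
    int fds[2], status;
    if (pipe(fds) != 0) return -1;
    fill_ids(parent);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct ids c;
        close(fds[0]);
        /* A freshly forked child is never a process-group leader,
         * so setsid() is allowed to succeed here. */
        if (setsid() == (pid_t)-1) _exit(1);
        fill_ids(&c);
        if (write(fds[1], &c, sizeof c) != (ssize_t)sizeof c) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], child, sizeof *child);
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (n != (ssize_t)sizeof *child) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    struct ids p, c;
    if (new_session_demo(&p, &c) != 0) return 1;
    printf("parent pid=%d pgid=%d sid=%d\n", (int)p.pid, (int)p.pgid, (int)p.sid);
    printf("child  pid=%d ppid=%d pgid=%d sid=%d\n",
           (int)c.pid, (int)c.ppid, (int)c.pgid, (int)c.sid);
    return 0;
}
```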
6. What Are TIDs?
A process can have several threads. A thread is a lightweight process. A process can do more than one unit of work simultaneously by using threads. A thread ID or TID is a value the system assigns to a thread. When a process has a single thread doing the job, the TID will have the same value as the PID of the process it belongs to.
In summary, we use identifiers to distinguish users, groups, and processes. Furthermore, processes exist within a process group, and process groups exist in a session. Additionally, processes have sub-processes called threads which assist in completing tasks simultaneously. These must all have their own corresponding IDs. Identifiers ensure that the system manages users, processes, and groups efficiently.