
   
Privileged processes

For the purpose of our discussion, a privileged process may belong to one of the following three categories:

interactive:
This is a generic process started by the system administrator. Both the User IDentifier (UID) and the Effective User IDentifier (EUID) are equal to 0. It does not make much sense to monitor such processes, since any user able to start them has full control of the system. However, we must prevent a privileged process from migrating to this category if it was started in a different one.

background:
This is usually either a daemon process started at boot time or a process started periodically by the cron daemon on root's behalf. Following [Stevens] and [Comer], we assume that such processes never need a controlling terminal. To distinguish them within the kernel, we resort to the following check:
    !((proc)->euid) && ((proc)->tty == NULL)
Here, the first logical clause checks whether the process runs with root privileges (EUID=0), whereas the second one checks that the process has no controlling terminal. We block any attempt made by these processes to re-acquire a controlling terminal. Note that a daemon can still open a terminal device (e.g. /dev/tty or /dev/console) to log error messages.

setuid:
When a program with the setuid access mode is executed, the effective UID of the process is set equal to the UID of the program file's owner. As a consequence, access to files and system resources is carried out with the identity of the owner of the program file. This is the standard UNIX mechanism to grant ordinary users special privileges on a temporary basis. A process can be identified as setuid to root (EUID=0) by means of the following simple check:
    !((proc)->euid) && (proc)->uid
Note that a setuid process started by the user root has UID=0. For this special case the same considerations made for an interactive root process apply.
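
The three categories and the migration rule can be exercised outside the kernel. The following is an added example, not code from the paper: struct proc_model, classify() and transition_allowed() are hypothetical names, the struct is a user-space stand-in for the kernel's process structure, and trying the setuid check before the background check is an assumption the text does not state.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model of the fields the checks read (assumed, not the kernel's struct). */
struct proc_model {
    unsigned uid;     /* real UID */
    unsigned euid;    /* effective UID */
    const void *tty;  /* controlling terminal, NULL if none */
};

enum priv_class { UNPRIVILEGED, INTERACTIVE, BACKGROUND, SETUID_ROOT };

/* The two checks quoted in the text. */
#define IS_BACKGROUND(p)  (!((p)->euid) && ((p)->tty == NULL))
#define IS_SETUID_ROOT(p) (!((p)->euid) && (p)->uid)

/* Assumption: the setuid check is tried first, since a setuid-root process
 * without a terminal satisfies both expressions. */
enum priv_class classify(const struct proc_model *p)
{
    if (p->euid != 0)      return UNPRIVILEGED;
    if (IS_SETUID_ROOT(p)) return SETUID_ROOT;  /* EUID=0, UID!=0 */
    if (IS_BACKGROUND(p))  return BACKGROUND;   /* UID=EUID=0, no tty */
    return INTERACTIVE;                         /* UID=EUID=0 with a tty */
}

/* Returns 1 if the new state may be entered, 0 if it must be blocked:
 * a process started as background or setuid must not become interactive. */
int transition_allowed(enum priv_class started_as, const struct proc_model *after)
{
    int privileged_start = (started_as == BACKGROUND || started_as == SETUID_ROOT);
    return !(privileged_start && classify(after) == INTERACTIVE);
}

int main(void)
{
    static const int console = 0;  /* constructed stand-in for a terminal */
    struct proc_model daemon = { 0, 0, NULL };
    enum priv_class start = classify(&daemon);
    daemon.tty = &console;         /* daemon tries to acquire a controlling tty */
    printf("start=%d allowed=%d\n", start, transition_allowed(start, &daemon));
    return 0;
}
```

A setuid-root process whose real UID becomes 0 is rejected by the same rule, because its new state is indistinguishable from an interactive root process.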



2000-08-22