5

I need to write some C code to check the effective GID of a running process whose PID I know. I've not found any direct way to do this. There are a number of heavyweight kludges I could use, such as invoking `popen("/bin/ps ARGS", "r")` and parsing its output, or `fopen("/proc/PID/status", "r")` and parsing that output, but I'm looking for a cleaner, more direct approach. If only `getegid()` took a PID argument...

slm
BobDoolittle
  • Isn't this what you want? http://pubs.opengroup.org/onlinepubs/009695399/functions/getpgid.html – slm Jul 02 '14 at 23:17
  • @slm No, `getpgid` concerns the PGID = process group ID, which is a parameter related to job control and not related to the security credentials UID/EUID/GID/EGID – Celada Jul 03 '14 at 01:54
  • OK - sorry to keep throwing links to you but what about this code: http://c.happycodings.com/c-on-unix/code12.html – slm Jul 03 '14 at 01:59
  • @slm The OP already mentioned `getegid()` and that system call is only able to give you your *own* GID, not that of another process. Too bad about that :-( – Celada Jul 03 '14 at 02:12

2 Answers

3

I don't know of any portable way to do this. I thought maybe `ptrace()`, but I can't see how from the manpage. Even if that works, "tracing" the other process in any way is probably unnecessarily invasive.

For Linux, your suggestion to use `fopen("/proc/PID/status", "r")` is about as clean and direct as you're going to get. It seems to be what gdb does.

Celada
  • It seems crazy to parse multiple lines of a text file to do a simple thing like this, but this is what I was afraid of. Thanks. – BobDoolittle Jul 03 '14 at 13:39
  • 2
    You can also do `stat("/proc/nnn", &stb)`; the process's effective gid will be in `stb.st_gid`. This is simultaneously more portable (it works on Linux and FreeBSD) and less portable (it's not documented). – Mark Plotnick Jul 06 '14 at 04:41
  • 1
    @MarkPlotnick great idea, I didn't think of that. – Celada Jul 15 '14 at 22:08
  • @MarkPlotnick That *is* a great idea! Somehow I never saw it when you made this comment. Can you make it an actual answer so I can mark it as such for others? – BobDoolittle Jan 01 '17 at 20:08
1

This appears to be a very popular question, so I want to make the answer very clear. @MarkPlotnick gave the best answer, as a comment to the previous (pretty good) answer, but we haven't gotten his attention to repost it so I can accept it as a proper answer and help people out. So, with apologies to Mark:

Mark Plotnick says: You can also do `stat("/proc/nnn", &stb)`; the process's effective gid will be in `stb.st_gid`. This is simultaneously more portable (it works on Linux and FreeBSD) and less portable (it's not documented).

Thanks Mark!

BobDoolittle
  • `stat` is good. Still doesn't give additional groups. Or I can't see that. – akostadinov Dec 08 '20 at 20:32
  • There are two separate issues here. A process has only one GID. Perhaps you are thinking of how a user can type "groups" and see multiple group memberships. That mechanism is unrelated. – BobDoolittle Dec 15 '20 at 23:28
  • I was looking for a way to see all group permissions a process has, when I found this question. So it depends on lurker's needs whether it is related or not ;) btw I have upvoted your answer which is good. I am merely pointing out a limitation of this method. – akostadinov Dec 17 '20 at 08:01
  • @akostadinov It is a common confusion that people expect a process can belong to multiple groups. It can't. A process belongs to a single group. Users can belong to multiple groups, and files can have permissions for multiple groups, but processes can't. – BobDoolittle Jan 07 '21 at 23:30
  • 1
    Here's a reasonable description of how groups work: https://jvns.ca/blog/2017/11/20/groups/ Ignore the first section. For some reason the blogger decided to start describing groups incorrectly and then correct it. Not helpful. – BobDoolittle Jan 07 '21 at 23:46
  • Your last comment (very useful) contradicts your previous one. The blog describes that supplementary groups are also attributed to the process. Otherwise there would be no way to access files based on supplementary group permissions from my shell. – akostadinov Jan 08 '21 at 01:15
  • A process can only have a single GID and a single effective GID (which was what the OP asked about). Those are very specific concepts and data structures in Unix/Linux. But you can have supplementary groups, which provide the behavior you observe. – BobDoolittle Mar 25 '21 at 22:19
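
The two approaches from the answers above, parsing `/proc/PID/status` and calling `stat()` on `/proc/PID`, side by side as an added example (not code from any of the posters). The function names `parse_gid_line`, `egid_from_status` and `egid_from_stat` are hypothetical, and the field order of the `Gid:` line is the Linux one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse one line of /proc/PID/status. The Linux "Gid:" line carries four
 * fields: real, effective, saved-set and filesystem GID. Returns 0 on match. */
int parse_gid_line(const char *line, gid_t *egid)
{
    unsigned int rgid, e;
    if (sscanf(line, "Gid: %u %u", &rgid, &e) != 2) return -1;
    *egid = (gid_t)e;
    return 0;
}

/* Approach 1: scan /proc/PID/status until the Gid: line is found. */
int egid_from_status(pid_t pid, gid_t *egid)
{
    char path[64], line[256];
    int rc = -1;
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (rc != 0 && fgets(line, sizeof line, f))
        rc = parse_gid_line(line, egid);
    fclose(f);
    return rc;
}

/* Approach 2: group owner of the /proc/PID directory. Undocumented as an API;
 * Linux reports root:root here when the target is not dumpable (see proc(5)). */
int egid_from_stat(pid_t pid, gid_t *egid)
{
    char path[64];
    struct stat stb;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &stb) != 0) return -1;
    *egid = stb.st_gid;
    return 0;
}

int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    gid_t g;
    if (egid_from_status(pid, &g) == 0) printf("status: egid=%u\n", (unsigned)g);
    if (egid_from_stat(pid, &g) == 0)   printf("stat:   gid=%u\n", (unsigned)g);
    return 0;
}
```

Both lookups race with process exit and PID reuse, so a result describes whatever process held that PID at the moment of the read.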