The ability to change the persona of a process can be a source of unintentional privacy violations, or even intentional abuse. Because of the potential for problems, changing persona is restricted to special circumstances.
You can’t arbitrarily set your user ID or group ID to anything you want; only privileged processes can do that. Instead, the normal way for a program to change its persona is that it has been set up in advance to change to a particular user or group. This is the function of the setuid and setgid bits of a file’s access mode. See The Mode Bits for Access Permission.
When the setuid bit of an executable file is on, executing that file gives the process a third user ID: the file user ID. This ID is set to the owner ID of the file. The system then changes the effective user ID to the file user ID. The real user ID remains as it was. Likewise, if the setgid bit is on, the process is given a file group ID equal to the group ID of the file, and its effective group ID is changed to the file group ID.
If a process has a file ID (user or group), then it can at any time change its effective ID to its real ID and back to its file ID. Programs use this feature to relinquish their special privileges except when they actually need them. This makes it less likely that they can be tricked into doing something inappropriate with their privileges.
Portability Note: Older systems do not have file IDs.
To determine if a system has this feature, you can test the compiler
define _POSIX_SAVED_IDS
. (In the POSIX standard, file IDs are
known as saved IDs.)
See File Attributes, for a more general discussion of file modes and accessibility.