User and Group Privileges

 Each process has some form of associated Process Identifier, (PID) through which it may be manipulated. The process also carries the User Identifier (UID) of the person who initiated the process and will also have group identifier (GID).

 The UID is used to decide privilege to perform operations on resources such as files. Processes will normally belong to one or more process groups. A group identifier (GID) is used by the kernel to identify privileges allocated to a group of users and hence their created processes. Groups allow subsets of the available privileged operations (such as granting of access to files, printers, ability to create directories) to be restricted to members of a particular group only, with non members of the group being excluded from performing those operations.


Linux   Windows NT
On a Unix derivative system such as Linux the PID, UID and GID identifiers equate to simple integers which are associated with processors as part of their Process Control Block.   A process handle is used for the process identifier. A process handle is a special case of an Object handle, where object handles may reference files, devices and processes. 


On Unix processes maintain a parent-child relationship where the process that initiates a sub process becomes a parent to it?s child via a fork and optional exec operation to first clone the parent process and then replace it with a new executable process image. Due to this relationship it is possible to terminate all child processes by sending a KILL signal to the parent. All of the processes in the system are accessed via a doubly linked list whose root is the init process?s task_struct data structure. 


  Windows NT processes do not maintain a parent-child relationship. Instead a process maintains an Object table to hold handles of other processes.  


When a new process is created it inherits all object handles from its creator that were previously marked with the inheritance attribute.  


Access to resources is decided as a result of the combination of resource defined permissions and a combination of the UID, GID (or effective UID and GID) under which a process is running. The owner of a resource or the administrator may grant access to a user or group of users.   The NT Object Manager attaches an access token to a process which is checked against a resource's permissions to decide what granted access rights the process is allowed. The owner of a resource or the administrator may grant access permissions to a user or group of users.

Example : a Linux device may be allocated the bitmask permissions of crwxr-x---, may be owned by the root user (UID=0) and be allocated to the admin group. The allocated permissions of the device indicate that a process operating for the root user will have read, write and execute permissions on the device. A process operating with an effective GID of the admin group will have read and execute permissions, with other users being prevented from carrying out any operations on the device.