The Linux Security Journey — RUID (Real User ID)

RUID stands for “Real UserID”, which is the user who initiated a specific operation (https://linuxhint.com/difference-between-real-effective-user-id-in-linux-os/). Thus, we can say that it is basically the UID (https://medium.com/@boutnaru/the-linux-security-journey-uid-user-identifier-2f11bcf90ee8) of the user that started the specific task/process (https://www.geeksforgeeks.org/real-effective-and-saved-userid-in-linux/).

Overall, RUID is the “uid” field of the Linux’s “struct cred” data structure (https://elixir.bootlin.com/linux/v6.5.8/source/include/linux/cred.h#L119). This information is also included as part of the “Auxiliary Vector” (https://medium.com/@boutnaru/linux-the-auxiliary-vector-auxv-cba527871b50) in the “AT_UID” entry (https://elixir.bootlin.com/linux/v6.5.8/source/include/uapi/linux/auxvec.h#L20).

Moreover, there could be specific syscalls that use only the real uid/group id (and not the effective uid — which I am going to detail about in a future writeup), one example of that is access (https://elixir.bootlin.com/linux/v6.5.8/source/fs/open.c#L368).

Lastly, another example of usage is by the “passwd” command line utility (https://man7.org/linux/man-pages/man1/passwd.1.html). When executing it gets the permissions of the root user. However, due to the fact the “real uid” is not changed by using a “suid bit” (https://medium.com/@boutnaru/linux-security-suid-bit-d4f553e7d99e) we can’t change the password of a user which is not us (unless we are the “root” user) — as shown in the screenshot below.