1994-05-27 05:00:24 +00:00
|
|
|
.\" Copyright (c) 1983, 1991, 1993
|
|
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
.\" 4. Neither the name of the University nor the names of its contributors
|
|
|
|
.\" may be used to endorse or promote products derived from this software
|
|
|
|
.\" without specific prior written permission.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
|
|
|
.\"
|
|
|
|
.\" @(#)setuid.2 8.1 (Berkeley) 6/4/93
|
1999-08-28 00:22:10 +00:00
|
|
|
.\" $FreeBSD$
|
1994-05-27 05:00:24 +00:00
|
|
|
.\"
|
2015-12-15 15:08:29 +00:00
|
|
|
.Dd December 15, 2015
|
1994-05-27 05:00:24 +00:00
|
|
|
.Dt SETUID 2
|
2001-07-10 13:41:46 +00:00
|
|
|
.Os
|
1994-05-27 05:00:24 +00:00
|
|
|
.Sh NAME
|
|
|
|
.Nm setuid ,
|
|
|
|
.Nm seteuid ,
|
|
|
|
.Nm setgid ,
|
2004-07-05 17:12:53 +00:00
|
|
|
.Nm setegid
|
1994-05-27 05:00:24 +00:00
|
|
|
.Nd set user and group ID
|
2000-04-21 09:42:15 +00:00
|
|
|
.Sh LIBRARY
|
|
|
|
.Lb libc
|
1994-05-27 05:00:24 +00:00
|
|
|
.Sh SYNOPSIS
|
2001-10-01 16:09:29 +00:00
|
|
|
.In unistd.h
|
1994-05-27 05:00:24 +00:00
|
|
|
.Ft int
|
|
|
|
.Fn setuid "uid_t uid"
|
|
|
|
.Ft int
|
|
|
|
.Fn seteuid "uid_t euid"
|
|
|
|
.Ft int
|
|
|
|
.Fn setgid "gid_t gid"
|
|
|
|
.Ft int
|
|
|
|
.Fn setegid "gid_t egid"
|
|
|
|
.Sh DESCRIPTION
|
|
|
|
The
|
|
|
|
.Fn setuid
|
2002-12-18 09:22:32 +00:00
|
|
|
system call
|
1994-05-27 05:00:24 +00:00
|
|
|
sets the real and effective
|
|
|
|
user IDs and the saved set-user-ID of the current process
|
|
|
|
to the specified value.
|
1996-09-03 11:32:01 +00:00
|
|
|
.\" Comment out next block for !_POSIX_SAVED_IDS
|
1996-12-06 22:53:52 +00:00
|
|
|
.\" The real user ID and the saved set-user-ID are changed only if the
|
|
|
|
.\" effective user ID is that of the super user.
|
|
|
|
.\" I.e.
|
|
|
|
.\" .Fn setuid
|
2002-12-18 09:22:32 +00:00
|
|
|
.\" system call is equal to
|
1996-12-06 22:53:52 +00:00
|
|
|
.\" .Fn seteuid
|
2002-12-18 09:22:32 +00:00
|
|
|
.\" system call if the effective user ID is not that of the super user.
|
1996-09-03 11:32:01 +00:00
|
|
|
.\" End of block
|
1994-05-27 05:00:24 +00:00
|
|
|
The
|
|
|
|
.Fn setuid
|
2002-12-18 09:22:32 +00:00
|
|
|
system call is permitted if the specified ID is equal to the real user ID
|
1996-09-01 22:42:13 +00:00
|
|
|
.\" Comment out next line for !_POSIX_SAVED_IDS
|
1996-12-06 22:53:52 +00:00
|
|
|
.\" or the saved set-user-ID
|
1997-04-02 17:24:16 +00:00
|
|
|
.\" Next line is for Appendix B.4.2.2 case.
|
|
|
|
or the effective user ID
|
1994-05-27 05:00:24 +00:00
|
|
|
of the process, or if the effective user ID is that of the super user.
|
|
|
|
.Pp
|
|
|
|
The
|
|
|
|
.Fn setgid
|
2002-12-18 09:22:32 +00:00
|
|
|
system call
|
1994-05-27 05:00:24 +00:00
|
|
|
sets the real and effective
|
|
|
|
group IDs and the saved set-group-ID of the current process
|
|
|
|
to the specified value.
|
1996-09-03 11:32:01 +00:00
|
|
|
.\" Comment out next block for !_POSIX_SAVED_IDS
|
1996-12-06 22:53:52 +00:00
|
|
|
.\" The real group ID and the saved set-group-ID are changed only if the
|
|
|
|
.\" effective user ID is that of the super user.
|
|
|
|
.\" I.e.
|
|
|
|
.\" .Fn setgid
|
2002-12-18 09:22:32 +00:00
|
|
|
.\" system call is equal to
|
1996-12-06 22:53:52 +00:00
|
|
|
.\" .Fn setegid
|
2002-12-18 09:22:32 +00:00
|
|
|
.\" system call if the effective user ID is not that of the super user.
|
1996-09-03 11:32:01 +00:00
|
|
|
.\" End of block
|
1994-05-27 05:00:24 +00:00
|
|
|
The
|
|
|
|
.Fn setgid
|
2002-12-18 09:22:32 +00:00
|
|
|
system call is permitted if the specified ID is equal to the real group ID
|
1996-09-01 22:42:13 +00:00
|
|
|
.\" Comment out next line for !_POSIX_SAVED_IDS
|
1998-06-04 21:06:07 +00:00
|
|
|
.\" or the saved set-group-ID
|
1997-04-02 17:24:16 +00:00
|
|
|
.\" Next line is for Appendix B.4.2.2 case.
|
|
|
|
or the effective group ID
|
1994-05-27 05:00:24 +00:00
|
|
|
of the process, or if the effective user ID is that of the super user.
|
|
|
|
.Pp
|
|
|
|
The
|
|
|
|
.Fn seteuid
|
2002-12-18 09:22:32 +00:00
|
|
|
system call
|
1994-05-27 05:00:24 +00:00
|
|
|
.Pq Fn setegid
|
|
|
|
sets the effective user ID (group ID) of the
|
|
|
|
current process.
|
|
|
|
The effective user ID may be set to the value
|
|
|
|
of the real user ID or the saved set-user-ID (see
|
|
|
|
.Xr intro 2
|
|
|
|
and
|
|
|
|
.Xr execve 2 ) ;
|
|
|
|
in this way, the effective user ID of a set-user-ID executable
|
|
|
|
may be toggled by switching to the real user ID, then re-enabled
|
|
|
|
by reverting to the set-user-ID value.
|
|
|
|
Similarly, the effective group ID may be set to the value
|
2003-01-07 05:06:27 +00:00
|
|
|
of the real group ID or the saved set-group-ID.
|
1994-05-27 05:00:24 +00:00
|
|
|
.Sh RETURN VALUES
|
2001-08-31 09:57:38 +00:00
|
|
|
.Rv -std
|
|
|
|
.Sh ERRORS
|
2002-12-18 09:22:32 +00:00
|
|
|
The system calls will fail if:
|
2001-08-31 09:57:38 +00:00
|
|
|
.Bl -tag -width Er
|
|
|
|
.It Bq Er EPERM
|
|
|
|
The user is not the super user and the ID
|
|
|
|
specified is not the real, effective ID, or saved ID.
|
|
|
|
.El
|
1994-05-27 05:00:24 +00:00
|
|
|
.Sh SEE ALSO
|
1997-01-20 23:23:22 +00:00
|
|
|
.Xr getgid 2 ,
|
1997-04-01 18:58:38 +00:00
|
|
|
.Xr getuid 2 ,
|
|
|
|
.Xr issetugid 2 ,
|
|
|
|
.Xr setregid 2 ,
|
|
|
|
.Xr setreuid 2
|
1994-05-27 05:00:24 +00:00
|
|
|
.Sh STANDARDS
|
|
|
|
The
|
|
|
|
.Fn setuid
|
|
|
|
and
|
|
|
|
.Fn setgid
|
2002-12-18 09:22:32 +00:00
|
|
|
system calls are compliant with the
|
1996-12-02 20:03:58 +00:00
|
|
|
.St -p1003.1-90
|
1994-05-27 05:00:24 +00:00
|
|
|
specification with
|
|
|
|
.Li _POSIX_SAVED_IDS
|
1996-09-01 22:42:13 +00:00
|
|
|
.\" Uncomment next line for !_POSIX_SAVED_IDS
|
1996-12-06 22:53:52 +00:00
|
|
|
not
|
1997-04-02 17:24:16 +00:00
|
|
|
defined with the permitted extensions from Appendix B.4.2.2.
|
1994-05-27 05:00:24 +00:00
|
|
|
The
|
|
|
|
.Fn seteuid
|
|
|
|
and
|
|
|
|
.Fn setegid
|
2002-12-18 09:22:32 +00:00
|
|
|
system calls are extensions based on the
|
1994-05-27 05:00:24 +00:00
|
|
|
.Tn POSIX
|
|
|
|
concept of
|
|
|
|
.Li _POSIX_SAVED_IDS ,
|
|
|
|
and have been proposed for a future revision of the standard.
|
1996-08-29 21:24:19 +00:00
|
|
|
.Sh HISTORY
|
2002-12-18 09:22:32 +00:00
|
|
|
The
|
1996-08-29 21:24:19 +00:00
|
|
|
.Fn setuid
|
2002-12-18 09:22:32 +00:00
|
|
|
and
|
1996-12-06 22:53:52 +00:00
|
|
|
.Fn setgid
|
2002-12-18 09:22:32 +00:00
|
|
|
functions appeared in
|
1996-08-29 21:24:19 +00:00
|
|
|
.At v7 .
|
2010-05-13 12:07:55 +00:00
|
|
|
.Sh SECURITY CONSIDERATIONS
|
|
|
|
Read and write permissions to files are determined upon a call to
|
|
|
|
.Xr open 2 .
|
|
|
|
Once a file descriptor is open, dropping privilege does not affect
|
|
|
|
the process's read/write permissions, even if the user ID specified
|
|
|
|
has no read or write permissions to the file.
|
|
|
|
These files normally remain open in any new process executed,
|
|
|
|
resulting in a user being able to read or modify
|
|
|
|
potentially sensitive data.
|
|
|
|
.Pp
|
|
|
|
To prevent these files from remaining open after an
|
|
|
|
.Xr exec 3
|
2012-01-15 20:14:52 +00:00
|
|
|
call, be sure to set the close-on-exec flag:
|
2010-05-13 12:07:55 +00:00
|
|
|
.Bd -literal
|
|
|
|
void
|
|
|
|
pseudocode(void)
|
|
|
|
{
|
|
|
|
int fd;
|
|
|
|
/* ... */
|
|
|
|
|
2015-09-13 14:00:49 +00:00
|
|
|
fd = open("/path/to/sensitive/data", O_RDWR | O_CLOEXEC);
|
2010-05-13 12:07:55 +00:00
|
|
|
if (fd == -1)
|
|
|
|
err(1, "open");
|
|
|
|
|
|
|
|
/* ... */
|
|
|
|
execve(path, argv, environ);
|
|
|
|
}
|
|
|
|
.Ed
|