d9fecc83c8
somewhat clearer, but more importantly allows for a consistent naming scheme for suser_cred flags. The old name is still defined, but will be removed in a few days (unless I hear any complaints...) Discussed with: rwatson, scottl Requested by: jhb
133 lines
4.1 KiB
Groff
133 lines
4.1 KiB
Groff
.\"
|
|
.\" Copyright (c) 1996 Julian R Elischer
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed by Kenneth Stailey.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
.\" must display the following acknowledgement:
|
|
.\" This product includes software developed for the FreeBSD Project
|
|
.\" by Julian R Elischer
|
|
.\" 4. The name of the author may not be used to endorse or promote products
|
|
.\" derived from this software without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
|
.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd April 2, 2002
|
|
.Dt SUSER 9
|
|
.Os
|
|
.Sh NAME
|
|
.Nm suser ,
|
|
.Nm suser_cred
|
|
.Nd check if credentials have superuser privilege
|
|
.Sh SYNOPSIS
|
|
.In sys/param.h
|
|
.In sys/systm.h
|
|
.Ft int
|
|
.Fn suser "struct thread *td"
|
|
.Ft int
|
|
.Fn suser_cred "struct ucred *cred" "int flag"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Fn suser
|
|
and
|
|
.Fn suser_cred
|
|
functions check if the credentials given include superuser powers.
|
|
.Pp
|
|
The
|
|
.Fn suser
|
|
function is the most common, and should be used unless special
|
|
circumstances dictate otherwise.
|
|
.Pp
|
|
The
|
|
.Fn suser_cred
|
|
function should be used when the credentials to be checked are
|
|
not the thread's own, when there is no thread, when superuser
|
|
powers should be extended to imprisoned roots, or when the credential
|
|
to be checked is the real user rather than the effective user.
|
|
.Pp
|
|
By default, a process does not command superuser powers if it has
|
|
been imprisoned by the
|
|
.Xr jail 2
|
|
system call.
|
|
There are cases however where this is appropriate, and this can
|
|
be done by passing
|
|
.Dv SUSER_ALLOWJAIL
|
|
in the
|
|
.Fa flag
|
|
argument to the
|
|
.Fn suser_cred
|
|
function.
|
|
It is important to review carefully in each case that
|
|
this does not weaken the prison.
|
|
Generally, only where the action is protected by
|
|
.Xr chroot 2
|
|
implicit in the
|
|
.Xr jail 2
|
|
call should such powers be granted.
|
|
.Pp
|
|
By default, the credential checked is the effective user. There are cases
|
|
where it is instead necessary to check the real user (for example, when
|
|
determining if resource limits should be applied), and this can be done
|
|
by passing the
|
|
.Dv SUSER_RUID
|
|
flag in the
|
|
.Fa flag
|
|
argument to the
|
|
.Fn suser_cred
|
|
function.
|
|
.Pp
|
|
The
|
|
.Fn suser
|
|
and
|
|
.Fn suser_cred
|
|
functions note the fact that superuser powers have been used in the
|
|
process structure of the process specified.
|
|
Because part of their function is to notice
|
|
whether superuser powers have been used,
|
|
the functions should only be called after other permission
|
|
possibilities have been exhausted.
|
|
.Sh RETURN VALUES
|
|
The
|
|
.Fn suser
|
|
and
|
|
.Fn suser_cred
|
|
functions return 0 if the user has superuser powers and
|
|
.Er EPERM
|
|
otherwise.
|
|
This is the
|
|
.Em reverse logic
|
|
of some other implementations of
|
|
.Fn suser
|
|
in which a TRUE response indicates superuser powers.
|
|
.Sh SEE ALSO
|
|
.Xr chroot 2 ,
|
|
.Xr jail 2
|
|
.Sh BUGS
|
|
The
|
|
.Fn suser
|
|
and
|
|
.Fn suser_cred
|
|
functions don't, in fact, record that superuser privileges have been
|
|
used, and haven't done so since August 2000.
|