From 880f5b4bc39386da3a4315644519bd7b5c438d6c Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Mon, 18 Jul 2005 14:25:42 +0000 Subject: [PATCH] Consistent use of "set-user-ID" and "set-group-ID". --- Changes | 12 +++++++++++- man1/chmod.1 | 12 +++++++----- man1/cp.1 | 6 +++--- man1/ls.1 | 8 ++++---- man1/mv.1 | 5 +++-- man2/access.2 | 3 ++- man2/execve.2 | 4 ++-- man2/fcntl.2 | 2 +- man2/mount.2 | 12 ++++++------ man2/prctl.2 | 4 ++-- man2/ptrace.2 | 5 +++-- man2/setgid.2 | 3 ++- man2/setuid.2 | 6 +++--- man2/statvfs.2 | 2 +- man2/truncate.2 | 3 ++- man3/dlopen.3 | 4 ++-- man3/getlogin.3 | 2 +- man3/grantpt.3 | 2 +- man3/system.3 | 6 +++--- man3/tempnam.3 | 2 +- man7/capabilities.7 | 8 ++++---- man7/pthreads.7 | 2 +- man8/ld.so.8 | 15 ++++++++------- 23 files changed, 73 insertions(+), 55 deletions(-) diff --git a/Changes b/Changes index e32a37dcb..99668b3c9 100644 --- a/Changes +++ b/Changes @@ -8,14 +8,18 @@ Contributors The following people contributed notes, ideas, or patches that have been incorporated in changes in this release: -### Andries Brouwer +Andries Brouwer ### Joey (Martin) Schulze +Mike Frysinger Apologies if I missed anyone! Global changes -------------- +The terms "set-user-ID" and "set-group-ID" are now used consistently +(no abbreviations) accorss all manual pages. + Typographical or grammatical errors have been corrected in several places. @@ -27,3 +31,9 @@ New pages Changes to individual pages --------------------------- + +stat.2 + Mike Frysinger + Improve description of st_dev and st_rdev. + mtk + Various wording and formatting improvements. diff --git a/man1/chmod.1 b/man1/chmod.1 index 4f047aad7..052b50742 100644 --- a/man1/chmod.1 +++ b/man1/chmod.1 @@ -56,8 +56,8 @@ sticky bit (t), the permissions that the user who owns the file currently has for it (u), the permissions that other users in the file's group have for it (g), and the permissions that other users not in the file's group have for it (o). -(Thus, `chmod g\-s file' removes the set-group-ID (sgid) bit, -\&`chmod ug+s file' sets both the suid and sgid bits, while +(Thus, `chmod g\-s file' removes the set-group-ID bit, +\&`chmod ug+s file' sets both the set-user-ID and set-group-ID bits, while \&`chmod o+s file' does nothing.) .PP The name of the `sticky bit' derives from the original meaning: @@ -133,7 +133,7 @@ usual meaning. POSIX 1003.2 only requires the \-R option. Use of other options may not be portable. This standard does not describe the 't' permission bit. This standard does not specify whether \fBchmod\fP must preserve -consistency by clearing or refusing to set the suid and sgid +consistency by clearing or refusing to set the set-user-ID and set-group-ID bits, e.g., when all execute bits are cleared, or whether \fBchmod\fP honors the `s' bit at all. .SH "NONSTANDARD MODES" @@ -142,8 +142,10 @@ Various systems attach special meanings to otherwise meaningless combinations of mode bits. In particular, Linux, following System V (see System V Interface Definition (SVID) Version 3), -lets the sgid bit for files without group execute permission -mark the file for mandatory locking. For more details, see +uses the combination of having the set-group-ID bit enabled +while group execute bit is disabled to mean that +mandatory locking is enabled for the file. +For more details, see the file .IR /usr/src/linux/Documentation/mandatory.txt . .SH NOTES diff --git a/man1/cp.1 b/man1/cp.1 index 8586af043..a1d00a24f 100644 --- a/man1/cp.1 +++ b/man1/cp.1 @@ -86,10 +86,10 @@ Only copy upon an affirmative answer.) .TP .B \-p Preserve the original files' owner, group, permissions -(including the setuid and setgid bits), time of last modification +(including the set-user-ID and set-group-ID bits), time of last modification and time of last access. -In case duplication of owner or group fails, the setuid and setgid -bits are cleared. +In case duplication of owner or group fails, +the set-user-ID and set-group-ID bits are cleared. (Note that afterwards source and copy may well have different times of last access, since the copy operation is an access to the source file.) diff --git a/man1/ls.1 b/man1/ls.1 index 3cc71fcaf..b25e5e951 100644 --- a/man1/ls.1 +++ b/man1/ls.1 @@ -222,12 +222,12 @@ combines multiple bits into the third character of each set of permissions .RS .TP .B s -If the setuid or setgid bit and the corresponding executable bit are -both set. +If the set-user-ID or set-group-ID bit and the corresponding +executable bit are both set. .TP .B S -If the setuid or setgid bit is set but the corresponding executable bit -is not set. +If the set-user-ID or set-group-ID bit is set +but the corresponding executable bit is not set. .TP .B t If the sticky bit and the other-executable bit are both set. diff --git a/man1/mv.1 b/man1/mv.1 index dd812a801..97c97f5a8 100644 --- a/man1/mv.1 +++ b/man1/mv.1 @@ -56,8 +56,9 @@ When they are on different filesystems, the source file is copied and then deleted. .B mv will copy modification time, access time, user and group ID, and mode -if possible. When copying user and/or group ID fails, the setuid and -setgid bits are cleared in the copy. +if possible. +When copying user and/or group ID fails, the set-user-ID and +set-group-ID bits are cleared in the copy. .SH "POSIX OPTIONS" .TP .B "\-f" diff --git a/man2/access.2 b/man2/access.2 index 66bbf55be..d25799007 100644 --- a/man2/access.2 +++ b/man2/access.2 @@ -77,7 +77,8 @@ links encountered on the way. The check is done with the process's .I real UID and GID, rather than with the effective IDs as is done when -actually attempting an operation. This is to allow set-UID programs to +actually attempting an operation. +This is to allow set-user-ID programs to easily determine the invoking user's authority. Only access bits are checked, not the file type or contents. Therefore, if diff --git a/man2/execve.2 b/man2/execve.2 index 4f4d092e2..d512939cd 100644 --- a/man2/execve.2 +++ b/man2/execve.2 @@ -64,10 +64,10 @@ The SIGCHLD signal (when set to SIG_IGN) may or may not be reset to SIG_DFL. If the current program is being ptraced, a \fBSIGTRAP\fP is sent to it after a successful \fBexecve()\fP. -If the set-uid bit is set on the program file pointed to by +If the set-user-ID bit is set on the program file pointed to by \fIfilename\fP, and the calling process is not being ptraced, then the effective user ID of the calling process is changed -to that of the owner of the program file. Similarly, when the set-gid +to that of the owner of the program file. Similarly, when the set-group-ID bit of the program file is set the effective group ID of the calling process is set to the group of the program file. diff --git a/man2/fcntl.2 b/man2/fcntl.2 index 838b88cf2..4a1c98417 100644 --- a/man2/fcntl.2 +++ b/man2/fcntl.2 @@ -335,7 +335,7 @@ To make use of mandatory locks, mandatory locking must be enabled .BR mount (8)) for the file system containing the file to be locked and enabled on the file itself (by disabling -group execute permission on the file and enabling the set-GID +group execute permission on the file and enabling the set-group-ID permission bit). Advisory locks are not enforced and are useful only between diff --git a/man2/mount.2 b/man2/mount.2 index e5d746da9..8c98da9c0 100644 --- a/man2/mount.2 +++ b/man2/mount.2 @@ -138,10 +138,10 @@ Do not allow programs to be executed from this file system. .\" users cannot execute files uploaded using ftp or so.) .TP .B MS_NOSUID -Do not honour set-UID and set-GID bits when executing +Do not honour set-user-ID and set-group-ID bits when executing programs from this file system. -.\" (This is a security feature to prevent users executing set-UID and -.\" set-GID programs from removable disk devices.) +.\" (This is a security feature to prevent users executing set-user-ID and +.\" set-group-ID programs from removable disk devices.) .TP .B MS_RDONLY Mount file system read-only. @@ -348,13 +348,13 @@ in more than one place, so specifying the device does not suffice). The original MS_SYNC flag was renamed MS_SYNCHRONOUS in 1.1.69 when a different MS_SYNC was added to . .LP -Before Linux 2.4 an attempt to execute a set-UID or set-GID program +Before Linux 2.4 an attempt to execute a set-user-ID or set-group-ID program on a filesystem mounted with .B MS_NOSUID would fail with .BR EPERM . -Since Linux 2.4 the set-UID and set-GID bits are just silently ignored -in this case. +Since Linux 2.4 the set-user-ID and set-group-ID bits are +just silently ignored in this case. .\" The change is in patch-2.4.0-prerelease. .SH "SEE ALSO" .BR path_resolution (2), diff --git a/man2/prctl.2 b/man2/prctl.2 index 636381caa..41feedf6e 100644 --- a/man2/prctl.2 +++ b/man2/prctl.2 @@ -64,8 +64,8 @@ Set the state of the flag determining whether core dumps are produced for this process upon delivery of a signal whose default behaviour is to produce a core dump. (Normally this flag is set for a process by default, but it is cleared -when a set-UID or set-GID program is executed and also by various system -calls that manipulate process UIDs and GIDs). +when a set-user-ID or set-group-ID program is executed and also by +various system calls that manipulate process UIDs and GIDs). .I arg2 must be either 0 (process is not dumpable) or 1 (process is dumpable). .TP diff --git a/man2/ptrace.2 b/man2/ptrace.2 index 99cbca52f..169a7bfaf 100644 --- a/man2/ptrace.2 +++ b/man2/ptrace.2 @@ -248,8 +248,9 @@ The specified process cannot be traced. This could be because the parent has insufficient privileges (the required capability is .BR CAP_SYS_PTRACE ); non-root processes cannot trace processes that they -cannot send signals to or those running setuid/setgid programs, for obvious -reasons. Alternatively, the process may already be being traced, or be +cannot send signals to or those running set-user-ID/set-group-ID programs, +for obvious reasons. +Alternatively, the process may already be being traced, or be .BR init (pid 1). .TP diff --git a/man2/setgid.2 b/man2/setgid.2 index 0a19c9388..10a70df43 100644 --- a/man2/setgid.2 +++ b/man2/setgid.2 @@ -41,7 +41,8 @@ superuser, the real and saved group ID's are also set. Under Linux, .B setgid is implemented like the POSIX version with the _POSIX_SAVED_IDS feature. -This allows a setgid program that is not suid root to drop all of its group +This allows a set-group-ID program that is not set-user-ID-root root +to drop all of its group privileges, do some un-privileged work, and then re-engage the original effective group ID in a secure manner. .SH "RETURN VALUE" diff --git a/man2/setuid.2 b/man2/setuid.2 index e7266b1fe..2e066fa95 100644 --- a/man2/setuid.2 +++ b/man2/setuid.2 @@ -43,11 +43,11 @@ the real and saved user ID's are also set. Under Linux, .B setuid is implemented like the POSIX version with the _POSIX_SAVED_IDS feature. -This allows a setuid (other than root) program to drop all of its user +This allows a set-user-ID (other than root) program to drop all of its user privileges, do some un-privileged work, and then re-engage the original effective user ID in a secure manner. .PP -If the user is root or the program is setuid root, special care must be +If the user is root or the program is set-user-ID-root, special care must be taken. The .B setuid function checks the effective user ID of the caller and if it is @@ -56,7 +56,7 @@ the superuser, all process related user ID's are set to After this has occurred, it is impossible for the program to regain root privileges. .PP -Thus, a setuid-root program wishing to temporarily drop root +Thus, a set-user-ID-root program wishing to temporarily drop root privileges, assume the identity of a non-root user, and then regain root privileges afterwards cannot use .BR setuid . diff --git a/man2/statvfs.2 b/man2/statvfs.2 index bd0c16eee..bcaeef231 100644 --- a/man2/statvfs.2 +++ b/man2/statvfs.2 @@ -80,7 +80,7 @@ Bits defined by POSIX are Read-only file system. .TP .B ST_NOSUID -Setuid/setgid bits are ignored by +Set-user-ID/set-group-ID bits are ignored by .BR exec (2). .LP diff --git a/man2/truncate.2 b/man2/truncate.2 index 6abdaa84b..cd30ce64f 100644 --- a/man2/truncate.2 +++ b/man2/truncate.2 @@ -69,7 +69,8 @@ the extended part reads as zero bytes. The file pointer is not changed. .LP If the size changed, then the ctime and mtime fields for the file -are updated, and suid and sgid mode bits may be cleared. +are updated, +and set-user-ID and set-group-ID permission bits may be cleared. .LP With .BR ftruncate , diff --git a/man3/dlopen.3 b/man3/dlopen.3 index 09f1c1f86..722ee00f9 100644 --- a/man3/dlopen.3 +++ b/man3/dlopen.3 @@ -88,8 +88,8 @@ If the environment variable .BR LD_LIBRARY_PATH is defined to contain a colon-separated list of directories, then these are searched. -(As a security measure this variable is ignored for set-UID and -set-GID programs.) +(As a security measure this variable is ignored for set-user-ID and +set-group-ID programs.) .IP o (ELF only) If the executable file for the calling program contains a DT_RUNPATH tag, then the directories listed in that tag diff --git a/man3/getlogin.3 b/man3/getlogin.3 index 83d06da4a..385b97765 100644 --- a/man3/getlogin.3 +++ b/man3/getlogin.3 @@ -64,7 +64,7 @@ declared in \fBstdio.h\fP. .PP These functions let your program identify positively the user who is running (\fBcuserid\fP) or the user who logged in this session -(\fBgetlogin\fP). (These can differ when setuid programs are +(\fBgetlogin\fP). (These can differ when set-user-ID programs are involved.) .PP For most purposes, it is more useful to use the environment variable diff --git a/man3/grantpt.3 b/man3/grantpt.3 index 0362659bf..fc81c2a74 100644 --- a/man3/grantpt.3 +++ b/man3/grantpt.3 @@ -50,7 +50,7 @@ POSIX 1003.1-2001 .SH NOTES This is part of the Unix98 pty support, see .BR pts (4). -Many systems implement this function via a setuid helper binary +Many systems implement this function via a set-user-ID helper binary called "pt_chown". With Linux devpts no such helper binary is required. .SH "SEE ALSO" .BR open (2), diff --git a/man3/system.3 b/man3/system.3 index 4996413ee..d1d0d886e 100644 --- a/man3/system.3 +++ b/man3/system.3 @@ -103,7 +103,7 @@ to check the exit status of the child. E.g. .PP Do not use .BR system () -from a program with set-UID or set-GID privileges, +from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity. Use the @@ -113,8 +113,8 @@ family of functions instead, but not or .BR execvp (3). .BR system () -will not, in fact, work properly from programs with set-UID or set-GID -privileges on systems on which +will not, in fact, work properly from programs with set-user-ID or +set-group-ID privileges on systems on which .I /bin/sh is bash version 2, since bash 2 drops privileges on startup. (Debian uses a modified bash which does not do this when invoked as diff --git a/man3/tempnam.3 b/man3/tempnam.3 index b200cf324..fefb4d76e 100644 --- a/man3/tempnam.3 +++ b/man3/tempnam.3 @@ -67,7 +67,7 @@ Allocation of storage failed. .LP .SH NOTES SUSv2 does not mention the use of TMPDIR; glibc will use it only -when the program is not suid. +when the program is not set-user-ID. SVID2 specifies that the directory used under (iv) is .IR /tmp . SVID2 specifies that the string returned by diff --git a/man7/capabilities.7 b/man7/capabilities.7 index 7ab9f21de..16887e6a6 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -272,7 +272,7 @@ the capabilities that the process may assume (i.e., a limiting superset for the effective and inheritable sets). If a process drops a capability from its permitted set, it can never re-acquire that capability (unless it execs a -set-UID-root program). +set-user-ID-root program). .TP .IR inheritable : the capabilities preserved across an @@ -281,7 +281,7 @@ the capabilities preserved across an In the current implementation, a process is granted all permitted and effective capabilities (subject to the operation of the capability bounding set described below) -when it execs a set-UID-root program, +when it execs a set-user-ID-root program, or if a process with a real UID of zero execs a new program. .PP A child created via @@ -360,12 +360,12 @@ support file capability sets, during an exec: .IP 1. 4 All three file capability sets are initially assumed to be cleared. .IP 2. 4 -If a set-UID-root program is being execed, +If a set-user-ID-root program is being execed, or the real user ID of the process is 0 (root) then the file allowed and forced sets are defined to be all ones (i.e., all capabilities set). .IP 3. 4 -If a set-UID-root program is being executed, +If a set-user-ID-root program is being executed, then the file effective set is defined to be all ones. .PP During an exec, the kernel calculates the new capabilities of diff --git a/man7/pthreads.7 b/man7/pthreads.7 index 895edc9d3..e37afd8e5 100644 --- a/man7/pthreads.7 +++ b/man7/pthreads.7 @@ -191,7 +191,7 @@ However, the resulting process has the same PID as the thread that called it should have the same PID as the main thread. .IP \- 3 Threads do not share user and group IDs. -This can cause complications with set-UID programs and +This can cause complications with set-user-ID programs and can cause failures in Pthreads functions if an application changes its credentials using .BR seteuid (2) diff --git a/man8/ld.so.8 b/man8/ld.so.8 index 1e9a7dc46..c4aafe35a 100644 --- a/man8/ld.so.8 +++ b/man8/ld.so.8 @@ -39,8 +39,8 @@ Use of DT_RPATH is deprecated. .IP o Using the environment variable .BR LD_LIBRARY_PATH . -Except if the executable is a setuid/setgid binary, in which case it -is ignored. +Except if the executable is a set-user-ID/set-group-ID binary, +in which case it is ignored. .IP o (ELF only) Using the DT_RUNPATH dynamic section attribute of the binary if present. @@ -103,8 +103,9 @@ environment variable. A whitespace-separated list of additional, user-specified, ELF shared libraries to be loaded before all others. This can be used to selectively override functions in other shared libraries. -For setuid/setgid ELF binaries, only libraries in the standard search -directories that are also setuid will be loaded. +For set-user-ID/set-group-ID ELF binaries, +only libraries in the standard search +directories that are also set-user-ID will be loaded. .TP .B LD_BIND_NOW (libc5; glibc since 2.1.1) @@ -152,7 +153,7 @@ environment variable. File where .B LD_DEBUG output should be fed into, default is standard output. -LD_DEBUG_OUTPUT is ignored for setuid/setgid binaries. +LD_DEBUG_OUTPUT is ignored for set-user-ID/set-group-ID binaries. .TP .B LD_VERBOSE (glibc since 2.1) @@ -174,7 +175,7 @@ Shared object to be profiled. File where .B LD_PROFILE output should be stored, default is standard output. -LD_DEBUG_OUTPUT is ignored for setuid/setgid binaries. +LD_DEBUG_OUTPUT is ignored for set-user-ID/set-group-ID binaries. .TP .B LD_AOUT_LIBRARY_PATH (libc5) @@ -196,7 +197,7 @@ Mask for hardware capabilities. .TP .B LD_ORIGIN_PATH (glibc since 2.1) -Path where the binary is found (for non-setuid programs). +Path where the binary is found (for non-set-user-ID programs). .TP .B LD_DYNAMIC_WEAK (glibc since 2.1.91)