mirror of https://github.com/mkerrisk/man-pages
.\" Copyright (C), 1994, Graeme W. Wilford (Wilf).
.\" and Copyright (C) 2010, 2014, 2015, Michael Kerrisk <mtk.manpages@gmail.com>
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date. The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein. The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.\" Fri Jul 29th 12:56:44 BST 1994 Wilf. <G.Wilford@ee.surrey.ac.uk>
.\" Changes inspired by patch from Richard Kettlewell
.\" <richard@greenend.org.uk>, aeb 970616.
.\" Modified, 27 May 2004, Michael Kerrisk <mtk.manpages@gmail.com>
.\" Added notes on capability requirements
.TH SETUID 2 2021-03-22 "Linux" "Linux Programmer's Manual"
.SH NAME
setuid \- set user identity
.SH SYNOPSIS
.nf
.B #include <unistd.h>
.PP
.BI "int setuid(uid_t " uid );
.fi
.SH DESCRIPTION
.BR setuid ()
sets the effective user ID of the calling process.
If the calling process is privileged
(more precisely: if the process has the
.BR CAP_SETUID
capability in its user namespace),
the real UID and saved set-user-ID are also set.
.PP
Under Linux,
.BR setuid ()
is implemented like the POSIX version with the
.B _POSIX_SAVED_IDS
feature.
This allows a set-user-ID (other than root) program to drop all of its user
privileges, do some unprivileged work, and then reengage the original
effective user ID in a secure manner.
.PP
If the user is root or the program is set-user-ID-root, special care must be
taken:
.BR setuid ()
checks the effective user ID of the caller and if it is
the superuser, all process-related user IDs are set to
.IR uid .
After this has occurred, it is impossible for the program to regain root
privileges.
.PP
Thus, a set-user-ID-root program wishing to temporarily drop root
privileges, assume the identity of an unprivileged user, and then regain
root privileges afterward cannot use
.BR setuid ().
You can accomplish this with
.BR seteuid (2).
.SH RETURN VALUE
On success, zero is returned.
On error, \-1 is returned, and
.I errno
is set to indicate the error.
.PP
.IR Note :
there are cases where
.BR setuid ()
can fail even when the caller is UID 0;
it is a grave security error to omit checking for a failure return from
.BR setuid ().
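.PP
The following C program is an added example, not part of the original manual page: it switches to the real UID, checks the return value of setuid() as the note above requires, and then verifies that the old effective UID cannot be taken back.
The function name drop_uid_permanently() is hypothetical, and the example assumes that the group ID and supplementary groups were already dropped while the process was still privileged.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Added example (not from the man page): switch to `target` and prove
 * that the switch cannot be undone. Returns 0 on success, -1 if the
 * caller must abort. Assumption: GID and supplementary groups were
 * dropped earlier, while the process was still privileged.
 */
int drop_uid_permanently(uid_t target)
{
    uid_t old_euid = geteuid();

    /* setuid() can fail even for UID 0 (EAGAIN, EINVAL): never ignore it. */
    if (setuid(target) == -1) {
        perror("setuid");
        return -1;
    }

    /* Real and effective UID must both be the target now. */
    if (getuid() != target || geteuid() != target)
        return -1;

    /*
     * If the old effective UID differs from the target, try to take it
     * back. Success means the saved set-user-ID still holds it (the
     * caller lacked CAP_SETUID), so the drop was only temporary.
     */
    if (old_euid != target && setuid(old_euid) == 0)
        return -1;

    return 0;
}

int main(void)
{
    /* Typical use in a set-user-ID-root program: become the invoking user. */
    if (drop_uid_permanently(getuid()) == -1) {
        fprintf(stderr, "privilege drop failed, aborting\n");
        return EXIT_FAILURE;
    }
    printf("running as uid %ld\n", (long)getuid());
    return EXIT_SUCCESS;
}
```

In a set-user-ID program owned by a non-root user, the function returns \-1 because the saved set-user-ID lets the old effective UID be reengaged, which is the behavior DESCRIPTION attributes to _POSIX_SAVED_IDS.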
.SH ERRORS
.TP
.B EAGAIN
The call would change the caller's real UID (i.e.,
.I uid
does not match the caller's real UID),
but there was a temporary failure allocating the
necessary kernel data structures.
.TP
.B EAGAIN
.I uid
does not match the real user ID of the caller and this call would
bring the number of processes belonging to the real user ID
.I uid
over the caller's
.B RLIMIT_NPROC
resource limit.
Since Linux 3.1, this error case no longer occurs
(but robust applications should check for this error);
see the description of
.B EAGAIN
in
.BR execve (2).
.TP
.B EINVAL
The user ID specified in
.I uid
is not valid in this user namespace.
.TP
.B EPERM
The user is not privileged (Linux: does not have the
.B CAP_SETUID
capability in its user namespace) and
.I uid
does not match the real UID or saved set-user-ID of the calling process.
.SH CONFORMING TO
POSIX.1-2001, POSIX.1-2008, SVr4.
Not quite compatible with the 4.4BSD call, which
sets all of the real, saved, and effective user IDs.
.\" SVr4 documents an additional EINVAL error condition.
.SH NOTES
Linux has the concept of the filesystem user ID, normally equal to the
effective user ID.
The
.BR setuid ()
call also sets the filesystem user ID of the calling process.
See
.BR setfsuid (2).
.PP
If
.I uid
is different from the old effective UID, the process will
be forbidden from leaving core dumps.
.PP
The original Linux
.BR setuid ()
system call supported only 16-bit user IDs.
Subsequently, Linux 2.4 added
.BR setuid32 ()
supporting 32-bit IDs.
The glibc
.BR setuid ()
wrapper function transparently deals with the variation across kernel versions.
.\"
.SS C library/kernel differences
At the kernel level, user IDs and group IDs are a per-thread attribute.
However, POSIX requires that all threads in a process
share the same credentials.
The NPTL threading implementation handles the POSIX requirements by
providing wrapper functions for
the various system calls that change process UIDs and GIDs.
These wrapper functions (including the one for
.BR setuid ())
employ a signal-based technique to ensure
that when one thread changes credentials,
all of the other threads in the process also change their credentials.
For details, see
.BR nptl (7).
.SH SEE ALSO
.BR getuid (2),
.BR seteuid (2),
.BR setfsuid (2),
.BR setreuid (2),
.BR capabilities (7),
.BR credentials (7),
.BR user_namespaces (7)