xref: /freebsd/lib/libsys/setcred.2 (revision 05427f4639bcf2703329a9be9d25ec09bb782742)
1.\"
2.\" SPDX-License-Identifier: BSD-2-Clause
3.\"
4.\" Copyright © 2024 The FreeBSD Foundation
5.\"
6.\" This documentation was written by Olivier Certner <olce.freebsd@certner.fr>
7.\" at Kumacom SARL under sponsorship from the FreeBSD Foundation.
8.\"
9.Dd December 19, 2024
10.Dt SETCRED 2
11.Os
12.Sh NAME
13.Nm setcred
14.Nd set current process credentials atomically
15.Sh LIBRARY
16.Lb libc
17.Sh SYNOPSIS
18.In sys/ucred.h
19.Ft int
20.Fn setcred "u_int flags" "const struct setcred *wcred" "size_t size"
21.Sh DESCRIPTION
22The
23.Fn setcred
24system call can set any combination of user-accessible credentials of the
25current process in an atomic manner.
26.Pp
27This system call is normally permitted only for processes having the ID of the
28super-user (0) as their effective user ID, or not at all if the
29.Xr sysctl 8
30variable
31.Va security.bsd.suser_enabled
32is zero or some active MAC policy specifically denies these processes.
33.Pp
34Some MAC policies, such as
35.Xr mac_do 4 ,
36may also allow unprivileged users to call it successfully, possibly depending on
37the exact credentials transition requested, once again unless any active MAC
38policy specifically denies that.
39.Pp
40The
41.Fa flags
42argument serves to indicate which process credentials should be changed by the
43call.
44Allowed flags are:
45.Pp
46.Bl -tag -width "SETCREDF_SUPP_GROUPS   " -compact
47.It Fa SETCREDF_UID
48Set the effective user ID.
49.It Fa SETCREDF_RUID
50Set the real user ID.
51.It Fa SETCREDF_SVUID
52Set the saved user ID.
53.It Fa SETCREDF_GID
54Set the effective group ID.
55.It Fa SETCREDF_RGID
56Set the real group ID.
57.It Fa SETCREDF_SVGID
58Set the saved group ID.
59.It Fa SETCREDF_SUPP_GROUPS
60Set the supplementary group list.
61.It Fa SETCREDF_MAC_LABEL
62Set the MAC label.
63.El
64.Pp
65The
66.Vt struct setcred
67structure is currently defined as:
68.Bd -literal
69struct setcred {
70	uid_t	 sc_uid;		/* effective user id */
71	uid_t	 sc_ruid;		/* real user id */
72	uid_t	 sc_svuid;		/* saved user id */
73	gid_t	 sc_gid;		/* effective group id */
74	gid_t	 sc_rgid;		/* real group id */
75	gid_t	 sc_svgid;		/* saved group id */
76	u_int	 sc_pad;		/* padding, unused */
77	u_int	 sc_supp_groups_nb;	/* supplementary groups number */
78	gid_t	*sc_supp_groups;	/* supplementary groups */
79	struct mac *sc_label;		/* MAC label */
80};
81.Ed
82.Pp
83Its fields are:
84.Pp
85.Bl -tag -width "sc_supp_groups_nb   " -compact
86.It Fa sc_uid
87The ID to set the effective user to, if flag
88.Dv SETCREDF_UID
89is specified.
90.It Fa sc_ruid
91The ID to set the real user to, if flag
92.Dv SETCREDF_RUID
93is specified.
94.It Fa sc_svuid
95The ID to set the saved user to, if flag
96.Dv SETCREDF_SVUID
97is specified.
98.It Fa sc_gid
99The ID to set the effective group to, if flag
100.Dv SETCREDF_GID
101is specified.
102.It Fa sc_rgid
103The ID to set the real group to, if flag
104.Dv SETCREDF_RGID
105is specified.
106.It Fa sc_svgid
107The ID to set the saved group to, if flag
108.Dv SETCREDF_SVGID
109is specified.
110.It Fa sc_supp_groups_nb
111The size of array
112.Fa sc_supp_groups ,
113if flag
114.Dv SETCREDF_SUPP_GROUPS
115is specified.
116It must be less than or equal to
117.Dv {NGROUPS_MAX} .
118.It Fa sc_supp_groups
119An array of IDs to set the supplementary groups to, if flag
120.Dv SETCREDF_SUPP_GROUPS
121is specified.
122Note that all groups in this array will be set as supplementary groups only, in
123contrast to
124.Xr setgroups 2
125which treats the first element specially as the new effective group, not adding
126it to supplementary groups.
127.It Fa sc_label
128A pointer to a valid MAC label structure, e.g., built with the
129.Xr mac_from_text 3
130function, if flag
131.Dv SETCREDF_MAC_LABEL
132is specified.
133.El
134.Pp
135For forward compatibility and security reasons, it is recommended that users
136always initialize objects of type
137.Vt struct setcred
138with the provided initializer:
139.Dv SETCRED_INITIALIZER .
140.Pp
141The
142.Fa size
143argument must be the size of the passed
144.Fa wcred
145structure.
146.Sh RETURN VALUES
147.Rv -std
148.Sh ERRORS
149The
150.Fn setcred
151system call will fail if:
152.Bl -tag -width Er
153.It Bq Er EINVAL
154Unrecognized flags were passed in
155.Fa flags ,
156or the
157.Fa size
158parameter does not match the size of
159.Vt struct setcred ,
160or the field
161.Fa sc_supp_group_nb
162has a value strictly greater than
163.Dv {NGROUPS_MAX}
164.Po if flag
165.Dv SETCREDF_SUPP_GROUPS
166was supplied
167.Pc ,
168or the MAC label pointed to by field
169.Fa sc_label
170is invalid
171.Po if flag
172.Dv SETCREDF_MAC_LABEL
173was supplied
174.Pc .
175.It Bq Er EFAULT
176The
177.Fa wcred
178pointer, or pointers in fields
179.Fa sc_supp_groups
180.Po if flag
181.Dv SETCREDF_SUPP_GROUPS
182was supplied
183.Pc
184or
185.Fa sc_label
186.Po if flag
187.Dv SETCREDF_MAC_LABEL
188was supplied
189.Pc
190point to invalid locations.
191.It Bq Er EPERM
192The user is not the super-user and/or the requested credentials transition is
193not allowed by the system or MAC modules.
194.It Bq Er EOPNOTSUPP
195Some of the requested credentials have a type that the system does not support.
196This currently can occur only if the kernel has been compiled without MAC and
197.Dv SETCREDF_MAC_LABEL
198has been passed.
199.El
200.Sh SEE ALSO
201.Xr issetugid 2 ,
202.Xr setregid 2 ,
203.Xr setreuid 2 ,
204.Xr setuid 2 ,
205.Xr mac_text 3 ,
206.Xr mac 4 ,
207.Xr mac_do 4 ,
208.Xr maclabel 7
209.Sh STANDARDS
210The
211.Fn setcred
212system call is specific to
213.Fx .
214.Pp
215A call to
216.Fn setcred
217usually changes process credentials that are listed by POSIX/SUS standards.
218The changed values then produce the effects with respect to the rest of the
219system that are described in these standards, as if these changes had resulted
220from calling standard or traditional credentials-setting functions.
221Currently, all flags but
222.Dv SETCREDF_MAC_LABEL
223lead to modifying standard credentials.
224.Pp
225The only differences in using
226.Fn setcred
227to change standard credentials instead of standard or traditional functions are:
228.Pp
229.Bl -bullet -compact
230.It
231All requested changes are performed atomically.
232.It
233Only the super-user or an unprivileged user authorized by some MAC module can
234successfully call
235.Fn setcred ,
236even if the standard system calls would have authorized any unprivileged user to
237effect the same changes.
238For example,
239.Fn seteuid
240allows any unprivileged user to change the effective user ID to either the real
241or saved ones, while
242.Fn setcred
243called with flag
244.Dv SETCREDF_UID
245does not.
246.El
247.Sh HISTORY
248The
249.Fn setcred
250system call appeared in
251.Fx 15.0 .
252.Pp
253Traditionally in UNIX, all credential changes beyond shuffles of effective, real
254and saved IDs have been done by setuid binaries that successively call multiple
255credentials-setting system calls and in a specific order.
256For example, to change all user IDs to that of some unprivileged user,
257.Fn setuid
258must be called last so that all other credentials-changing calls can be
259performed successfully beforehand, as they require super-user privileges.
260.Pp
261This piecewise approach causes such a process to transiently hold high privilege
262credentials that are neither the original nor necessarily the desired final
263ones.
264Besides opening a transition window where possible vulnerabilities could have
265catastrophic consequences, it makes it impossible for the kernel to enforce that
266only certain transitions of credentials are allowed.
267.Pp
268The necessity of an atomic, global approach to changing credentials clearly
269appeared while working on extending
270.Xr mac_do 4
271to allow rules to authorize only specific changes of primary or supplementary
272groups, which prompted the addition of
273.Fn setcred .
274.Sh AUTHORS
275The
276.Fn setcred
277system call and this manual page were written by
278.An Olivier Certner Aq Mt olce.freebsd@certner.fr .
279.Sh SECURITY CONSIDERATIONS
280The same considerations as those of standard or traditional credentials-setting
281system calls apply to
282.Fn setcred ,
283except for the lack of atomicity of successive such calls.
284.Pp
285In particular, please consult section
286.Sy SECURITY CONSIDERATIONS
287of the
288.Xr setuid 2
289manual page about the absence of effect of changing standard credentials on
290already open files.
291