1.\" 2.\" SPDX-License-Identifier: BSD-2-Clause 3.\" 4.\" Copyright © 2024 The FreeBSD Foundation 5.\" 6.\" This documentation was written by Olivier Certner <olce.freebsd@certner.fr> 7.\" at Kumacom SARL under sponsorship from the FreeBSD Foundation. 8.\" 9.Dd August 29, 2025 10.Dt SETCRED 2 11.Os 12.Sh NAME 13.Nm setcred 14.Nd set current process credentials atomically 15.Sh LIBRARY 16.Lb libc 17.Sh SYNOPSIS 18.In sys/ucred.h 19.Ft int 20.Fn setcred "u_int flags" "const struct setcred *wcred" "size_t size" 21.Sh DESCRIPTION 22The 23.Fn setcred 24system call can set any combination of user-accessible credentials of the 25current process in an atomic manner. 26.Pp 27This system call is normally permitted only for processes having the ID of the 28super-user (0) as their effective user ID, or not at all if the 29.Xr sysctl 8 30variable 31.Va security.bsd.suser_enabled 32is zero or some active MAC policy specifically denies these processes. 33.Pp 34Some MAC policies, such as 35.Xr mac_do 4 , 36may also allow unprivileged users to call it successfully, possibly depending on 37the exact credentials transition requested, once again unless any active MAC 38policy specifically denies that. 39.Pp 40The 41.Fa flags 42argument serves to indicate which process credentials should be changed by the 43call. 44Allowed flags are: 45.Pp 46.Bl -tag -width "SETCREDF_SUPP_GROUPS " -compact 47.It Fa SETCREDF_UID 48Set the effective user ID. 49.It Fa SETCREDF_RUID 50Set the real user ID. 51.It Fa SETCREDF_SVUID 52Set the saved user ID. 53.It Fa SETCREDF_GID 54Set the effective group ID. 55.It Fa SETCREDF_RGID 56Set the real group ID. 57.It Fa SETCREDF_SVGID 58Set the saved group ID. 59.It Fa SETCREDF_SUPP_GROUPS 60Set the supplementary group list. 61.It Fa SETCREDF_MAC_LABEL 62Set the MAC label. 63.El 64.Pp 65The 66.Vt struct setcred 67structure is currently defined as: 68.Bd -literal 69struct setcred { 70 uid_t sc_uid; /* effective user id */ 71 uid_t sc_ruid; /* real user id */ 72 uid_t sc_svuid; /* saved user id */ 73 gid_t sc_gid; /* effective group id */ 74 gid_t sc_rgid; /* real group id */ 75 gid_t sc_svgid; /* saved group id */ 76 u_int sc_pad; /* padding, unused */ 77 u_int sc_supp_groups_nb; /* supplementary groups number */ 78 gid_t *sc_supp_groups; /* supplementary groups */ 79 struct mac *sc_label; /* MAC label */ 80}; 81.Ed 82.Pp 83Its fields are: 84.Pp 85.Bl -tag -width "sc_supp_groups_nb " -compact 86.It Fa sc_uid 87The ID to set the effective user to, if flag 88.Dv SETCREDF_UID 89is specified. 90.It Fa sc_ruid 91The ID to set the real user to, if flag 92.Dv SETCREDF_RUID 93is specified. 94.It Fa sc_svuid 95The ID to set the saved user to, if flag 96.Dv SETCREDF_SVUID 97is specified. 98.It Fa sc_gid 99The ID to set the effective group to, if flag 100.Dv SETCREDF_GID 101is specified. 102.It Fa sc_rgid 103The ID to set the real group to, if flag 104.Dv SETCREDF_RGID 105is specified. 106.It Fa sc_svgid 107The ID to set the saved group to, if flag 108.Dv SETCREDF_SVGID 109is specified. 110.It Fa sc_supp_groups_nb 111The size of array 112.Fa sc_supp_groups , 113if flag 114.Dv SETCREDF_SUPP_GROUPS 115is specified. 116It must be less than or equal to 117.Dv {NGROUPS_MAX} . 118.It Fa sc_supp_groups 119An array of IDs to set the supplementary groups to, if flag 120.Dv SETCREDF_SUPP_GROUPS 121is specified. 122.It Fa sc_label 123A pointer to a valid MAC label structure, e.g., built with the 124.Xr mac_from_text 3 125function, if flag 126.Dv SETCREDF_MAC_LABEL 127is specified. 128.El 129.Pp 130For forward compatibility and security reasons, it is recommended that users 131always initialize objects of type 132.Vt struct setcred 133with the provided initializer: 134.Dv SETCRED_INITIALIZER . 135.Pp 136The 137.Fa size 138argument must be the size of the passed 139.Fa wcred 140structure. 141.Sh RETURN VALUES 142.Rv -std 143.Sh ERRORS 144The 145.Fn setcred 146system call will fail if: 147.Bl -tag -width Er 148.It Bq Er EINVAL 149Unrecognized flags were passed in 150.Fa flags , 151or the 152.Fa size 153parameter does not match the size of 154.Vt struct setcred , 155or the field 156.Fa sc_supp_group_nb 157has a value strictly greater than 158.Dv {NGROUPS_MAX} 159.Po if flag 160.Dv SETCREDF_SUPP_GROUPS 161was supplied 162.Pc , 163or the MAC label pointed to by field 164.Fa sc_label 165is invalid 166.Po if flag 167.Dv SETCREDF_MAC_LABEL 168was supplied 169.Pc . 170.It Bq Er EFAULT 171The 172.Fa wcred 173pointer, or pointers in fields 174.Fa sc_supp_groups 175.Po if flag 176.Dv SETCREDF_SUPP_GROUPS 177was supplied 178.Pc 179or 180.Fa sc_label 181.Po if flag 182.Dv SETCREDF_MAC_LABEL 183was supplied 184.Pc 185point to invalid locations. 186.It Bq Er EPERM 187The user is not the super-user and/or the requested credentials transition is 188not allowed by the system or MAC modules. 189.It Bq Er EOPNOTSUPP 190Some of the requested credentials have a type that the system does not support. 191This currently can occur only if the kernel has been compiled without MAC and 192.Dv SETCREDF_MAC_LABEL 193has been passed. 194.El 195.Sh SEE ALSO 196.Xr issetugid 2 , 197.Xr setregid 2 , 198.Xr setreuid 2 , 199.Xr setuid 2 , 200.Xr mac_text 3 , 201.Xr mac 4 , 202.Xr mac_do 4 , 203.Xr maclabel 7 204.Sh STANDARDS 205The 206.Fn setcred 207system call is specific to 208.Fx . 209.Pp 210A call to 211.Fn setcred 212usually changes process credentials that are listed by POSIX/SUS standards. 213The changed values then produce the effects with respect to the rest of the 214system that are described in these standards, as if these changes had resulted 215from calling standard or traditional credentials-setting functions. 216Currently, all flags but 217.Dv SETCREDF_MAC_LABEL 218lead to modifying standard credentials. 219.Pp 220The only differences in using 221.Fn setcred 222to change standard credentials instead of standard or traditional functions are: 223.Pp 224.Bl -bullet -compact 225.It 226All requested changes are performed atomically. 227.It 228Only the super-user or an unprivileged user authorized by some MAC module can 229successfully call 230.Fn setcred , 231even if the standard system calls would have authorized any unprivileged user to 232effect the same changes. 233For example, 234.Fn seteuid 235allows any unprivileged user to change the effective user ID to either the real 236or saved ones, while 237.Fn setcred 238called with flag 239.Dv SETCREDF_UID 240does not. 241.El 242.Sh HISTORY 243The 244.Fn setcred 245system call appeared in 246.Fx 14.3 . 247.Pp 248Traditionally in UNIX, all credential changes beyond shuffles of effective, real 249and saved IDs have been done by setuid binaries that successively call multiple 250credentials-setting system calls and in a specific order. 251For example, to change all user IDs to that of some unprivileged user, 252.Fn setuid 253must be called last so that all other credentials-changing calls can be 254performed successfully beforehand, as they require super-user privileges. 255.Pp 256This piecewise approach causes such a process to transiently hold high privilege 257credentials that are neither the original nor necessarily the desired final 258ones. 259Besides opening a transition window where possible vulnerabilities could have 260catastrophic consequences, it makes it impossible for the kernel to enforce that 261only certain transitions of credentials are allowed. 262.Pp 263The necessity of an atomic, global approach to changing credentials clearly 264appeared while working on extending 265.Xr mac_do 4 266to allow rules to authorize only specific changes of primary or supplementary 267groups, which prompted the addition of 268.Fn setcred . 269.Sh AUTHORS 270The 271.Fn setcred 272system call and this manual page were written by 273.An Olivier Certner Aq Mt olce.freebsd@certner.fr . 274.Sh SECURITY CONSIDERATIONS 275The same considerations as those of standard or traditional credentials-setting 276system calls apply to 277.Fn setcred , 278except for the lack of atomicity of successive such calls. 279.Pp 280In particular, please consult section 281.Sy SECURITY CONSIDERATIONS 282of the 283.Xr setuid 2 284manual page about the absence of effect of changing standard credentials on 285already open files. 286