1.\" 2.\" SPDX-License-Identifier: BSD-2-Clause 3.\" 4.\" Copyright © 2024 The FreeBSD Foundation 5.\" 6.\" This documentation was written by Olivier Certner <olce.freebsd@certner.fr> 7.\" at Kumacom SARL under sponsorship from the FreeBSD Foundation. 8.\" 9.Dd December 19, 2024 10.Dt SETCRED 2 11.Os 12.Sh NAME 13.Nm setcred 14.Nd set current process credentials atomically 15.Sh LIBRARY 16.Lb libc 17.Sh SYNOPSIS 18.In sys/ucred.h 19.Ft int 20.Fn setcred "u_int flags" "const struct setcred *wcred" "size_t size" 21.Sh DESCRIPTION 22The 23.Fn setcred 24system call can set any combination of user-accessible credentials of the 25current process in an atomic manner. 26.Pp 27This system call is normally permitted only for processes having the ID of the 28super-user (0) as their effective user ID, or not at all if the 29.Xr sysctl 8 30variable 31.Va security.bsd.suser_enabled 32is zero or some active MAC policy specifically denies these processes. 33.Pp 34Some MAC policies, such as 35.Xr mac_do 4 , 36may also allow unprivileged users to call it successfully, possibly depending on 37the exact credentials transition requested, once again unless any active MAC 38policy specifically denies that. 39.Pp 40The 41.Fa flags 42argument serves to indicate which process credentials should be changed by the 43call. 44Allowed flags are: 45.Pp 46.Bl -tag -width "SETCREDF_SUPP_GROUPS " -compact 47.It Fa SETCREDF_UID 48Set the effective user ID. 49.It Fa SETCREDF_RUID 50Set the real user ID. 51.It Fa SETCREDF_SVUID 52Set the saved user ID. 53.It Fa SETCREDF_GID 54Set the effective group ID. 55.It Fa SETCREDF_RGID 56Set the real group ID. 57.It Fa SETCREDF_SVGID 58Set the saved group ID. 59.It Fa SETCREDF_SUPP_GROUPS 60Set the supplementary group list. 61.It Fa SETCREDF_MAC_LABEL 62Set the MAC label. 63.El 64.Pp 65The 66.Vt struct setcred 67structure is currently defined as: 68.Bd -literal 69struct setcred { 70 uid_t sc_uid; /* effective user id */ 71 uid_t sc_ruid; /* real user id */ 72 uid_t sc_svuid; /* saved user id */ 73 gid_t sc_gid; /* effective group id */ 74 gid_t sc_rgid; /* real group id */ 75 gid_t sc_svgid; /* saved group id */ 76 u_int sc_pad; /* padding, unused */ 77 u_int sc_supp_groups_nb; /* supplementary groups number */ 78 gid_t *sc_supp_groups; /* supplementary groups */ 79 struct mac *sc_label; /* MAC label */ 80}; 81.Ed 82.Pp 83Its fields are: 84.Pp 85.Bl -tag -width "sc_supp_groups_nb " -compact 86.It Fa sc_uid 87The ID to set the effective user to, if flag 88.Dv SETCREDF_UID 89is specified. 90.It Fa sc_ruid 91The ID to set the real user to, if flag 92.Dv SETCREDF_RUID 93is specified. 94.It Fa sc_svuid 95The ID to set the saved user to, if flag 96.Dv SETCREDF_SVUID 97is specified. 98.It Fa sc_gid 99The ID to set the effective group to, if flag 100.Dv SETCREDF_GID 101is specified. 102.It Fa sc_rgid 103The ID to set the real group to, if flag 104.Dv SETCREDF_RGID 105is specified. 106.It Fa sc_svgid 107The ID to set the saved group to, if flag 108.Dv SETCREDF_SVGID 109is specified. 110.It Fa sc_supp_groups_nb 111The size of array 112.Fa sc_supp_groups , 113if flag 114.Dv SETCREDF_SUPP_GROUPS 115is specified. 116It must be less than or equal to 117.Dv {NGROUPS_MAX} . 118.It Fa sc_supp_groups 119An array of IDs to set the supplementary groups to, if flag 120.Dv SETCREDF_SUPP_GROUPS 121is specified. 122Note that all groups in this array will be set as supplementary groups only, in 123contrast to 124.Xr setgroups 2 125which treats the first element specially as the new effective group, not adding 126it to supplementary groups. 127.It Fa sc_label 128A pointer to a valid MAC label structure, e.g., built with the 129.Xr mac_from_text 3 130function, if flag 131.Dv SETCREDF_MAC_LABEL 132is specified. 133.El 134.Pp 135For forward compatibility and security reasons, it is recommended that users 136always initialize objects of type 137.Vt struct setcred 138with the provided initializer: 139.Dv SETCRED_INITIALIZER . 140.Pp 141The 142.Fa size 143argument must be the size of the passed 144.Fa wcred 145structure. 146.Sh RETURN VALUES 147.Rv -std 148.Sh ERRORS 149The 150.Fn setcred 151system call will fail if: 152.Bl -tag -width Er 153.It Bq Er EINVAL 154Unrecognized flags were passed in 155.Fa flags , 156or the 157.Fa size 158parameter does not match the size of 159.Vt struct setcred , 160or the field 161.Fa sc_supp_group_nb 162has a value strictly greater than 163.Dv {NGROUPS_MAX} 164.Po if flag 165.Dv SETCREDF_SUPP_GROUPS 166was supplied 167.Pc , 168or the MAC label pointed to by field 169.Fa sc_label 170is invalid 171.Po if flag 172.Dv SETCREDF_MAC_LABEL 173was supplied 174.Pc . 175.It Bq Er EFAULT 176The 177.Fa wcred 178pointer, or pointers in fields 179.Fa sc_supp_groups 180.Po if flag 181.Dv SETCREDF_SUPP_GROUPS 182was supplied 183.Pc 184or 185.Fa sc_label 186.Po if flag 187.Dv SETCREDF_MAC_LABEL 188was supplied 189.Pc 190point to invalid locations. 191.It Bq Er EPERM 192The user is not the super-user and/or the requested credentials transition is 193not allowed by the system or MAC modules. 194.It Bq Er EOPNOTSUPP 195Some of the requested credentials have a type that the system does not support. 196This currently can occur only if the kernel has been compiled without MAC and 197.Dv SETCREDF_MAC_LABEL 198has been passed. 199.El 200.Sh SEE ALSO 201.Xr issetugid 2 , 202.Xr setregid 2 , 203.Xr setreuid 2 , 204.Xr setuid 2 , 205.Xr mac_text 3 , 206.Xr mac 4 , 207.Xr mac_do 4 , 208.Xr maclabel 7 209.Sh STANDARDS 210The 211.Fn setcred 212system call is specific to 213.Fx . 214.Pp 215A call to 216.Fn setcred 217usually changes process credentials that are listed by POSIX/SUS standards. 218The changed values then produce the effects with respect to the rest of the 219system that are described in these standards, as if these changes had resulted 220from calling standard or traditional credentials-setting functions. 221Currently, all flags but 222.Dv SETCREDF_MAC_LABEL 223lead to modifying standard credentials. 224.Pp 225The only differences in using 226.Fn setcred 227to change standard credentials instead of standard or traditional functions are: 228.Pp 229.Bl -bullet -compact 230.It 231All requested changes are performed atomically. 232.It 233Only the super-user or an unprivileged user authorized by some MAC module can 234successfully call 235.Fn setcred , 236even if the standard system calls would have authorized any unprivileged user to 237effect the same changes. 238For example, 239.Fn seteuid 240allows any unprivileged user to change the effective user ID to either the real 241or saved ones, while 242.Fn setcred 243called with flag 244.Dv SETCREDF_UID 245does not. 246.El 247.Sh HISTORY 248The 249.Fn setcred 250system call appeared in 251.Fx 15.0 . 252.Pp 253Traditionally in UNIX, all credential changes beyond shuffles of effective, real 254and saved IDs have been done by setuid binaries that successively call multiple 255credentials-setting system calls and in a specific order. 256For example, to change all user IDs to that of some unprivileged user, 257.Fn setuid 258must be called last so that all other credentials-changing calls can be 259performed successfully beforehand, as they require super-user privileges. 260.Pp 261This piecewise approach causes such a process to transiently hold high privilege 262credentials that are neither the original nor necessarily the desired final 263ones. 264Besides opening a transition window where possible vulnerabilities could have 265catastrophic consequences, it makes it impossible for the kernel to enforce that 266only certain transitions of credentials are allowed. 267.Pp 268The necessity of an atomic, global approach to changing credentials clearly 269appeared while working on extending 270.Xr mac_do 4 271to allow rules to authorize only specific changes of primary or supplementary 272groups, which prompted the addition of 273.Fn setcred . 274.Sh AUTHORS 275The 276.Fn setcred 277system call and this manual page were written by 278.An Olivier Certner Aq Mt olce.freebsd@certner.fr . 279.Sh SECURITY CONSIDERATIONS 280The same considerations as those of standard or traditional credentials-setting 281system calls apply to 282.Fn setcred , 283except for the lack of atomicity of successive such calls. 284.Pp 285In particular, please consult section 286.Sy SECURITY CONSIDERATIONS 287of the 288.Xr setuid 2 289manual page about the absence of effect of changing standard credentials on 290already open files. 291