14772483cSRuslan Ermilov.\" 24772483cSRuslan Ermilov.\" Copyright (C) 2001 Chad David <davidc@acns.ab.ca>. All rights reserved. 34772483cSRuslan Ermilov.\" 44772483cSRuslan Ermilov.\" Redistribution and use in source and binary forms, with or without 54772483cSRuslan Ermilov.\" modification, are permitted provided that the following conditions 64772483cSRuslan Ermilov.\" are met: 74772483cSRuslan Ermilov.\" 1. Redistributions of source code must retain the above copyright 84772483cSRuslan Ermilov.\" notice(s), this list of conditions and the following disclaimer as 94772483cSRuslan Ermilov.\" the first lines of this file unmodified other than the possible 104772483cSRuslan Ermilov.\" addition of one or more copyright notices. 114772483cSRuslan Ermilov.\" 2. Redistributions in binary form must reproduce the above copyright 124772483cSRuslan Ermilov.\" notice(s), this list of conditions and the following disclaimer in the 134772483cSRuslan Ermilov.\" documentation and/or other materials provided with the distribution. 144772483cSRuslan Ermilov.\" 154772483cSRuslan Ermilov.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY 164772483cSRuslan Ermilov.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 174772483cSRuslan Ermilov.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 184772483cSRuslan Ermilov.\" DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY 194772483cSRuslan Ermilov.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 204772483cSRuslan Ermilov.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 214772483cSRuslan Ermilov.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 224772483cSRuslan Ermilov.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 234772483cSRuslan Ermilov.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 244772483cSRuslan Ermilov.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 254772483cSRuslan Ermilov.\" DAMAGE. 264772483cSRuslan Ermilov.\" 27dab03110SBrooks Davis.Dd January 23, 2019 284772483cSRuslan Ermilov.Dt UCRED 9 294772483cSRuslan Ermilov.Os 304772483cSRuslan Ermilov.Sh NAME 314772483cSRuslan Ermilov.Nm ucred , 324772483cSRuslan Ermilov.Nm crget , 334772483cSRuslan Ermilov.Nm crhold , 344772483cSRuslan Ermilov.Nm crfree , 354772483cSRuslan Ermilov.Nm crcopy , 360db0f192SDima Dorfman.Nm crdup , 37dab03110SBrooks Davis.Nm cru2x 384772483cSRuslan Ermilov.Nd "functions related to user credentials" 394772483cSRuslan Ermilov.Sh SYNOPSIS 404772483cSRuslan Ermilov.In sys/param.h 414772483cSRuslan Ermilov.In sys/ucred.h 424772483cSRuslan Ermilov.Ft "struct ucred *" 434772483cSRuslan Ermilov.Fn crget void 44f16b3c0dSChad David.Ft "struct ucred *" 454772483cSRuslan Ermilov.Fn crhold "struct ucred *cr" 464772483cSRuslan Ermilov.Ft void 474772483cSRuslan Ermilov.Fn crfree "struct ucred *cr" 4857813e7fSRuslan Ermilov.Ft void 4957813e7fSRuslan Ermilov.Fn crcopy "struct ucred *dest" "struct ucred *src" 504772483cSRuslan Ermilov.Ft "struct ucred *" 51e8477da2SBrooks Davis.Fn crcopysafe "struct proc *p" "struct ucred *cr" 52e8477da2SBrooks Davis.Ft "struct ucred *" 534772483cSRuslan Ermilov.Fn crdup "struct ucred *cr" 540db0f192SDima Dorfman.Ft void 55e8477da2SBrooks Davis.Fn crsetgroups "struct ucred *cr" "int ngrp" "gid_t *groups" 56e8477da2SBrooks Davis.Ft void 570db0f192SDima Dorfman.Fn cru2x "struct ucred *cr" "struct xucred *xcr" 584772483cSRuslan Ermilov.Sh DESCRIPTION 594772483cSRuslan ErmilovThe 604772483cSRuslan Ermilov.Nm 614772483cSRuslan Ermilovfamily of functions is used to manage user credential structures 624772483cSRuslan Ermilov.Pq Vt "struct ucred" 634772483cSRuslan Ermilovwithin the kernel. 644772483cSRuslan Ermilov.Pp 654772483cSRuslan ErmilovThe 664772483cSRuslan Ermilov.Fn crget 674772483cSRuslan Ermilovfunction allocates memory 684772483cSRuslan Ermilovfor a new structure, sets its reference count to 1, and 694772483cSRuslan Ermilovinitializes its lock. 704772483cSRuslan Ermilov.Pp 714772483cSRuslan ErmilovThe 724772483cSRuslan Ermilov.Fn crhold 734772483cSRuslan Ermilovfunction increases the reference count on the credential. 744772483cSRuslan Ermilov.Pp 754772483cSRuslan ErmilovThe 764772483cSRuslan Ermilov.Fn crfree 774772483cSRuslan Ermilovfunction decreases the reference count on the credential. 784772483cSRuslan ErmilovIf the count drops to 0, the storage for the structure is freed. 794772483cSRuslan Ermilov.Pp 804772483cSRuslan ErmilovThe 814772483cSRuslan Ermilov.Fn crcopy 8257813e7fSRuslan Ermilovfunction copies the contents of the source (template) 8357813e7fSRuslan Ermilovcredential into the destination template. 8457813e7fSRuslan ErmilovThe 8557813e7fSRuslan Ermilov.Vt uidinfo 8657813e7fSRuslan Ermilovstructure within the destination is referenced 8757813e7fSRuslan Ermilovby calling 8857813e7fSRuslan Ermilov.Xr uihold 9 . 894772483cSRuslan Ermilov.Pp 904772483cSRuslan ErmilovThe 91e8477da2SBrooks Davis.Fn crcopysafe 92e8477da2SBrooks Davisfunction copies the current credential associated with the process 93e8477da2SBrooks Davis.Fa p 94e8477da2SBrooks Davisinto the newly allocated credential 95e8477da2SBrooks Davis.Fa cr . 96e8477da2SBrooks DavisThe process lock on 97e8477da2SBrooks Davis.Fa p 98e8477da2SBrooks Davismust be held and will be dropped and reacquired as needed to allocate 99e8477da2SBrooks Davisgroup storage space in 100e8477da2SBrooks Davis.Fa cr . 101e8477da2SBrooks Davis.Pp 102e8477da2SBrooks DavisThe 1034772483cSRuslan Ermilov.Fn crdup 10457813e7fSRuslan Ermilovfunction allocates memory for a new structure and copies the 10557813e7fSRuslan Ermilovcontents of 10657813e7fSRuslan Ermilov.Fa cr 10757813e7fSRuslan Ermilovinto it. 10857813e7fSRuslan ErmilovThe actual copying is performed by 10957813e7fSRuslan Ermilov.Fn crcopy . 1100db0f192SDima Dorfman.Pp 1110db0f192SDima DorfmanThe 112e8477da2SBrooks Davis.Fn crsetgroups 113e8477da2SBrooks Davisfunction sets the 114e8477da2SBrooks Davis.Va cr_groups 115e8477da2SBrooks Davisand 116e8477da2SBrooks Davis.Va cr_ngroups 117e8477da2SBrooks Davisvariables and allocates space as needed. 118e8477da2SBrooks DavisIt also truncates the group list to the current maximum number of 119e8477da2SBrooks Davisgroups. 120e8477da2SBrooks DavisNo other mechanism should be used to modify the 121e8477da2SBrooks Davis.Va cr_groups 122e8477da2SBrooks Davisarray except for updating the primary group via assignment to 123e8477da2SBrooks Davis.Va cr_groups[0] . 124e8477da2SBrooks Davis.Pp 125e8477da2SBrooks DavisThe 1260db0f192SDima Dorfman.Fn cru2x 1270db0f192SDima Dorfmanfunction converts a 1280db0f192SDima Dorfman.Vt ucred 1290db0f192SDima Dorfmanstructure to an 1300db0f192SDima Dorfman.Vt xucred 1310db0f192SDima Dorfmanstructure. 1320db0f192SDima DorfmanThat is, 1330db0f192SDima Dorfmanit copies data from 1340db0f192SDima Dorfman.Fa cr 1350db0f192SDima Dorfmanto 1360db0f192SDima Dorfman.Fa xcr ; 1370db0f192SDima Dorfmanit ignores fields in the former that are not present in the latter 1380db0f192SDima Dorfman(e.g., 1390db0f192SDima Dorfman.Va cr_uidinfo ) , 1400db0f192SDima Dorfmanand appropriately sets fields in the latter that are not present in 1410db0f192SDima Dorfmanthe former 1420db0f192SDima Dorfman(e.g., 1430db0f192SDima Dorfman.Va cr_version ) . 1444772483cSRuslan Ermilov.Sh RETURN VALUES 145e2eca5feSChad David.Fn crget , 146e8477da2SBrooks Davis.Fn crhold , 147e8477da2SBrooks Davis.Fn crdup , 148e2eca5feSChad Davidand 149e8477da2SBrooks Davis.Fn crcopysafe 150e2eca5feSChad Davidall return a pointer to a 1514772483cSRuslan Ermilov.Vt ucred 1524772483cSRuslan Ermilovstructure. 153b388e223SJulian Elischer.Sh USAGE NOTES 154fd3083e0SRobert WatsonAs of 155fd3083e0SRobert Watson.Fx 5.0 , 156fd3083e0SRobert Watsonthe 157b388e223SJulian Elischer.Vt ucred 158fd3083e0SRobert Watsonstructure contains extensible fields. 159fd3083e0SRobert WatsonThis means that the correct protocol must always be followed to create 160fd3083e0SRobert Watsona fresh and writable credential structure: new credentials must always 161fd3083e0SRobert Watsonbe derived from existing credentials using 162e8477da2SBrooks Davis.Fn crget , 163e8477da2SBrooks Davis.Fn crcopy , 164fd3083e0SRobert Watsonand 165e8477da2SBrooks Davis.Fn crcopysafe . 166fd3083e0SRobert Watson.Pp 167fd3083e0SRobert WatsonIn the common case, credentials required for access control decisions are 168fd3083e0SRobert Watsonused in a read-only manner. 169fd3083e0SRobert WatsonIn these circumstances, the thread credential 170fd3083e0SRobert Watson.Va td_ucred 171fd3083e0SRobert Watsonshould be used, as it requires no locking to access safely, and remains stable 172fd3083e0SRobert Watsonfor the duration of the call even in the face of a multi-threaded 173fd3083e0SRobert Watsonapplication changing the process credentials from another thread. 174fd3083e0SRobert Watson.Pp 175fd3083e0SRobert WatsonDuring a process credential update, the process lock must be held across 176fd3083e0SRobert Watsoncheck and update, to prevent race conditions. 177fd3083e0SRobert WatsonThe process credential, 178fd3083e0SRobert Watson.Va td->td_proc->p_ucred , 179fd3083e0SRobert Watsonmust be used both for check and update. 180fd3083e0SRobert WatsonIf a process credential is updated during a system call and checks against 181fd3083e0SRobert Watsonthe thread credential are to be made later during the same system call, 182fd3083e0SRobert Watsonthe thread credential must also be refreshed from the process credential 183fd3083e0SRobert Watsonso as to prevent use of a stale value. 184fd3083e0SRobert WatsonTo avoid this scenario, it is recommended that system calls updating the 1856c8c6098SRuslan Ermilovprocess credential be designed to avoid other authorization functions. 186fd3083e0SRobert Watson.Pp 187fd3083e0SRobert WatsonIf temporarily elevated privileges are required for a thread, the thread 188*d4b0fa45SJohan Janssoncredential can be replaced for the duration of an activity, or for 189fd3083e0SRobert Watsonthe remainder of the system call. 190fd3083e0SRobert WatsonHowever, as a thread credential is often shared, appropriate care should be 191fd3083e0SRobert Watsontaken to make sure modifications are made to a writable credential 192fd3083e0SRobert Watsonthrough the use of 193fd3083e0SRobert Watson.Fn crget 194fd3083e0SRobert Watsonand 195fd3083e0SRobert Watson.Fn crcopy . 196fd3083e0SRobert Watson.Pp 197fd3083e0SRobert WatsonCaution should be exercised when checking authorization for a thread or 198fd3083e0SRobert Watsonprocess perform an operation on another thread or process. 199fd3083e0SRobert WatsonAs a result of temporary elevation, the target thread credential should 200fd3083e0SRobert Watson.Em never 201fd3083e0SRobert Watsonbe used as the target credential in an access control decision: the process 202fd3083e0SRobert Watsoncredential associated with the thread, 203fd3083e0SRobert Watson.Va td->td_proc->p_ucred , 204fd3083e0SRobert Watsonshould be used instead. 205fd3083e0SRobert WatsonFor example, 206fd3083e0SRobert Watson.Xr p_candebug 9 207fd3083e0SRobert Watsonaccepts a target process, not a target thread, for access control purposes. 2084772483cSRuslan Ermilov.Sh SEE ALSO 2094772483cSRuslan Ermilov.Xr uihold 9 2104772483cSRuslan Ermilov.Sh AUTHORS 211571dba6eSHiten PandyaThis manual page was written by 2128a7314fcSBaptiste Daroussin.An Chad David Aq Mt davidc@acns.ab.ca . 213