1.\" 2.\" Copyright (C) 2001 Chad David <davidc@acns.ab.ca>. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice(s), this list of conditions and the following disclaimer as 9.\" the first lines of this file unmodified other than the possible 10.\" addition of one or more copyright notices. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice(s), this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY 16.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18.\" DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY 19.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 21.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 22.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 25.\" DAMAGE. 26.\" 27.\" $FreeBSD$ 28.\" 29.Dd March 3, 2002 30.Dt UCRED 9 31.Os 32.Sh NAME 33.Nm ucred , 34.Nm crget , 35.Nm crhold , 36.Nm crfree , 37.Nm crshared , 38.Nm crcopy , 39.Nm crdup , 40.Nm cru2x , 41.Nm cred_update_thread 42.Nd "functions related to user credentials" 43.Sh SYNOPSIS 44.In sys/param.h 45.In sys/ucred.h 46.Ft "struct ucred *" 47.Fn crget void 48.Ft "struct ucred *" 49.Fn crhold "struct ucred *cr" 50.Ft void 51.Fn crfree "struct ucred *cr" 52.Ft int 53.Fn crshared "struct ucred *cr" 54.Ft void 55.Fn crcopy "struct ucred *dest" "struct ucred *src" 56.Ft "struct ucred *" 57.Fn crdup "struct ucred *cr" 58.Ft void 59.Fn cru2x "struct ucred *cr" "struct xucred *xcr" 60.Ft void 61.Fn cred_update_thread "struct thread *td" 62.Sh DESCRIPTION 63The 64.Nm 65family of functions is used to manage user credential structures 66.Pq Vt "struct ucred" 67within the kernel. 68.Pp 69The 70.Fn crget 71function allocates memory 72for a new structure, sets its reference count to 1, and 73initializes its lock. 74.Pp 75The 76.Fn crhold 77function increases the reference count on the credential. 78.Pp 79The 80.Fn crfree 81function decreases the reference count on the credential. 82If the count drops to 0, the storage for the structure is freed. 83.Pp 84The 85.Fn crshared 86function returns true if the credential is shared. 87A credential is considered to be shared if its reference 88count is greater than one. 89.Pp 90The 91.Fn crcopy 92function copies the contents of the source (template) 93credential into the destination template. 94The 95.Vt uidinfo 96structure within the destination is referenced 97by calling 98.Xr uihold 9 . 99.Pp 100The 101.Fn crdup 102function allocates memory for a new structure and copies the 103contents of 104.Fa cr 105into it. 106The actual copying is performed by 107.Fn crcopy . 108.Pp 109The 110.Fn cru2x 111function converts a 112.Vt ucred 113structure to an 114.Vt xucred 115structure. 116That is, 117it copies data from 118.Fa cr 119to 120.Fa xcr ; 121it ignores fields in the former that are not present in the latter 122(e.g., 123.Va cr_uidinfo ) , 124and appropriately sets fields in the latter that are not present in 125the former 126(e.g., 127.Va cr_version ) . 128.Pp 129The 130.Fn cred_update_thread 131function sets the credentials of 132.Fa td 133to that of its process, freeing its old credential if required. 134.Sh RETURN VALUES 135.Fn crget , 136.Fn crhold 137and 138.Fn crdup 139all return a pointer to a 140.Vt ucred 141structure. 142.Pp 143.Fn crshared 144returns 0 if the credential has a reference count greater than 1; 145otherwise, 1 is returned. 146.Sh USAGE NOTES 147As of 148.Fx 5.0 , 149the 150.Vt ucred 151structure contains extensible fields. 152This means that the correct protocol must always be followed to create 153a fresh and writable credential structure: new credentials must always 154be derived from existing credentials using 155.Fn crget 156and 157.Fn crcopy . 158.Pp 159In the common case, credentials required for access control decisions are 160used in a read-only manner. 161In these circumstances, the thread credential 162.Va td_ucred 163should be used, as it requires no locking to access safely, and remains stable 164for the duration of the call even in the face of a multi-threaded 165application changing the process credentials from another thread. 166Primitives such as 167.Xr suser 9 168will assume the use of 169.Va td_ucred 170unless explicitly specified using 171.Xr suser_cred 9 . 172.Pp 173During a process credential update, the process lock must be held across 174check and update, to prevent race conditions. 175The process credential, 176.Va td->td_proc->p_ucred , 177must be used both for check and update. 178If a process credential is updated during a system call and checks against 179the thread credential are to be made later during the same system call, 180the thread credential must also be refreshed from the process credential 181so as to prevent use of a stale value. 182To avoid this scenario, it is recommended that system calls updating the 183process credential be designed to avoid other authorization functions. 184.Pp 185If temporarily elevated privileges are required for a thread, the thread 186credential can by replaced for the duration of an activity, or for 187the remainder of the system call. 188However, as a thread credential is often shared, appropriate care should be 189taken to make sure modifications are made to a writable credential 190through the use of 191.Fn crget 192and 193.Fn crcopy . 194.Pp 195Caution should be exercised when checking authorization for a thread or 196process perform an operation on another thread or process. 197As a result of temporary elevation, the target thread credential should 198.Em never 199be used as the target credential in an access control decision: the process 200credential associated with the thread, 201.Va td->td_proc->p_ucred , 202should be used instead. 203For example, 204.Xr p_candebug 9 205accepts a target process, not a target thread, for access control purposes. 206.Sh SEE ALSO 207.Xr uihold 9 208.Sh AUTHORS 209This manual page was written by 210.An Chad David Aq davidc@acns.ab.ca . 211