xref: /freebsd/share/man/man9/ucred.9 (revision 3642298923e528d795e3a30ec165d2b469e28b40)
1.\"
2.\" Copyright (C) 2001 Chad David <davidc@acns.ab.ca>. All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice(s), this list of conditions and the following disclaimer as
9.\"    the first lines of this file unmodified other than the possible
10.\"    addition of one or more copyright notices.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice(s), this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY
16.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18.\" DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY
19.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
20.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
22.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
25.\" DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd March 3, 2002
30.Dt UCRED 9
31.Os
32.Sh NAME
33.Nm ucred ,
34.Nm crget ,
35.Nm crhold ,
36.Nm crfree ,
37.Nm crshared ,
38.Nm crcopy ,
39.Nm crdup ,
40.Nm cru2x ,
41.Nm cred_update_thread
42.Nd "functions related to user credentials"
43.Sh SYNOPSIS
44.In sys/param.h
45.In sys/ucred.h
46.Ft "struct ucred *"
47.Fn crget void
48.Ft "struct ucred *"
49.Fn crhold "struct ucred *cr"
50.Ft void
51.Fn crfree "struct ucred *cr"
52.Ft int
53.Fn crshared "struct ucred *cr"
54.Ft void
55.Fn crcopy "struct ucred *dest" "struct ucred *src"
56.Ft "struct ucred *"
57.Fn crdup "struct ucred *cr"
58.Ft void
59.Fn cru2x "struct ucred *cr" "struct xucred *xcr"
60.Ft void
61.Fn cred_update_thread "struct thread *td"
62.Sh DESCRIPTION
63The
64.Nm
65family of functions is used to manage user credential structures
66.Pq Vt "struct ucred"
67within the kernel.
68.Pp
69The
70.Fn crget
71function allocates memory
72for a new structure, sets its reference count to 1, and
73initializes its lock.
74.Pp
75The
76.Fn crhold
77function increases the reference count on the credential.
78.Pp
79The
80.Fn crfree
81function decreases the reference count on the credential.
82If the count drops to 0, the storage for the structure is freed.
83.Pp
84The
85.Fn crshared
86function returns true if the credential is shared.
87A credential is considered to be shared if its reference
88count is greater than one.
89.Pp
90The
91.Fn crcopy
92function copies the contents of the source (template)
93credential into the destination template.
94The
95.Vt uidinfo
96structure within the destination is referenced
97by calling
98.Xr uihold 9 .
99.Pp
100The
101.Fn crdup
102function allocates memory for a new structure and copies the
103contents of
104.Fa cr
105into it.
106The actual copying is performed by
107.Fn crcopy .
108.Pp
109The
110.Fn cru2x
111function converts a
112.Vt ucred
113structure to an
114.Vt xucred
115structure.
116That is,
117it copies data from
118.Fa cr
119to
120.Fa xcr ;
121it ignores fields in the former that are not present in the latter
122(e.g.,
123.Va cr_uidinfo ) ,
124and appropriately sets fields in the latter that are not present in
125the former
126(e.g.,
127.Va cr_version ) .
128.Pp
129The
130.Fn cred_update_thread
131function sets the credentials of
132.Fa td
133to that of its process, freeing its old credential if required.
134.Sh RETURN VALUES
135.Fn crget ,
136.Fn crhold
137and
138.Fn crdup
139all return a pointer to a
140.Vt ucred
141structure.
142.Pp
143.Fn crshared
144returns 0 if the credential has a reference count greater than 1;
145otherwise, 1 is returned.
146.Sh USAGE NOTES
147As of
148.Fx 5.0 ,
149the
150.Vt ucred
151structure contains extensible fields.
152This means that the correct protocol must always be followed to create
153a fresh and writable credential structure: new credentials must always
154be derived from existing credentials using
155.Fn crget
156and
157.Fn crcopy .
158.Pp
159In the common case, credentials required for access control decisions are
160used in a read-only manner.
161In these circumstances, the thread credential
162.Va td_ucred
163should be used, as it requires no locking to access safely, and remains stable
164for the duration of the call even in the face of a multi-threaded
165application changing the process credentials from another thread.
166Primitives such as
167.Xr suser 9
168will assume the use of
169.Va td_ucred
170unless explicitly specified using
171.Xr suser_cred 9 .
172.Pp
173During a process credential update, the process lock must be held across
174check and update, to prevent race conditions.
175The process credential,
176.Va td->td_proc->p_ucred ,
177must be used both for check and update.
178If a process credential is updated during a system call and checks against
179the thread credential are to be made later during the same system call,
180the thread credential must also be refreshed from the process credential
181so as to prevent use of a stale value.
182To avoid this scenario, it is recommended that system calls updating the
183process credential be designed to avoid other authorization functions.
184.Pp
185If temporarily elevated privileges are required for a thread, the thread
186credential can by replaced for the duration of an activity, or for
187the remainder of the system call.
188However, as a thread credential is often shared, appropriate care should be
189taken to make sure modifications are made to a writable credential
190through the use of
191.Fn crget
192and
193.Fn crcopy .
194.Pp
195Caution should be exercised when checking authorization for a thread or
196process perform an operation on another thread or process.
197As a result of temporary elevation, the target thread credential should
198.Em never
199be used as the target credential in an access control decision: the process
200credential associated with the thread,
201.Va td->td_proc->p_ucred ,
202should be used instead.
203For example,
204.Xr p_candebug 9
205accepts a target process, not a target thread, for access control purposes.
206.Sh SEE ALSO
207.Xr uihold 9
208.Sh AUTHORS
209This manual page was written by
210.An Chad David Aq davidc@acns.ab.ca .
211