1.\" 2.\" Copyright (C) 2001 Chad David <davidc@acns.ab.ca>. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice(s), this list of conditions and the following disclaimer as 9.\" the first lines of this file unmodified other than the possible 10.\" addition of one or more copyright notices. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice(s), this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY 16.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18.\" DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY 19.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 21.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 22.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 25.\" DAMAGE. 26.\" 27.\" $FreeBSD$ 28.\" 29.Dd June 19, 2009 30.Dt UCRED 9 31.Os 32.Sh NAME 33.Nm ucred , 34.Nm crget , 35.Nm crhold , 36.Nm crfree , 37.Nm crshared , 38.Nm crcopy , 39.Nm crdup , 40.Nm cru2x , 41.Nm cred_update_thread 42.Nd "functions related to user credentials" 43.Sh SYNOPSIS 44.In sys/param.h 45.In sys/ucred.h 46.Ft "struct ucred *" 47.Fn crget void 48.Ft "struct ucred *" 49.Fn crhold "struct ucred *cr" 50.Ft void 51.Fn crfree "struct ucred *cr" 52.Ft int 53.Fn crshared "struct ucred *cr" 54.Ft void 55.Fn crcopy "struct ucred *dest" "struct ucred *src" 56.Ft "struct ucred *" 57.Fn crcopysafe "struct proc *p" "struct ucred *cr" 58.Ft "struct ucred *" 59.Fn crdup "struct ucred *cr" 60.Ft void 61.Fn crsetgroups "struct ucred *cr" "int ngrp" "gid_t *groups" 62.Ft void 63.Fn cru2x "struct ucred *cr" "struct xucred *xcr" 64.Ft void 65.Fn cred_update_thread "struct thread *td" 66.Sh DESCRIPTION 67The 68.Nm 69family of functions is used to manage user credential structures 70.Pq Vt "struct ucred" 71within the kernel. 72.Pp 73The 74.Fn crget 75function allocates memory 76for a new structure, sets its reference count to 1, and 77initializes its lock. 78.Pp 79The 80.Fn crhold 81function increases the reference count on the credential. 82.Pp 83The 84.Fn crfree 85function decreases the reference count on the credential. 86If the count drops to 0, the storage for the structure is freed. 87.Pp 88The 89.Fn crshared 90function returns true if the credential is shared. 91A credential is considered to be shared if its reference 92count is greater than one. 93.Pp 94The 95.Fn crcopy 96function copies the contents of the source (template) 97credential into the destination template. 98The 99.Vt uidinfo 100structure within the destination is referenced 101by calling 102.Xr uihold 9 . 103.Pp 104The 105.Fn crcopysafe 106function copies the current credential associated with the process 107.Fa p 108into the newly allocated credential 109.Fa cr . 110The process lock on 111.Fa p 112must be held and will be dropped and reacquired as needed to allocate 113group storage space in 114.Fa cr . 115.Pp 116The 117.Fn crdup 118function allocates memory for a new structure and copies the 119contents of 120.Fa cr 121into it. 122The actual copying is performed by 123.Fn crcopy . 124.Pp 125The 126.Fn crsetgroups 127function sets the 128.Va cr_groups 129and 130.Va cr_ngroups 131variables and allocates space as needed. 132It also truncates the group list to the current maximum number of 133groups. 134No other mechanism should be used to modify the 135.Va cr_groups 136array except for updating the primary group via assignment to 137.Va cr_groups[0] . 138.Pp 139The 140.Fn cru2x 141function converts a 142.Vt ucred 143structure to an 144.Vt xucred 145structure. 146That is, 147it copies data from 148.Fa cr 149to 150.Fa xcr ; 151it ignores fields in the former that are not present in the latter 152(e.g., 153.Va cr_uidinfo ) , 154and appropriately sets fields in the latter that are not present in 155the former 156(e.g., 157.Va cr_version ) . 158.Pp 159The 160.Fn cred_update_thread 161function sets the credentials of 162.Fa td 163to that of its process, freeing its old credential if required. 164.Sh RETURN VALUES 165.Fn crget , 166.Fn crhold , 167.Fn crdup , 168and 169.Fn crcopysafe 170all return a pointer to a 171.Vt ucred 172structure. 173.Pp 174.Fn crshared 175returns 0 if the credential has a reference count greater than 1; 176otherwise, 1 is returned. 177.Sh USAGE NOTES 178As of 179.Fx 5.0 , 180the 181.Vt ucred 182structure contains extensible fields. 183This means that the correct protocol must always be followed to create 184a fresh and writable credential structure: new credentials must always 185be derived from existing credentials using 186.Fn crget , 187.Fn crcopy , 188and 189.Fn crcopysafe . 190.Pp 191In the common case, credentials required for access control decisions are 192used in a read-only manner. 193In these circumstances, the thread credential 194.Va td_ucred 195should be used, as it requires no locking to access safely, and remains stable 196for the duration of the call even in the face of a multi-threaded 197application changing the process credentials from another thread. 198.Pp 199During a process credential update, the process lock must be held across 200check and update, to prevent race conditions. 201The process credential, 202.Va td->td_proc->p_ucred , 203must be used both for check and update. 204If a process credential is updated during a system call and checks against 205the thread credential are to be made later during the same system call, 206the thread credential must also be refreshed from the process credential 207so as to prevent use of a stale value. 208To avoid this scenario, it is recommended that system calls updating the 209process credential be designed to avoid other authorization functions. 210.Pp 211If temporarily elevated privileges are required for a thread, the thread 212credential can by replaced for the duration of an activity, or for 213the remainder of the system call. 214However, as a thread credential is often shared, appropriate care should be 215taken to make sure modifications are made to a writable credential 216through the use of 217.Fn crget 218and 219.Fn crcopy . 220.Pp 221Caution should be exercised when checking authorization for a thread or 222process perform an operation on another thread or process. 223As a result of temporary elevation, the target thread credential should 224.Em never 225be used as the target credential in an access control decision: the process 226credential associated with the thread, 227.Va td->td_proc->p_ucred , 228should be used instead. 229For example, 230.Xr p_candebug 9 231accepts a target process, not a target thread, for access control purposes. 232.Sh SEE ALSO 233.Xr uihold 9 234.Sh AUTHORS 235This manual page was written by 236.An Chad David Aq davidc@acns.ab.ca . 237