xref: /freebsd/share/man/man9/ucred.9 (revision cc16dea626cf2fc80cde667ac4798065108e596c)
1.\"
2.\" Copyright (C) 2001 Chad David <davidc@acns.ab.ca>. All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice(s), this list of conditions and the following disclaimer as
9.\"    the first lines of this file unmodified other than the possible
10.\"    addition of one or more copyright notices.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice(s), this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY
16.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18.\" DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY
19.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
20.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
22.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
25.\" DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd June 19, 2009
30.Dt UCRED 9
31.Os
32.Sh NAME
33.Nm ucred ,
34.Nm crget ,
35.Nm crhold ,
36.Nm crfree ,
37.Nm crshared ,
38.Nm crcopy ,
39.Nm crdup ,
40.Nm cru2x ,
41.Nm cred_update_thread
42.Nd "functions related to user credentials"
43.Sh SYNOPSIS
44.In sys/param.h
45.In sys/ucred.h
46.Ft "struct ucred *"
47.Fn crget void
48.Ft "struct ucred *"
49.Fn crhold "struct ucred *cr"
50.Ft void
51.Fn crfree "struct ucred *cr"
52.Ft int
53.Fn crshared "struct ucred *cr"
54.Ft void
55.Fn crcopy "struct ucred *dest" "struct ucred *src"
56.Ft "struct ucred *"
57.Fn crcopysafe "struct proc *p" "struct ucred *cr"
58.Ft "struct ucred *"
59.Fn crdup "struct ucred *cr"
60.Ft void
61.Fn crsetgroups "struct ucred *cr" "int ngrp" "gid_t *groups"
62.Ft void
63.Fn cru2x "struct ucred *cr" "struct xucred *xcr"
64.Ft void
65.Fn cred_update_thread "struct thread *td"
66.Sh DESCRIPTION
67The
68.Nm
69family of functions is used to manage user credential structures
70.Pq Vt "struct ucred"
71within the kernel.
72.Pp
73The
74.Fn crget
75function allocates memory
76for a new structure, sets its reference count to 1, and
77initializes its lock.
78.Pp
79The
80.Fn crhold
81function increases the reference count on the credential.
82.Pp
83The
84.Fn crfree
85function decreases the reference count on the credential.
86If the count drops to 0, the storage for the structure is freed.
87.Pp
88The
89.Fn crshared
90function returns true if the credential is shared.
91A credential is considered to be shared if its reference
92count is greater than one.
93.Pp
94The
95.Fn crcopy
96function copies the contents of the source (template)
97credential into the destination template.
98The
99.Vt uidinfo
100structure within the destination is referenced
101by calling
102.Xr uihold 9 .
103.Pp
104The
105.Fn crcopysafe
106function copies the current credential associated with the process
107.Fa p
108into the newly allocated credential
109.Fa cr .
110The process lock on
111.Fa p
112must be held and will be dropped and reacquired as needed to allocate
113group storage space in
114.Fa cr .
115.Pp
116The
117.Fn crdup
118function allocates memory for a new structure and copies the
119contents of
120.Fa cr
121into it.
122The actual copying is performed by
123.Fn crcopy .
124.Pp
125The
126.Fn crsetgroups
127function sets the
128.Va cr_groups
129and
130.Va cr_ngroups
131variables and allocates space as needed.
132It also truncates the group list to the current maximum number of
133groups.
134No other mechanism should be used to modify the
135.Va cr_groups
136array except for updating the primary group via assignment to
137.Va cr_groups[0] .
138.Pp
139The
140.Fn cru2x
141function converts a
142.Vt ucred
143structure to an
144.Vt xucred
145structure.
146That is,
147it copies data from
148.Fa cr
149to
150.Fa xcr ;
151it ignores fields in the former that are not present in the latter
152(e.g.,
153.Va cr_uidinfo ) ,
154and appropriately sets fields in the latter that are not present in
155the former
156(e.g.,
157.Va cr_version ) .
158.Pp
159The
160.Fn cred_update_thread
161function sets the credentials of
162.Fa td
163to that of its process, freeing its old credential if required.
164.Sh RETURN VALUES
165.Fn crget ,
166.Fn crhold ,
167.Fn crdup ,
168and
169.Fn crcopysafe
170all return a pointer to a
171.Vt ucred
172structure.
173.Pp
174.Fn crshared
175returns 0 if the credential has a reference count greater than 1;
176otherwise, 1 is returned.
177.Sh USAGE NOTES
178As of
179.Fx 5.0 ,
180the
181.Vt ucred
182structure contains extensible fields.
183This means that the correct protocol must always be followed to create
184a fresh and writable credential structure: new credentials must always
185be derived from existing credentials using
186.Fn crget ,
187.Fn crcopy ,
188and
189.Fn crcopysafe .
190.Pp
191In the common case, credentials required for access control decisions are
192used in a read-only manner.
193In these circumstances, the thread credential
194.Va td_ucred
195should be used, as it requires no locking to access safely, and remains stable
196for the duration of the call even in the face of a multi-threaded
197application changing the process credentials from another thread.
198.Pp
199During a process credential update, the process lock must be held across
200check and update, to prevent race conditions.
201The process credential,
202.Va td->td_proc->p_ucred ,
203must be used both for check and update.
204If a process credential is updated during a system call and checks against
205the thread credential are to be made later during the same system call,
206the thread credential must also be refreshed from the process credential
207so as to prevent use of a stale value.
208To avoid this scenario, it is recommended that system calls updating the
209process credential be designed to avoid other authorization functions.
210.Pp
211If temporarily elevated privileges are required for a thread, the thread
212credential can by replaced for the duration of an activity, or for
213the remainder of the system call.
214However, as a thread credential is often shared, appropriate care should be
215taken to make sure modifications are made to a writable credential
216through the use of
217.Fn crget
218and
219.Fn crcopy .
220.Pp
221Caution should be exercised when checking authorization for a thread or
222process perform an operation on another thread or process.
223As a result of temporary elevation, the target thread credential should
224.Em never
225be used as the target credential in an access control decision: the process
226credential associated with the thread,
227.Va td->td_proc->p_ucred ,
228should be used instead.
229For example,
230.Xr p_candebug 9
231accepts a target process, not a target thread, for access control purposes.
232.Sh SEE ALSO
233.Xr uihold 9
234.Sh AUTHORS
235This manual page was written by
236.An Chad David Aq davidc@acns.ab.ca .
237