xref: /freebsd/share/man/man9/ucred.9 (revision cddbc3b40812213ff00041f79174cac0be360a2a)
1.\"
2.\" Copyright (C) 2001 Chad David <davidc@acns.ab.ca>. All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice(s), this list of conditions and the following disclaimer as
9.\"    the first lines of this file unmodified other than the possible
10.\"    addition of one or more copyright notices.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice(s), this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY
16.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18.\" DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY
19.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
20.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
22.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
25.\" DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd January 23, 2019
30.Dt UCRED 9
31.Os
32.Sh NAME
33.Nm ucred ,
34.Nm crget ,
35.Nm crhold ,
36.Nm crfree ,
37.Nm crcopy ,
38.Nm crdup ,
39.Nm cru2x
40.Nd "functions related to user credentials"
41.Sh SYNOPSIS
42.In sys/param.h
43.In sys/ucred.h
44.Ft "struct ucred *"
45.Fn crget void
46.Ft "struct ucred *"
47.Fn crhold "struct ucred *cr"
48.Ft void
49.Fn crfree "struct ucred *cr"
50.Ft void
51.Fn crcopy "struct ucred *dest" "struct ucred *src"
52.Ft "struct ucred *"
53.Fn crcopysafe "struct proc *p" "struct ucred *cr"
54.Ft "struct ucred *"
55.Fn crdup "struct ucred *cr"
56.Ft void
57.Fn crsetgroups "struct ucred *cr" "int ngrp" "gid_t *groups"
58.Ft void
59.Fn cru2x "struct ucred *cr" "struct xucred *xcr"
60.Sh DESCRIPTION
61The
62.Nm
63family of functions is used to manage user credential structures
64.Pq Vt "struct ucred"
65within the kernel.
66.Pp
67The
68.Fn crget
69function allocates memory
70for a new structure, sets its reference count to 1, and
71initializes its lock.
72.Pp
73The
74.Fn crhold
75function increases the reference count on the credential.
76.Pp
77The
78.Fn crfree
79function decreases the reference count on the credential.
80If the count drops to 0, the storage for the structure is freed.
81.Pp
82The
83.Fn crcopy
84function copies the contents of the source (template)
85credential into the destination template.
86The
87.Vt uidinfo
88structure within the destination is referenced
89by calling
90.Xr uihold 9 .
91.Pp
92The
93.Fn crcopysafe
94function copies the current credential associated with the process
95.Fa p
96into the newly allocated credential
97.Fa cr .
98The process lock on
99.Fa p
100must be held and will be dropped and reacquired as needed to allocate
101group storage space in
102.Fa cr .
103.Pp
104The
105.Fn crdup
106function allocates memory for a new structure and copies the
107contents of
108.Fa cr
109into it.
110The actual copying is performed by
111.Fn crcopy .
112.Pp
113The
114.Fn crsetgroups
115function sets the
116.Va cr_groups
117and
118.Va cr_ngroups
119variables and allocates space as needed.
120It also truncates the group list to the current maximum number of
121groups.
122No other mechanism should be used to modify the
123.Va cr_groups
124array except for updating the primary group via assignment to
125.Va cr_groups[0] .
126.Pp
127The
128.Fn cru2x
129function converts a
130.Vt ucred
131structure to an
132.Vt xucred
133structure.
134That is,
135it copies data from
136.Fa cr
137to
138.Fa xcr ;
139it ignores fields in the former that are not present in the latter
140(e.g.,
141.Va cr_uidinfo ) ,
142and appropriately sets fields in the latter that are not present in
143the former
144(e.g.,
145.Va cr_version ) .
146.Pp
147.Sh RETURN VALUES
148.Fn crget ,
149.Fn crhold ,
150.Fn crdup ,
151and
152.Fn crcopysafe
153all return a pointer to a
154.Vt ucred
155structure.
156.Sh USAGE NOTES
157As of
158.Fx 5.0 ,
159the
160.Vt ucred
161structure contains extensible fields.
162This means that the correct protocol must always be followed to create
163a fresh and writable credential structure: new credentials must always
164be derived from existing credentials using
165.Fn crget ,
166.Fn crcopy ,
167and
168.Fn crcopysafe .
169.Pp
170In the common case, credentials required for access control decisions are
171used in a read-only manner.
172In these circumstances, the thread credential
173.Va td_ucred
174should be used, as it requires no locking to access safely, and remains stable
175for the duration of the call even in the face of a multi-threaded
176application changing the process credentials from another thread.
177.Pp
178During a process credential update, the process lock must be held across
179check and update, to prevent race conditions.
180The process credential,
181.Va td->td_proc->p_ucred ,
182must be used both for check and update.
183If a process credential is updated during a system call and checks against
184the thread credential are to be made later during the same system call,
185the thread credential must also be refreshed from the process credential
186so as to prevent use of a stale value.
187To avoid this scenario, it is recommended that system calls updating the
188process credential be designed to avoid other authorization functions.
189.Pp
190If temporarily elevated privileges are required for a thread, the thread
191credential can by replaced for the duration of an activity, or for
192the remainder of the system call.
193However, as a thread credential is often shared, appropriate care should be
194taken to make sure modifications are made to a writable credential
195through the use of
196.Fn crget
197and
198.Fn crcopy .
199.Pp
200Caution should be exercised when checking authorization for a thread or
201process perform an operation on another thread or process.
202As a result of temporary elevation, the target thread credential should
203.Em never
204be used as the target credential in an access control decision: the process
205credential associated with the thread,
206.Va td->td_proc->p_ucred ,
207should be used instead.
208For example,
209.Xr p_candebug 9
210accepts a target process, not a target thread, for access control purposes.
211.Sh SEE ALSO
212.Xr uihold 9
213.Sh AUTHORS
214This manual page was written by
215.An Chad David Aq Mt davidc@acns.ab.ca .
216