xref: /freebsd/share/man/man9/ucred.9 (revision db70ff37a051dfa19f6f3f0f0c5e3571aba91982)
1.\"
2.\" Copyright (C) 2001 Chad David <davidc@acns.ab.ca>. All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice(s), this list of conditions and the following disclaimer as
9.\"    the first lines of this file unmodified other than the possible
10.\"    addition of one or more copyright notices.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice(s), this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY
16.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18.\" DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY
19.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
20.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
22.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
25.\" DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd September 27, 2017
30.Dt UCRED 9
31.Os
32.Sh NAME
33.Nm ucred ,
34.Nm crget ,
35.Nm crhold ,
36.Nm crfree ,
37.Nm crcopy ,
38.Nm crdup ,
39.Nm cru2x ,
40.Nm cred_update_thread
41.Nd "functions related to user credentials"
42.Sh SYNOPSIS
43.In sys/param.h
44.In sys/ucred.h
45.Ft "struct ucred *"
46.Fn crget void
47.Ft "struct ucred *"
48.Fn crhold "struct ucred *cr"
49.Ft void
50.Fn crfree "struct ucred *cr"
51.Ft void
52.Fn crcopy "struct ucred *dest" "struct ucred *src"
53.Ft "struct ucred *"
54.Fn crcopysafe "struct proc *p" "struct ucred *cr"
55.Ft "struct ucred *"
56.Fn crdup "struct ucred *cr"
57.Ft void
58.Fn crsetgroups "struct ucred *cr" "int ngrp" "gid_t *groups"
59.Ft void
60.Fn cru2x "struct ucred *cr" "struct xucred *xcr"
61.Ft void
62.Fn cred_update_thread "struct thread *td"
63.Sh DESCRIPTION
64The
65.Nm
66family of functions is used to manage user credential structures
67.Pq Vt "struct ucred"
68within the kernel.
69.Pp
70The
71.Fn crget
72function allocates memory
73for a new structure, sets its reference count to 1, and
74initializes its lock.
75.Pp
76The
77.Fn crhold
78function increases the reference count on the credential.
79.Pp
80The
81.Fn crfree
82function decreases the reference count on the credential.
83If the count drops to 0, the storage for the structure is freed.
84.Pp
85The
86.Fn crcopy
87function copies the contents of the source (template)
88credential into the destination template.
89The
90.Vt uidinfo
91structure within the destination is referenced
92by calling
93.Xr uihold 9 .
94.Pp
95The
96.Fn crcopysafe
97function copies the current credential associated with the process
98.Fa p
99into the newly allocated credential
100.Fa cr .
101The process lock on
102.Fa p
103must be held and will be dropped and reacquired as needed to allocate
104group storage space in
105.Fa cr .
106.Pp
107The
108.Fn crdup
109function allocates memory for a new structure and copies the
110contents of
111.Fa cr
112into it.
113The actual copying is performed by
114.Fn crcopy .
115.Pp
116The
117.Fn crsetgroups
118function sets the
119.Va cr_groups
120and
121.Va cr_ngroups
122variables and allocates space as needed.
123It also truncates the group list to the current maximum number of
124groups.
125No other mechanism should be used to modify the
126.Va cr_groups
127array except for updating the primary group via assignment to
128.Va cr_groups[0] .
129.Pp
130The
131.Fn cru2x
132function converts a
133.Vt ucred
134structure to an
135.Vt xucred
136structure.
137That is,
138it copies data from
139.Fa cr
140to
141.Fa xcr ;
142it ignores fields in the former that are not present in the latter
143(e.g.,
144.Va cr_uidinfo ) ,
145and appropriately sets fields in the latter that are not present in
146the former
147(e.g.,
148.Va cr_version ) .
149.Pp
150The
151.Fn cred_update_thread
152function sets the credentials of
153.Fa td
154to that of its process, freeing its old credential if required.
155.Sh RETURN VALUES
156.Fn crget ,
157.Fn crhold ,
158.Fn crdup ,
159and
160.Fn crcopysafe
161all return a pointer to a
162.Vt ucred
163structure.
164.Sh USAGE NOTES
165As of
166.Fx 5.0 ,
167the
168.Vt ucred
169structure contains extensible fields.
170This means that the correct protocol must always be followed to create
171a fresh and writable credential structure: new credentials must always
172be derived from existing credentials using
173.Fn crget ,
174.Fn crcopy ,
175and
176.Fn crcopysafe .
177.Pp
178In the common case, credentials required for access control decisions are
179used in a read-only manner.
180In these circumstances, the thread credential
181.Va td_ucred
182should be used, as it requires no locking to access safely, and remains stable
183for the duration of the call even in the face of a multi-threaded
184application changing the process credentials from another thread.
185.Pp
186During a process credential update, the process lock must be held across
187check and update, to prevent race conditions.
188The process credential,
189.Va td->td_proc->p_ucred ,
190must be used both for check and update.
191If a process credential is updated during a system call and checks against
192the thread credential are to be made later during the same system call,
193the thread credential must also be refreshed from the process credential
194so as to prevent use of a stale value.
195To avoid this scenario, it is recommended that system calls updating the
196process credential be designed to avoid other authorization functions.
197.Pp
198If temporarily elevated privileges are required for a thread, the thread
199credential can by replaced for the duration of an activity, or for
200the remainder of the system call.
201However, as a thread credential is often shared, appropriate care should be
202taken to make sure modifications are made to a writable credential
203through the use of
204.Fn crget
205and
206.Fn crcopy .
207.Pp
208Caution should be exercised when checking authorization for a thread or
209process perform an operation on another thread or process.
210As a result of temporary elevation, the target thread credential should
211.Em never
212be used as the target credential in an access control decision: the process
213credential associated with the thread,
214.Va td->td_proc->p_ucred ,
215should be used instead.
216For example,
217.Xr p_candebug 9
218accepts a target process, not a target thread, for access control purposes.
219.Sh SEE ALSO
220.Xr uihold 9
221.Sh AUTHORS
222This manual page was written by
223.An Chad David Aq Mt davidc@acns.ab.ca .
224