]>
Commit | Line | Data |
---|---|---|
fea681da | 1 | .\" Copyright (C) 1995, Thomas K. Dyas <tdyas@eden.rutgers.edu> |
5d3b92e5 | 2 | .\" and Copyright (C) 2013, 2019, Michael Kerrisk <mtk.manpages@gmail.com> |
fea681da | 3 | .\" |
93015253 | 4 | .\" %%%LICENSE_START(VERBATIM) |
fea681da MK |
5 | .\" Permission is granted to make and distribute verbatim copies of this |
6 | .\" manual provided the copyright notice and this permission notice are | |
7 | .\" preserved on all copies. | |
8 | .\" | |
9 | .\" Permission is granted to copy and distribute modified versions of this | |
10 | .\" manual under the conditions for verbatim copying, provided that the | |
11 | .\" entire resulting derived work is distributed under the terms of a | |
12 | .\" permission notice identical to this one. | |
c13182ef | 13 | .\" |
fea681da MK |
14 | .\" Since the Linux kernel and libraries are constantly changing, this |
15 | .\" manual page may be incorrect or out-of-date. The author(s) assume no | |
16 | .\" responsibility for errors or omissions, or for damages resulting from | |
17 | .\" the use of the information contained herein. The author(s) may not | |
18 | .\" have taken the same level of care in the production of this manual, | |
19 | .\" which is licensed free of charge, as they might when working | |
20 | .\" professionally. | |
c13182ef | 21 | .\" |
fea681da MK |
22 | .\" Formatted or processed versions of this manual, if unaccompanied by |
23 | .\" the source, must acknowledge the copyright and authors of this work. | |
4b72fb64 | 24 | .\" %%%LICENSE_END |
fea681da MK |
25 | .\" |
26 | .\" Created 1995-08-06 Thomas K. Dyas <tdyas@eden.rutgers.edu> | |
27 | .\" Modified 2000-07-01 aeb | |
28 | .\" Modified 2002-07-23 aeb | |
c11b1abf | 29 | .\" Modified, 27 May 2004, Michael Kerrisk <mtk.manpages@gmail.com> |
fea681da MK |
30 | .\" Added notes on capability requirements |
31 | .\" | |
2e3023c4 | 32 | .TH SETFSUID 2 2019-05-09 "Linux" "Linux Programmer's Manual" |
fea681da | 33 | .SH NAME |
9ee4a2b6 | 34 | setfsuid \- set user identity used for filesystem checks |
fea681da | 35 | .SH SYNOPSIS |
68f2e81e | 36 | .B #include <sys/fsuid.h> |
68e4db0a | 37 | .PP |
fea681da MK |
38 | .BI "int setfsuid(uid_t " fsuid ); |
39 | .SH DESCRIPTION | |
5d3b92e5 MK |
40 | On Linux, a process has both a filesystem user ID and an effective user ID. |
41 | The (Linux-specific) filesystem user ID is used | |
42 | for permissions checking when accessing filesystem objects, | |
43 | while the effective user ID is used for various other kinds | |
44 | of permissions checks (see | |
45 | .BR credentials (7)). | |
46 | .PP | |
47 | Normally, the value of the process's filesystem user ID | |
48 | is the same as the value of its effective user ID. | |
49 | This is so, because whenever a process's effective user ID is changed, | |
50 | the kernel also changes the filesystem user ID to be the same as | |
51 | the new value of the effective user ID. | |
52 | A process can cause the value of its filesystem user ID to diverge | |
53 | from its effective user ID by using | |
e511ffb6 | 54 | .BR setfsuid () |
5d3b92e5 MK |
55 | to change its filesystem user ID to the value given in |
56 | .IR fsuid . | |
efeece04 | 57 | .PP |
fea681da | 58 | Explicit calls to |
e511ffb6 | 59 | .BR setfsuid () |
fea681da | 60 | and |
0bfa087b | 61 | .BR setfsgid (2) |
5d3b92e5 | 62 | are (were) usually used only by programs such as the Linux NFS server that |
fea681da MK |
63 | need to change what user and group ID is used for file access without a |
64 | corresponding change in the real and effective user and group IDs. | |
65 | A change in the normal user IDs for a program such as the NFS server | |
5d3b92e5 MK |
66 | is (was) a security hole that can expose it to unwanted signals. |
67 | (However, this issue is historical; see below.) | |
efeece04 | 68 | .PP |
e511ffb6 | 69 | .BR setfsuid () |
33a0ccb2 | 70 | will succeed only if the caller is the superuser or if |
fea681da | 71 | .I fsuid |
2ec26c2b MK |
72 | matches either the caller's real user ID, effective user ID, |
73 | saved set-user-ID, or current filesystem user ID. | |
47297adb | 74 | .SH RETURN VALUE |
06e43089 MK |
75 | On both success and failure, |
76 | this call returns the previous filesystem user ID of the caller. | |
a3680fde MK |
77 | .SH VERSIONS |
78 | This system call is present in Linux since version 1.2. | |
79 | .\" This system call is present since Linux 1.1.44 | |
80 | .\" and in libc since libc 4.7.6. | |
47297adb | 81 | .SH CONFORMING TO |
e511ffb6 | 82 | .BR setfsuid () |
8382f16d | 83 | is Linux-specific and should not be used in programs intended |
97c1eac8 | 84 | to be portable. |
fea681da | 85 | .SH NOTES |
18cc6597 MK |
86 | At the time when this system call was introduced, one process |
87 | could send a signal to another process with the same effective user ID. | |
86f1f045 | 88 | This meant that if a privileged process changed its effective user ID |
18cc6597 MK |
89 | for the purpose of file permission checking, |
90 | then it could become vulnerable to receiving signals | |
91 | sent by another (unprivileged) process with the same user ID. | |
92 | The filesystem user ID attribute was thus added to allow a process to | |
93 | change its user ID for the purposes of file permission checking without | |
94 | at the same time becoming vulnerable to receiving unwanted signals. | |
95 | Since Linux 2.0, signal permission handling is different (see | |
11256884 | 96 | .BR kill (2)), |
4727b7b0 | 97 | with the result that a process can change its effective user ID |
18cc6597 MK |
98 | without being vulnerable to receiving signals from unwanted processes. |
99 | Thus, | |
100 | .BR setfsuid () | |
101 | is nowadays unneeded and should be avoided in new applications | |
102 | (likewise for | |
103 | .BR setfsgid (2)). | |
efeece04 | 104 | .PP |
ae67a2cd MK |
105 | The original Linux |
106 | .BR setfsuid () | |
107 | system call supported only 16-bit user IDs. | |
c5662d5d | 108 | Subsequently, Linux 2.4 added |
ae67a2cd MK |
109 | .BR setfsuid32 () |
110 | supporting 32-bit IDs. | |
111 | The glibc | |
112 | .BR setfsuid () | |
113 | wrapper function transparently deals with the variation across kernel versions. | |
dc439d82 | 114 | .SS C library/kernel differences |
659cc17f MK |
115 | In glibc 2.15 and earlier, |
116 | when the wrapper for this system call determines that the argument can't be | |
dc439d82 MK |
117 | passed to the kernel without integer truncation (because the kernel |
118 | is old and does not support 32-bit user IDs), | |
3cc069d5 | 119 | it will return \-1 and set \fIerrno\fP to |
dc439d82 MK |
120 | .B EINVAL |
121 | without attempting | |
122 | the system call. | |
2dd578fd | 123 | .SH BUGS |
06e43089 MK |
124 | No error indications of any kind are returned to the caller, |
125 | and the fact that both successful and unsuccessful calls return | |
126 | the same value makes it impossible to directly determine | |
127 | whether the call succeeded or failed. | |
128 | Instead, the caller must resort to looking at the return value | |
129 | from a further call such as | |
130 | .IR setfsuid(\-1) | |
131 | (which will always fail), in order to determine if a preceding call to | |
132 | .BR setfsuid () | |
133 | changed the filesystem user ID. | |
2dd578fd MK |
134 | At the very |
135 | least, | |
136 | .B EPERM | |
137 | should be returned when the call fails (because the caller lacks the | |
138 | .B CAP_SETUID | |
139 | capability). | |
47297adb | 140 | .SH SEE ALSO |
fea681da MK |
141 | .BR kill (2), |
142 | .BR setfsgid (2), | |
53a1443c MK |
143 | .BR capabilities (7), |
144 | .BR credentials (7) |