projects / thirdparty / man-pages.git / blame
| Commit | Line | Data |
|---|---|---|
| fea681da | 1 | .\" Copyright (C), 1994, Graeme W. Wilford (Wilf). |
| 84cb494f | 2 | .\" and Copyright (C) 2010, 2014, 2015, Michael Kerrisk <mtk.manpages@gmail.com> |
| fea681da | 3 | .\" |
| 5fbde956 | 4 | .\" SPDX-License-Identifier: Linux-man-pages-copyleft |
| fea681da | 5 | .\" |
| c13182ef | 6 | .\" Fri Jul 29th 12:56:44 BST 1994 Wilf. <G.Wilford@ee.surrey.ac.uk> |
| fea681da MK |
7 | .\" Changes inspired by patch from Richard Kettlewell |
| 8 | .\" <richard@greenend.org.uk>, aeb 970616. | |
| c11b1abf | 9 | .\" Modified, 27 May 2004, Michael Kerrisk <mtk.manpages@gmail.com> |
| fea681da | 10 | .\" Added notes on capability requirements |
| 1d767b55 | 11 | .TH SETUID 2 2021-03-22 "Linux" "Linux Programmer's Manual" |
| fea681da MK |
12 | .SH NAME |
| 13 | setuid \- set user identity | |
| d8c26a36 AC |
14 | .SH LIBRARY |
| 15 | Standard C library | |
| 8fc3b2cf | 16 | .RI ( libc ", " \-lc ) |
| fea681da | 17 | .SH SYNOPSIS |
| c7db92b9 | 18 | .nf |
| fea681da | 19 | .B #include <unistd.h> |
| 68e4db0a | 20 | .PP |
| fea681da | 21 | .BI "int setuid(uid_t " uid ); |
| c7db92b9 | 22 | .fi |
| fea681da | 23 | .SH DESCRIPTION |
| e511ffb6 | 24 | .BR setuid () |
| a1ffe9f5 | 25 | sets the effective user ID of the calling process. |
| c387fb9b | 26 | If the calling process is privileged |
| 7127bd53 | 27 | (more precisely: if the process has the |
| 1ae6b2c7 | 28 | .B CAP_SETUID |
| c387fb9b | 29 | capability in its user namespace), |
| d9df8ff8 | 30 | the real UID and saved set-user-ID are also set. |
| fea681da | 31 | .PP |
| c13182ef | 32 | Under Linux, |
| e511ffb6 | 33 | .BR setuid () |
| 8c4f34f8 MK |
34 | is implemented like the POSIX version with the |
| 35 | .B _POSIX_SAVED_IDS | |
| 36 | feature. | |
| 880f5b4b | 37 | This allows a set-user-ID (other than root) program to drop all of its user |
| 3b777aff | 38 | privileges, do some un-privileged work, and then reengage the original |
| fea681da MK |
39 | effective user ID in a secure manner. |
| 40 | .PP | |
| 880f5b4b | 41 | If the user is root or the program is set-user-ID-root, special care must be |
| defcd2c8 | 42 | taken: |
| e511ffb6 | 43 | .BR setuid () |
| defcd2c8 | 44 | checks the effective user ID of the caller and if it is |
| 28442c8f | 45 | the superuser, all process-related user ID's are set to |
| c13182ef | 46 | .IR uid . |
| fea681da MK |
47 | After this has occurred, it is impossible for the program to regain root |
| 48 | privileges. | |
| 49 | .PP | |
| 880f5b4b | 50 | Thus, a set-user-ID-root program wishing to temporarily drop root |
| 00b08db3 | 51 | privileges, assume the identity of an unprivileged user, and then regain |
| 5fab2e7c | 52 | root privileges afterward cannot use |
| e511ffb6 | 53 | .BR setuid (). |
| 821c0356 | 54 | You can accomplish this with |
| 0bfa087b | 55 | .BR seteuid (2). |
| 47297adb | 56 | .SH RETURN VALUE |
| c13182ef MK |
57 | On success, zero is returned. |
| 58 | On error, \-1 is returned, and | |
| fea681da | 59 | .I errno |
| f6a4078b | 60 | is set to indicate the error. |
| efeece04 | 61 | .PP |
| 7d8d165a MK |
62 | .IR Note : |
| 63 | there are cases where | |
| 64 | .BR setuid () | |
| 65 | can fail even when the caller is UID 0; | |
| 29d3bdc4 | 66 | it is a grave security error to omit checking for a failure return from |
| 7d8d165a | 67 | .BR setuid (). |
| fea681da MK |
68 | .SH ERRORS |
| 69 | .TP | |
| 70 | .B EAGAIN | |
| 25b2ea5f MK |
71 | The call would change the caller's real UID (i.e., |
| 72 | .I uid | |
| 73 | does not match the caller's real UID), | |
| 74 | but there was a temporary failure allocating the | |
| 75 | necessary kernel data structures. | |
| 76 | .TP | |
| 77 | .B EAGAIN | |
| fea681da | 78 | .I uid |
| 7a42bf02 MK |
79 | does not match the real user ID of the caller and this call would |
| 80 | bring the number of processes belonging to the real user ID | |
| fea681da | 81 | .I uid |
| 7a42bf02 | 82 | over the caller's |
| 0daa9e92 | 83 | .B RLIMIT_NPROC |
| 2f0af33b | 84 | resource limit. |
| c4fe0edf MK |
85 | Since Linux 3.1, this error case no longer occurs |
| 86 | (but robust applications should check for this error); | |
| 87 | see the description of | |
| 88 | .B EAGAIN | |
| 89 | in | |
| 90 | .BR execve (2). | |
| fea681da | 91 | .TP |
| 0076479c MK |
92 | .B EINVAL |
| 93 | The user ID specified in | |
| 94 | .I uid | |
| 95 | is not valid in this user namespace. | |
| 96 | .TP | |
| fea681da MK |
97 | .B EPERM |
| 98 | The user is not privileged (Linux: does not have the | |
| 99 | .B CAP_SETUID | |
| cd1c5b9d | 100 | capability in its user namespace) and |
| fea681da | 101 | .I uid |
| d9df8ff8 | 102 | does not match the real UID or saved set-user-ID of the calling process. |
| 47297adb | 103 | .SH CONFORMING TO |
| e06cd2b4 | 104 | POSIX.1-2001, POSIX.1-2008, SVr4. |
| 97c1eac8 | 105 | Not quite compatible with the 4.4BSD call, which |
| c13182ef | 106 | sets all of the real, saved, and effective user IDs. |
| 97c1eac8 | 107 | .\" SVr4 documents an additional EINVAL error condition. |
| 4fb31341 | 108 | .SH NOTES |
| 9ee4a2b6 | 109 | Linux has the concept of the filesystem user ID, normally equal to the |
| c13182ef MK |
110 | effective user ID. |
| 111 | The | |
| e511ffb6 | 112 | .BR setuid () |
| 9ee4a2b6 | 113 | call also sets the filesystem user ID of the calling process. |
| fea681da MK |
114 | See |
| 115 | .BR setfsuid (2). | |
| 116 | .PP | |
| 117 | If | |
| 118 | .I uid | |
| e6ce2419 | 119 | is different from the old effective UID, the process will |
| fea681da | 120 | be forbidden from leaving core dumps. |
| efeece04 | 121 | .PP |
| dd09a14e MK |
122 | The original Linux |
| 123 | .BR setuid () | |
| 124 | system call supported only 16-bit user IDs. | |
| c5662d5d | 125 | Subsequently, Linux 2.4 added |
| dd09a14e MK |
126 | .BR setuid32 () |
| 127 | supporting 32-bit IDs. | |
| 128 | The glibc | |
| 129 | .BR setuid () | |
| 130 | wrapper function transparently deals with the variation across kernel versions. | |
| 84cb494f | 131 | .\" |
| 0722a578 | 132 | .SS C library/kernel differences |
| 84cb494f MK |
133 | At the kernel level, user IDs and group IDs are a per-thread attribute. |
| 134 | However, POSIX requires that all threads in a process | |
| 135 | share the same credentials. | |
| 136 | The NPTL threading implementation handles the POSIX requirements by | |
| 137 | providing wrapper functions for | |
| 138 | the various system calls that change process UIDs and GIDs. | |
| 139 | These wrapper functions (including the one for | |
| 140 | .BR setuid ()) | |
| 141 | employ a signal-based technique to ensure | |
| 142 | that when one thread changes credentials, | |
| 143 | all of the other threads in the process also change their credentials. | |
| 144 | For details, see | |
| 145 | .BR nptl (7). | |
| 47297adb | 146 | .SH SEE ALSO |
| fea681da MK |
147 | .BR getuid (2), |
| 148 | .BR seteuid (2), | |
| 149 | .BR setfsuid (2), | |
| 150 | .BR setreuid (2), | |
| 53a1443c | 151 | .BR capabilities (7), |
| 0076479c | 152 | .BR credentials (7), |
| f58fb24f | 153 | .BR user_namespaces (7) |