]>
Commit | Line | Data |
---|---|---|
fea681da | 1 | .\" Copyright (C), 1994, Graeme W. Wilford (Wilf). |
84cb494f | 2 | .\" and Copyright (C) 2010, 2014, 2015, Michael Kerrisk <mtk.manpages@gmail.com> |
fea681da | 3 | .\" |
5fbde956 | 4 | .\" SPDX-License-Identifier: Linux-man-pages-copyleft |
fea681da | 5 | .\" |
c13182ef | 6 | .\" Fri Jul 29th 12:56:44 BST 1994 Wilf. <G.Wilford@ee.surrey.ac.uk> |
fea681da MK |
7 | .\" Changes inspired by patch from Richard Kettlewell |
8 | .\" <richard@greenend.org.uk>, aeb 970616. | |
c11b1abf | 9 | .\" Modified, 27 May 2004, Michael Kerrisk <mtk.manpages@gmail.com> |
fea681da | 10 | .\" Added notes on capability requirements |
1d767b55 | 11 | .TH SETUID 2 2021-03-22 "Linux" "Linux Programmer's Manual" |
fea681da MK |
12 | .SH NAME |
13 | setuid \- set user identity | |
d8c26a36 AC |
14 | .SH LIBRARY |
15 | Standard C library | |
8fc3b2cf | 16 | .RI ( libc ", " \-lc ) |
fea681da | 17 | .SH SYNOPSIS |
c7db92b9 | 18 | .nf |
fea681da | 19 | .B #include <unistd.h> |
68e4db0a | 20 | .PP |
fea681da | 21 | .BI "int setuid(uid_t " uid ); |
c7db92b9 | 22 | .fi |
fea681da | 23 | .SH DESCRIPTION |
e511ffb6 | 24 | .BR setuid () |
a1ffe9f5 | 25 | sets the effective user ID of the calling process. |
c387fb9b | 26 | If the calling process is privileged |
7127bd53 | 27 | (more precisely: if the process has the |
1ae6b2c7 | 28 | .B CAP_SETUID |
c387fb9b | 29 | capability in its user namespace), |
d9df8ff8 | 30 | the real UID and saved set-user-ID are also set. |
fea681da | 31 | .PP |
c13182ef | 32 | Under Linux, |
e511ffb6 | 33 | .BR setuid () |
8c4f34f8 MK |
34 | is implemented like the POSIX version with the |
35 | .B _POSIX_SAVED_IDS | |
36 | feature. | |
880f5b4b | 37 | This allows a set-user-ID (other than root) program to drop all of its user |
3b777aff | 38 | privileges, do some un-privileged work, and then reengage the original |
fea681da MK |
39 | effective user ID in a secure manner. |
40 | .PP | |
880f5b4b | 41 | If the user is root or the program is set-user-ID-root, special care must be |
defcd2c8 | 42 | taken: |
e511ffb6 | 43 | .BR setuid () |
defcd2c8 | 44 | checks the effective user ID of the caller and if it is |
28442c8f | 45 | the superuser, all process-related user ID's are set to |
c13182ef | 46 | .IR uid . |
fea681da MK |
47 | After this has occurred, it is impossible for the program to regain root |
48 | privileges. | |
49 | .PP | |
880f5b4b | 50 | Thus, a set-user-ID-root program wishing to temporarily drop root |
00b08db3 | 51 | privileges, assume the identity of an unprivileged user, and then regain |
5fab2e7c | 52 | root privileges afterward cannot use |
e511ffb6 | 53 | .BR setuid (). |
821c0356 | 54 | You can accomplish this with |
0bfa087b | 55 | .BR seteuid (2). |
47297adb | 56 | .SH RETURN VALUE |
c13182ef MK |
57 | On success, zero is returned. |
58 | On error, \-1 is returned, and | |
fea681da | 59 | .I errno |
f6a4078b | 60 | is set to indicate the error. |
efeece04 | 61 | .PP |
7d8d165a MK |
62 | .IR Note : |
63 | there are cases where | |
64 | .BR setuid () | |
65 | can fail even when the caller is UID 0; | |
29d3bdc4 | 66 | it is a grave security error to omit checking for a failure return from |
7d8d165a | 67 | .BR setuid (). |
fea681da MK |
68 | .SH ERRORS |
69 | .TP | |
70 | .B EAGAIN | |
25b2ea5f MK |
71 | The call would change the caller's real UID (i.e., |
72 | .I uid | |
73 | does not match the caller's real UID), | |
74 | but there was a temporary failure allocating the | |
75 | necessary kernel data structures. | |
76 | .TP | |
77 | .B EAGAIN | |
fea681da | 78 | .I uid |
7a42bf02 MK |
79 | does not match the real user ID of the caller and this call would |
80 | bring the number of processes belonging to the real user ID | |
fea681da | 81 | .I uid |
7a42bf02 | 82 | over the caller's |
0daa9e92 | 83 | .B RLIMIT_NPROC |
2f0af33b | 84 | resource limit. |
c4fe0edf MK |
85 | Since Linux 3.1, this error case no longer occurs |
86 | (but robust applications should check for this error); | |
87 | see the description of | |
88 | .B EAGAIN | |
89 | in | |
90 | .BR execve (2). | |
fea681da | 91 | .TP |
0076479c MK |
92 | .B EINVAL |
93 | The user ID specified in | |
94 | .I uid | |
95 | is not valid in this user namespace. | |
96 | .TP | |
fea681da MK |
97 | .B EPERM |
98 | The user is not privileged (Linux: does not have the | |
99 | .B CAP_SETUID | |
cd1c5b9d | 100 | capability in its user namespace) and |
fea681da | 101 | .I uid |
d9df8ff8 | 102 | does not match the real UID or saved set-user-ID of the calling process. |
47297adb | 103 | .SH CONFORMING TO |
e06cd2b4 | 104 | POSIX.1-2001, POSIX.1-2008, SVr4. |
97c1eac8 | 105 | Not quite compatible with the 4.4BSD call, which |
c13182ef | 106 | sets all of the real, saved, and effective user IDs. |
97c1eac8 | 107 | .\" SVr4 documents an additional EINVAL error condition. |
4fb31341 | 108 | .SH NOTES |
9ee4a2b6 | 109 | Linux has the concept of the filesystem user ID, normally equal to the |
c13182ef MK |
110 | effective user ID. |
111 | The | |
e511ffb6 | 112 | .BR setuid () |
9ee4a2b6 | 113 | call also sets the filesystem user ID of the calling process. |
fea681da MK |
114 | See |
115 | .BR setfsuid (2). | |
116 | .PP | |
117 | If | |
118 | .I uid | |
e6ce2419 | 119 | is different from the old effective UID, the process will |
fea681da | 120 | be forbidden from leaving core dumps. |
efeece04 | 121 | .PP |
dd09a14e MK |
122 | The original Linux |
123 | .BR setuid () | |
124 | system call supported only 16-bit user IDs. | |
c5662d5d | 125 | Subsequently, Linux 2.4 added |
dd09a14e MK |
126 | .BR setuid32 () |
127 | supporting 32-bit IDs. | |
128 | The glibc | |
129 | .BR setuid () | |
130 | wrapper function transparently deals with the variation across kernel versions. | |
84cb494f | 131 | .\" |
0722a578 | 132 | .SS C library/kernel differences |
84cb494f MK |
133 | At the kernel level, user IDs and group IDs are a per-thread attribute. |
134 | However, POSIX requires that all threads in a process | |
135 | share the same credentials. | |
136 | The NPTL threading implementation handles the POSIX requirements by | |
137 | providing wrapper functions for | |
138 | the various system calls that change process UIDs and GIDs. | |
139 | These wrapper functions (including the one for | |
140 | .BR setuid ()) | |
141 | employ a signal-based technique to ensure | |
142 | that when one thread changes credentials, | |
143 | all of the other threads in the process also change their credentials. | |
144 | For details, see | |
145 | .BR nptl (7). | |
47297adb | 146 | .SH SEE ALSO |
fea681da MK |
147 | .BR getuid (2), |
148 | .BR seteuid (2), | |
149 | .BR setfsuid (2), | |
150 | .BR setreuid (2), | |
53a1443c | 151 | .BR capabilities (7), |
0076479c | 152 | .BR credentials (7), |
f58fb24f | 153 | .BR user_namespaces (7) |