[thirdparty/man-pages.git] / man2 / setuid.2

.\" Copyright (C), 1994, Graeme W. Wilford (Wilf).
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date.  The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein.  The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.\" Fri Jul 29th 12:56:44 BST 1994  Wilf. <G.Wilford@ee.surrey.ac.uk>
.\" Changes inspired by patch from Richard Kettlewell
.\"   <richard@greenend.org.uk>, aeb 970616.
.\" Modified, 27 May 2004, Michael Kerrisk <mtk.manpages@gmail.com>
.\"     Added notes on capability requirements
.TH SETUID 2 2010-11-22 "Linux" "Linux Programmer's Manual"
.SH NAME
setuid \- set user identity
.SH SYNOPSIS
.B #include <sys/types.h>
.br
.B #include <unistd.h>
.sp
.BI "int setuid(uid_t " uid );
.SH DESCRIPTION
.BR setuid ()
sets the effective user ID of the calling process.
If the effective UID of the caller is root,
the real UID and saved set-user-ID are also set.
.PP
Under Linux,
.BR setuid ()
is implemented like the POSIX version with the
.B _POSIX_SAVED_IDS
feature.
This allows a set-user-ID (other than root) program to drop all of its user
privileges, do some un-privileged work, and then reengage the original
effective user ID in a secure manner.
.PP
If the user is root or the program is set-user-ID-root, special care must be
taken.
The
.BR setuid ()
function checks the effective user ID of the caller and if it is
the superuser, all process-related user ID's are set to
.IR uid .
After this has occurred, it is impossible for the program to regain root
privileges.
.PP
Thus, a set-user-ID-root program wishing to temporarily drop root
privileges, assume the identity of an unprivileged user, and then regain
root privileges afterward cannot use
.BR setuid ().
You can accomplish this with
.BR seteuid (2).
.SH RETURN VALUE
On success, zero is returned.
On error, \-1 is returned, and
.I errno
is set appropriately.

.IR Note :
there are cases where
.BR setuid ()
can fail even when the caller is UID 0;
it is a grave security error to omit checking for a failure return from
.BR setuid ().
.SH ERRORS
.TP
.B EAGAIN
The call would change the caller's real UID (i.e.,
.I uid
does not match the caller's real UID),
but there was a temporary failure allocating the
necessary kernel data structures.
.TP
.B EAGAIN
.I uid
does not match the real user ID of the caller and this call would
bring the number of processes belonging to the real user ID
.I uid
over the caller's
.B RLIMIT_NPROC
resource limit.
Since Linux 3.1, this error case no longer occurs
(but robust applications should check for this error);
see the description of
.B EAGAIN
in
.BR execve (2).
.TP
.B EPERM
The user is not privileged (Linux: does not have the
.B CAP_SETUID
capability) and
.I uid
does not match the real UID or saved set-user-ID of the calling process.
.SH CONFORMING TO
SVr4, POSIX.1-2001.
Not quite compatible with the 4.4BSD call, which
sets all of the real, saved, and effective user IDs.
.\" SVr4 documents an additional EINVAL error condition.
.SH NOTES
Linux has the concept of the filesystem user ID, normally equal to the
effective user ID.
The
.BR setuid ()
call also sets the filesystem user ID of the calling process.
See
.BR setfsuid (2).
.PP
If
.I uid
is different from the old effective UID, the process will
be forbidden from leaving core dumps.

The original Linux
.BR setuid ()
system call supported only 16-bit user IDs.
Subsequently, Linux 2.4 added
.BR setuid32 ()
supporting 32-bit IDs.
The glibc
.BR setuid ()
wrapper function transparently deals with the variation across kernel versions.
.SH SEE ALSO
.BR getuid (2),
.BR seteuid (2),
.BR setfsuid (2),
.BR setreuid (2),
.BR capabilities (7),
.BR credentials (7)
Commit	Line	Data
fea681da MK	1	.\" Copyright (C), 1994, Graeme W. Wilford (Wilf).
fea681da MK	2	.\"
93015253	3	.\" %%%LICENSE_START(VERBATIM)
fea681da MK	4	.\" Permission is granted to make and distribute verbatim copies of this
	5	.\" manual provided the copyright notice and this permission notice are
	6	.\" preserved on all copies.
	7	.\"
	8	.\" Permission is granted to copy and distribute modified versions of this
	9	.\" manual under the conditions for verbatim copying, provided that the
	10	.\" entire resulting derived work is distributed under the terms of a
	11	.\" permission notice identical to this one.
c13182ef	12	.\"
fea681da MK	13	.\" Since the Linux kernel and libraries are constantly changing, this
	14	.\" manual page may be incorrect or out-of-date. The author(s) assume no
	15	.\" responsibility for errors or omissions, or for damages resulting from
	16	.\" the use of the information contained herein. The author(s) may not
	17	.\" have taken the same level of care in the production of this manual,
	18	.\" which is licensed free of charge, as they might when working
	19	.\" professionally.
c13182ef	20	.\"
fea681da MK	21	.\" Formatted or processed versions of this manual, if unaccompanied by
fea681da MK	22	.\" the source, must acknowledge the copyright and authors of this work.
4b72fb64	23	.\" %%%LICENSE_END
fea681da	24	.\"
c13182ef	25	.\" Fri Jul 29th 12:56:44 BST 1994 Wilf. <G.Wilford@ee.surrey.ac.uk>
fea681da MK	26	.\" Changes inspired by patch from Richard Kettlewell
fea681da MK	27	.\" <richard@greenend.org.uk>, aeb 970616.
c11b1abf	28	.\" Modified, 27 May 2004, Michael Kerrisk <mtk.manpages@gmail.com>
fea681da	29	.\" Added notes on capability requirements
e6ce2419	30	.TH SETUID 2 2010-11-22 "Linux" "Linux Programmer's Manual"
fea681da MK	31	.SH NAME
	32	setuid \- set user identity
	33	.SH SYNOPSIS
	34	.B #include <sys/types.h>
	35	.br
	36	.B #include <unistd.h>
	37	.sp
	38	.BI "int setuid(uid_t " uid );
	39	.SH DESCRIPTION
e511ffb6	40	.BR setuid ()
a1ffe9f5	41	sets the effective user ID of the calling process.
d9df8ff8 MK	42	If the effective UID of the caller is root,
d9df8ff8 MK	43	the real UID and saved set-user-ID are also set.
fea681da	44	.PP
c13182ef	45	Under Linux,
e511ffb6	46	.BR setuid ()
8c4f34f8 MK	47	is implemented like the POSIX version with the
	48	.B _POSIX_SAVED_IDS
	49	feature.
880f5b4b	50	This allows a set-user-ID (other than root) program to drop all of its user
3b777aff	51	privileges, do some un-privileged work, and then reengage the original
fea681da MK	52	effective user ID in a secure manner.
fea681da MK	53	.PP
880f5b4b	54	If the user is root or the program is set-user-ID-root, special care must be
c13182ef MK	55	taken.
c13182ef MK	56	The
e511ffb6	57	.BR setuid ()
d3c8b3e9	58	function checks the effective user ID of the caller and if it is
28442c8f	59	the superuser, all process-related user ID's are set to
c13182ef	60	.IR uid .
fea681da MK	61	After this has occurred, it is impossible for the program to regain root
	62	privileges.
	63	.PP
880f5b4b	64	Thus, a set-user-ID-root program wishing to temporarily drop root
00b08db3	65	privileges, assume the identity of an unprivileged user, and then regain
5fab2e7c	66	root privileges afterward cannot use
e511ffb6	67	.BR setuid ().
821c0356	68	You can accomplish this with
0bfa087b	69	.BR seteuid (2).
47297adb	70	.SH RETURN VALUE
c13182ef MK	71	On success, zero is returned.
c13182ef MK	72	On error, \-1 is returned, and
fea681da MK	73	.I errno
fea681da MK	74	is set appropriately.
7d8d165a MK	75
	76	.IR Note :
	77	there are cases where
	78	.BR setuid ()
	79	can fail even when the caller is UID 0;
29d3bdc4	80	it is a grave security error to omit checking for a failure return from
7d8d165a	81	.BR setuid ().
fea681da MK	82	.SH ERRORS
	83	.TP
	84	.B EAGAIN
25b2ea5f MK	85	The call would change the caller's real UID (i.e.,
	86	.I uid
	87	does not match the caller's real UID),
	88	but there was a temporary failure allocating the
	89	necessary kernel data structures.
	90	.TP
	91	.B EAGAIN
fea681da	92	.I uid
7a42bf02 MK	93	does not match the real user ID of the caller and this call would
7a42bf02 MK	94	bring the number of processes belonging to the real user ID
fea681da	95	.I uid
7a42bf02	96	over the caller's
0daa9e92	97	.B RLIMIT_NPROC
2f0af33b	98	resource limit.
c4fe0edf MK	99	Since Linux 3.1, this error case no longer occurs
	100	(but robust applications should check for this error);
	101	see the description of
	102	.B EAGAIN
	103	in
	104	.BR execve (2).
fea681da MK	105	.TP
	106	.B EPERM
	107	The user is not privileged (Linux: does not have the
	108	.B CAP_SETUID
	109	capability) and
	110	.I uid
d9df8ff8	111	does not match the real UID or saved set-user-ID of the calling process.
47297adb	112	.SH CONFORMING TO
c13182ef	113	SVr4, POSIX.1-2001.
97c1eac8	114	Not quite compatible with the 4.4BSD call, which
c13182ef	115	sets all of the real, saved, and effective user IDs.
97c1eac8	116	.\" SVr4 documents an additional EINVAL error condition.
4fb31341	117	.SH NOTES
9ee4a2b6	118	Linux has the concept of the filesystem user ID, normally equal to the
c13182ef MK	119	effective user ID.
c13182ef MK	120	The
e511ffb6	121	.BR setuid ()
9ee4a2b6	122	call also sets the filesystem user ID of the calling process.
fea681da MK	123	See
	124	.BR setfsuid (2).
	125	.PP
	126	If
	127	.I uid
e6ce2419	128	is different from the old effective UID, the process will
fea681da	129	be forbidden from leaving core dumps.
dd09a14e MK	130
	131	The original Linux
	132	.BR setuid ()
	133	system call supported only 16-bit user IDs.
c5662d5d	134	Subsequently, Linux 2.4 added
dd09a14e MK	135	.BR setuid32 ()
	136	supporting 32-bit IDs.
	137	The glibc
	138	.BR setuid ()
	139	wrapper function transparently deals with the variation across kernel versions.
47297adb	140	.SH SEE ALSO
fea681da MK	141	.BR getuid (2),
	142	.BR seteuid (2),
	143	.BR setfsuid (2),
	144	.BR setreuid (2),
53a1443c MK	145	.BR capabilities (7),
53a1443c MK	146	.BR credentials (7)