The following people contributed notes, ideas, or patches that have
been incorporated in changes in this release:
-### Andries Brouwer <Andries.Brouwer@cwi.nl>
+Andries Brouwer <Andries.Brouwer@cwi.nl>
### Joey (Martin) Schulze <joey@infodrom.org>
+Mike Frysinger <vapier@gentoo.org>
Apologies if I missed anyone!
Global changes
--------------
+The terms "set-user-ID" and "set-group-ID" are now used consistently
+(no abbreviations) accorss all manual pages.
+
Typographical or grammatical errors have been corrected in several
places.
Changes to individual pages
---------------------------
+
+stat.2
+ Mike Frysinger
+ Improve description of st_dev and st_rdev.
+ mtk
+ Various wording and formatting improvements.
who owns the file currently has for it (u), the permissions that other
users in the file's group have for it (g), and the permissions that
other users not in the file's group have for it (o).
-(Thus, `chmod g\-s file' removes the set-group-ID (sgid) bit,
-\&`chmod ug+s file' sets both the suid and sgid bits, while
+(Thus, `chmod g\-s file' removes the set-group-ID bit,
+\&`chmod ug+s file' sets both the set-user-ID and set-group-ID bits, while
\&`chmod o+s file' does nothing.)
.PP
The name of the `sticky bit' derives from the original meaning:
POSIX 1003.2 only requires the \-R option. Use of other options
may not be portable. This standard does not describe the 't' permission
bit. This standard does not specify whether \fBchmod\fP must preserve
-consistency by clearing or refusing to set the suid and sgid
+consistency by clearing or refusing to set the set-user-ID and set-group-ID
bits, e.g., when all execute bits are cleared, or whether \fBchmod\fP
honors the `s' bit at all.
.SH "NONSTANDARD MODES"
meaningless combinations of mode bits.
In particular, Linux, following System V (see
System V Interface Definition (SVID) Version 3),
-lets the sgid bit for files without group execute permission
-mark the file for mandatory locking. For more details, see
+uses the combination of having the set-group-ID bit enabled
+while group execute bit is disabled to mean that
+mandatory locking is enabled for the file.
+For more details, see
the file
.IR /usr/src/linux/Documentation/mandatory.txt .
.SH NOTES
.TP
.B \-p
Preserve the original files' owner, group, permissions
-(including the setuid and setgid bits), time of last modification
+(including the set-user-ID and set-group-ID bits), time of last modification
and time of last access.
-In case duplication of owner or group fails, the setuid and setgid
-bits are cleared.
+In case duplication of owner or group fails,
+the set-user-ID and set-group-ID bits are cleared.
(Note that afterwards source and copy may well have different
times of last access, since the copy operation is an access
to the source file.)
.RS
.TP
.B s
-If the setuid or setgid bit and the corresponding executable bit are
-both set.
+If the set-user-ID or set-group-ID bit and the corresponding
+executable bit are both set.
.TP
.B S
-If the setuid or setgid bit is set but the corresponding executable bit
-is not set.
+If the set-user-ID or set-group-ID bit is set
+but the corresponding executable bit is not set.
.TP
.B t
If the sticky bit and the other-executable bit are both set.
and then deleted.
.B mv
will copy modification time, access time, user and group ID, and mode
-if possible. When copying user and/or group ID fails, the setuid and
-setgid bits are cleared in the copy.
+if possible.
+When copying user and/or group ID fails, the set-user-ID and
+set-group-ID bits are cleared in the copy.
.SH "POSIX OPTIONS"
.TP
.B "\-f"
The check is done with the process's
.I real
UID and GID, rather than with the effective IDs as is done when
-actually attempting an operation. This is to allow set-UID programs to
+actually attempting an operation.
+This is to allow set-user-ID programs to
easily determine the invoking user's authority.
Only access bits are checked, not the file type or contents. Therefore, if
If the current program is being ptraced, a \fBSIGTRAP\fP is sent to it
after a successful \fBexecve()\fP.
-If the set-uid bit is set on the program file pointed to by
+If the set-user-ID bit is set on the program file pointed to by
\fIfilename\fP, and the calling process is not being ptraced,
then the effective user ID of the calling process is changed
-to that of the owner of the program file. Similarly, when the set-gid
+to that of the owner of the program file. Similarly, when the set-group-ID
bit of the program file is set the effective group ID of the calling
process is set to the group of the program file.
.BR mount (8))
for the file system containing the
file to be locked and enabled on the file itself (by disabling
-group execute permission on the file and enabling the set-GID
+group execute permission on the file and enabling the set-group-ID
permission bit).
Advisory locks are not enforced and are useful only between
.\" users cannot execute files uploaded using ftp or so.)
.TP
.B MS_NOSUID
-Do not honour set-UID and set-GID bits when executing
+Do not honour set-user-ID and set-group-ID bits when executing
programs from this file system.
-.\" (This is a security feature to prevent users executing set-UID and
-.\" set-GID programs from removable disk devices.)
+.\" (This is a security feature to prevent users executing set-user-ID and
+.\" set-group-ID programs from removable disk devices.)
.TP
.B MS_RDONLY
Mount file system read-only.
The original MS_SYNC flag was renamed MS_SYNCHRONOUS in 1.1.69
when a different MS_SYNC was added to <mman.h>.
.LP
-Before Linux 2.4 an attempt to execute a set-UID or set-GID program
+Before Linux 2.4 an attempt to execute a set-user-ID or set-group-ID program
on a filesystem mounted with
.B MS_NOSUID
would fail with
.BR EPERM .
-Since Linux 2.4 the set-UID and set-GID bits are just silently ignored
-in this case.
+Since Linux 2.4 the set-user-ID and set-group-ID bits are
+just silently ignored in this case.
.\" The change is in patch-2.4.0-prerelease.
.SH "SEE ALSO"
.BR path_resolution (2),
for this process upon delivery of a signal whose default behaviour is
to produce a core dump.
(Normally this flag is set for a process by default, but it is cleared
-when a set-UID or set-GID program is executed and also by various system
-calls that manipulate process UIDs and GIDs).
+when a set-user-ID or set-group-ID program is executed and also by
+various system calls that manipulate process UIDs and GIDs).
.I arg2
must be either 0 (process is not dumpable) or 1 (process is dumpable).
.TP
parent has insufficient privileges (the required capability is
.BR CAP_SYS_PTRACE );
non-root processes cannot trace processes that they
-cannot send signals to or those running setuid/setgid programs, for obvious
-reasons. Alternatively, the process may already be being traced, or be
+cannot send signals to or those running set-user-ID/set-group-ID programs,
+for obvious reasons.
+Alternatively, the process may already be being traced, or be
.BR init
(pid 1).
.TP
Under Linux,
.B setgid
is implemented like the POSIX version with the _POSIX_SAVED_IDS feature.
-This allows a setgid program that is not suid root to drop all of its group
+This allows a set-group-ID program that is not set-user-ID-root root
+to drop all of its group
privileges, do some un-privileged work, and then re-engage the original
effective group ID in a secure manner.
.SH "RETURN VALUE"
Under Linux,
.B setuid
is implemented like the POSIX version with the _POSIX_SAVED_IDS feature.
-This allows a setuid (other than root) program to drop all of its user
+This allows a set-user-ID (other than root) program to drop all of its user
privileges, do some un-privileged work, and then re-engage the original
effective user ID in a secure manner.
.PP
-If the user is root or the program is setuid root, special care must be
+If the user is root or the program is set-user-ID-root, special care must be
taken. The
.B setuid
function checks the effective user ID of the caller and if it is
After this has occurred, it is impossible for the program to regain root
privileges.
.PP
-Thus, a setuid-root program wishing to temporarily drop root
+Thus, a set-user-ID-root program wishing to temporarily drop root
privileges, assume the identity of a non-root user, and then regain
root privileges afterwards cannot use
.BR setuid .
Read-only file system.
.TP
.B ST_NOSUID
-Setuid/setgid bits are ignored by
+Set-user-ID/set-group-ID bits are ignored by
.BR exec (2).
.LP
The file pointer is not changed.
.LP
If the size changed, then the ctime and mtime fields for the file
-are updated, and suid and sgid mode bits may be cleared.
+are updated,
+and set-user-ID and set-group-ID permission bits may be cleared.
.LP
With
.BR ftruncate ,
.BR LD_LIBRARY_PATH
is defined to contain a colon-separated list of directories,
then these are searched.
-(As a security measure this variable is ignored for set-UID and
-set-GID programs.)
+(As a security measure this variable is ignored for set-user-ID and
+set-group-ID programs.)
.IP o
(ELF only) If the executable file for the calling program
contains a DT_RUNPATH tag, then the directories listed in that tag
.PP
These functions let your program identify positively the user who is
running (\fBcuserid\fP) or the user who logged in this session
-(\fBgetlogin\fP). (These can differ when setuid programs are
+(\fBgetlogin\fP). (These can differ when set-user-ID programs are
involved.)
.PP
For most purposes, it is more useful to use the environment variable
.SH NOTES
This is part of the Unix98 pty support, see
.BR pts (4).
-Many systems implement this function via a setuid helper binary
+Many systems implement this function via a set-user-ID helper binary
called "pt_chown". With Linux devpts no such helper binary is required.
.SH "SEE ALSO"
.BR open (2),
.PP
Do not use
.BR system ()
-from a program with set-UID or set-GID privileges,
+from a program with set-user-ID or set-group-ID privileges,
because strange values for some environment variables
might be used to subvert system integrity.
Use the
or
.BR execvp (3).
.BR system ()
-will not, in fact, work properly from programs with set-UID or set-GID
-privileges on systems on which
+will not, in fact, work properly from programs with set-user-ID or
+set-group-ID privileges on systems on which
.I /bin/sh
is bash version 2, since bash 2 drops privileges on startup.
(Debian uses a modified bash which does not do this when invoked as
.LP
.SH NOTES
SUSv2 does not mention the use of TMPDIR; glibc will use it only
-when the program is not suid.
+when the program is not set-user-ID.
SVID2 specifies that the directory used under (iv) is
.IR /tmp .
SVID2 specifies that the string returned by
(i.e., a limiting superset for the effective and inheritable sets).
If a process drops a capability from its permitted set,
it can never re-acquire that capability (unless it execs a
-set-UID-root program).
+set-user-ID-root program).
.TP
.IR inheritable :
the capabilities preserved across an
In the current implementation, a process is granted all permitted and
effective capabilities (subject to the operation of the
capability bounding set described below)
-when it execs a set-UID-root program,
+when it execs a set-user-ID-root program,
or if a process with a real UID of zero execs a new program.
.PP
A child created via
.IP 1. 4
All three file capability sets are initially assumed to be cleared.
.IP 2. 4
-If a set-UID-root program is being execed,
+If a set-user-ID-root program is being execed,
or the real user ID of the process is 0 (root)
then the file allowed and forced sets are defined to be all ones
(i.e., all capabilities set).
.IP 3. 4
-If a set-UID-root program is being executed,
+If a set-user-ID-root program is being executed,
then the file effective set is defined to be all ones.
.PP
During an exec, the kernel calculates the new capabilities of
it should have the same PID as the main thread.
.IP \- 3
Threads do not share user and group IDs.
-This can cause complications with set-UID programs and
+This can cause complications with set-user-ID programs and
can cause failures in Pthreads functions if an application
changes its credentials using
.BR seteuid (2)
.IP o
Using the environment variable
.BR LD_LIBRARY_PATH .
-Except if the executable is a setuid/setgid binary, in which case it
-is ignored.
+Except if the executable is a set-user-ID/set-group-ID binary,
+in which case it is ignored.
.IP o
(ELF only) Using the DT_RUNPATH dynamic section attribute
of the binary if present.
A whitespace-separated list of additional, user-specified, ELF shared
libraries to be loaded before all others.
This can be used to selectively override functions in other shared libraries.
-For setuid/setgid ELF binaries, only libraries in the standard search
-directories that are also setuid will be loaded.
+For set-user-ID/set-group-ID ELF binaries,
+only libraries in the standard search
+directories that are also set-user-ID will be loaded.
.TP
.B LD_BIND_NOW
(libc5; glibc since 2.1.1)
File where
.B LD_DEBUG
output should be fed into, default is standard output.
-LD_DEBUG_OUTPUT is ignored for setuid/setgid binaries.
+LD_DEBUG_OUTPUT is ignored for set-user-ID/set-group-ID binaries.
.TP
.B LD_VERBOSE
(glibc since 2.1)
File where
.B LD_PROFILE
output should be stored, default is standard output.
-LD_DEBUG_OUTPUT is ignored for setuid/setgid binaries.
+LD_DEBUG_OUTPUT is ignored for set-user-ID/set-group-ID binaries.
.TP
.B LD_AOUT_LIBRARY_PATH
(libc5)
.TP
.B LD_ORIGIN_PATH
(glibc since 2.1)
-Path where the binary is found (for non-setuid programs).
+Path where the binary is found (for non-set-user-ID programs).
.TP
.B LD_DYNAMIC_WEAK
(glibc since 2.1.91)