xref: /freebsd/lib/libsys/setuid.2 (revision 1edb7116) 
1.\" Copyright (c) 1983, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. Neither the name of the University nor the names of its contributors
13.\"    may be used to endorse or promote products derived from this software
14.\"    without specific prior written permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.Dd December 15, 2015
29.Dt SETUID 2
30.Os
31.Sh NAME
32.Nm setuid ,
33.Nm seteuid ,
34.Nm setgid ,
35.Nm setegid
36.Nd set user and group ID
37.Sh LIBRARY
38.Lb libc
39.Sh SYNOPSIS
40.In unistd.h
41.Ft int
42.Fn setuid "uid_t uid"
43.Ft int
44.Fn seteuid "uid_t euid"
45.Ft int
46.Fn setgid "gid_t gid"
47.Ft int
48.Fn setegid "gid_t egid"
49.Sh DESCRIPTION
50The
51.Fn setuid
52system call
53sets the real and effective
54user IDs and the saved set-user-ID of the current process
55to the specified value.
56.\" Comment out next block for !_POSIX_SAVED_IDS
57.\" The real user ID and the saved set-user-ID are changed only if the
58.\" effective user ID is that of the super user.
59.\" I.e.
60.\" .Fn setuid
61.\" system call is equal to
62.\" .Fn seteuid
63.\" system call if the effective user ID is not that of the super user.
64.\" End of block
65The
66.Fn setuid
67system call is permitted if the specified ID is equal to the real user ID
68.\" Comment out next line for !_POSIX_SAVED_IDS
69.\" or the saved set-user-ID
70.\" Next line is for Appendix B.4.2.2 case.
71or the effective user ID
72of the process, or if the effective user ID is that of the super user.
73.Pp
74The
75.Fn setgid
76system call
77sets the real and effective
78group IDs and the saved set-group-ID of the current process
79to the specified value.
80.\" Comment out next block for !_POSIX_SAVED_IDS
81.\" The real group ID and the saved set-group-ID are changed only if the
82.\" effective user ID is that of the super user.
83.\" I.e.
84.\" .Fn setgid
85.\" system call is equal to
86.\" .Fn setegid
87.\" system call if the effective user ID is not that of the super user.
88.\" End of block
89The
90.Fn setgid
91system call is permitted if the specified ID is equal to the real group ID
92.\" Comment out next line for !_POSIX_SAVED_IDS
93.\" or the saved set-group-ID
94.\" Next line is for Appendix B.4.2.2 case.
95or the effective group ID
96of the process, or if the effective user ID is that of the super user.
97.Pp
98The
99.Fn seteuid
100system call
101.Pq Fn setegid
102sets the effective user ID (group ID) of the
103current process.
104The effective user ID may be set to the value
105of the real user ID or the saved set-user-ID (see
106.Xr intro 2
107and
108.Xr execve 2 ) ;
109in this way, the effective user ID of a set-user-ID executable
110may be toggled by switching to the real user ID, then re-enabled
111by reverting to the set-user-ID value.
112Similarly, the effective group ID may be set to the value
113of the real group ID or the saved set-group-ID.
114.Sh RETURN VALUES
115.Rv -std
116.Sh ERRORS
117The system calls will fail if:
118.Bl -tag -width Er
119.It Bq Er EPERM
120The user is not the super user and the ID
121specified is not the real, effective ID, or saved ID.
122.El
123.Sh SEE ALSO
124.Xr getgid 2 ,
125.Xr getuid 2 ,
126.Xr issetugid 2 ,
127.Xr setregid 2 ,
128.Xr setreuid 2
129.Sh STANDARDS
130The
131.Fn setuid
132and
133.Fn setgid
134system calls are compliant with the
135.St -p1003.1-90
136specification with
137.Li _POSIX_SAVED_IDS
138.\" Uncomment next line for !_POSIX_SAVED_IDS
139not
140defined with the permitted extensions from Appendix B.4.2.2.
141The
142.Fn seteuid
143and
144.Fn setegid
145system calls are extensions based on the
146.Tn POSIX
147concept of
148.Li _POSIX_SAVED_IDS ,
149and have been proposed for a future revision of the standard.
150.Sh HISTORY
151The
152.Fn setuid
153function appeared in
154.At v1 .
155The
156.Fn setgid
157function appeared in
158.At v4 .
159.Sh SECURITY CONSIDERATIONS
160Read and write permissions to files are determined upon a call to
161.Xr open 2 .
162Once a file descriptor is open, dropping privilege does not affect
163the process's read/write permissions, even if the user ID specified
164has no read or write permissions to the file.
165These files normally remain open in any new process executed,
166resulting in a user being able to read or modify
167potentially sensitive data.
168.Pp
169To prevent these files from remaining open after an
170.Xr exec 3
171call, be sure to set the close-on-exec flag:
172.Bd -literal
173void
174pseudocode(void)
175{
176	int fd;
177	/* ... */
178
179	fd = open("/path/to/sensitive/data", O_RDWR | O_CLOEXEC);
180	if (fd == -1)
181		err(1, "open");
182
183	/* ... */
184	execve(path, argv, environ);
185}
186.Ed
187