1.\" 2.\" Copyright (C) 2001 Chad David <davidc@acns.ab.ca>. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice(s), this list of conditions and the following disclaimer as 9.\" the first lines of this file unmodified other than the possible 10.\" addition of one or more copyright notices. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice(s), this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY 16.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18.\" DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY 19.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 21.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 22.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 25.\" DAMAGE. 26.\" 27.\" $FreeBSD$ 28.\" 29.Dd January 23, 2019 30.Dt UCRED 9 31.Os 32.Sh NAME 33.Nm ucred , 34.Nm crget , 35.Nm crhold , 36.Nm crfree , 37.Nm crcopy , 38.Nm crdup , 39.Nm cru2x 40.Nd "functions related to user credentials" 41.Sh SYNOPSIS 42.In sys/param.h 43.In sys/ucred.h 44.Ft "struct ucred *" 45.Fn crget void 46.Ft "struct ucred *" 47.Fn crhold "struct ucred *cr" 48.Ft void 49.Fn crfree "struct ucred *cr" 50.Ft void 51.Fn crcopy "struct ucred *dest" "struct ucred *src" 52.Ft "struct ucred *" 53.Fn crcopysafe "struct proc *p" "struct ucred *cr" 54.Ft "struct ucred *" 55.Fn crdup "struct ucred *cr" 56.Ft void 57.Fn crsetgroups "struct ucred *cr" "int ngrp" "gid_t *groups" 58.Ft void 59.Fn cru2x "struct ucred *cr" "struct xucred *xcr" 60.Sh DESCRIPTION 61The 62.Nm 63family of functions is used to manage user credential structures 64.Pq Vt "struct ucred" 65within the kernel. 66.Pp 67The 68.Fn crget 69function allocates memory 70for a new structure, sets its reference count to 1, and 71initializes its lock. 72.Pp 73The 74.Fn crhold 75function increases the reference count on the credential. 76.Pp 77The 78.Fn crfree 79function decreases the reference count on the credential. 80If the count drops to 0, the storage for the structure is freed. 81.Pp 82The 83.Fn crcopy 84function copies the contents of the source (template) 85credential into the destination template. 86The 87.Vt uidinfo 88structure within the destination is referenced 89by calling 90.Xr uihold 9 . 91.Pp 92The 93.Fn crcopysafe 94function copies the current credential associated with the process 95.Fa p 96into the newly allocated credential 97.Fa cr . 98The process lock on 99.Fa p 100must be held and will be dropped and reacquired as needed to allocate 101group storage space in 102.Fa cr . 103.Pp 104The 105.Fn crdup 106function allocates memory for a new structure and copies the 107contents of 108.Fa cr 109into it. 110The actual copying is performed by 111.Fn crcopy . 112.Pp 113The 114.Fn crsetgroups 115function sets the 116.Va cr_groups 117and 118.Va cr_ngroups 119variables and allocates space as needed. 120It also truncates the group list to the current maximum number of 121groups. 122No other mechanism should be used to modify the 123.Va cr_groups 124array except for updating the primary group via assignment to 125.Va cr_groups[0] . 126.Pp 127The 128.Fn cru2x 129function converts a 130.Vt ucred 131structure to an 132.Vt xucred 133structure. 134That is, 135it copies data from 136.Fa cr 137to 138.Fa xcr ; 139it ignores fields in the former that are not present in the latter 140(e.g., 141.Va cr_uidinfo ) , 142and appropriately sets fields in the latter that are not present in 143the former 144(e.g., 145.Va cr_version ) . 146.Pp 147.Sh RETURN VALUES 148.Fn crget , 149.Fn crhold , 150.Fn crdup , 151and 152.Fn crcopysafe 153all return a pointer to a 154.Vt ucred 155structure. 156.Sh USAGE NOTES 157As of 158.Fx 5.0 , 159the 160.Vt ucred 161structure contains extensible fields. 162This means that the correct protocol must always be followed to create 163a fresh and writable credential structure: new credentials must always 164be derived from existing credentials using 165.Fn crget , 166.Fn crcopy , 167and 168.Fn crcopysafe . 169.Pp 170In the common case, credentials required for access control decisions are 171used in a read-only manner. 172In these circumstances, the thread credential 173.Va td_ucred 174should be used, as it requires no locking to access safely, and remains stable 175for the duration of the call even in the face of a multi-threaded 176application changing the process credentials from another thread. 177.Pp 178During a process credential update, the process lock must be held across 179check and update, to prevent race conditions. 180The process credential, 181.Va td->td_proc->p_ucred , 182must be used both for check and update. 183If a process credential is updated during a system call and checks against 184the thread credential are to be made later during the same system call, 185the thread credential must also be refreshed from the process credential 186so as to prevent use of a stale value. 187To avoid this scenario, it is recommended that system calls updating the 188process credential be designed to avoid other authorization functions. 189.Pp 190If temporarily elevated privileges are required for a thread, the thread 191credential can by replaced for the duration of an activity, or for 192the remainder of the system call. 193However, as a thread credential is often shared, appropriate care should be 194taken to make sure modifications are made to a writable credential 195through the use of 196.Fn crget 197and 198.Fn crcopy . 199.Pp 200Caution should be exercised when checking authorization for a thread or 201process perform an operation on another thread or process. 202As a result of temporary elevation, the target thread credential should 203.Em never 204be used as the target credential in an access control decision: the process 205credential associated with the thread, 206.Va td->td_proc->p_ucred , 207should be used instead. 208For example, 209.Xr p_candebug 9 210accepts a target process, not a target thread, for access control purposes. 211.Sh SEE ALSO 212.Xr uihold 9 213.Sh AUTHORS 214This manual page was written by 215.An Chad David Aq Mt davidc@acns.ab.ca . 216