/share/man/man9/ucred.9

https://bitbucket.org/freebsd/freebsd-head/ · Unknown · 236 lines · 236 code · 0 blank · 0 comment · 0 complexity · 83f8552efbe26d6756d2334dc52dc1c1 MD5 · raw file

  1. .\"
  2. .\" Copyright (C) 2001 Chad David <davidc@acns.ab.ca>. All rights reserved.
  3. .\"
  4. .\" Redistribution and use in source and binary forms, with or without
  5. .\" modification, are permitted provided that the following conditions
  6. .\" are met:
  7. .\" 1. Redistributions of source code must retain the above copyright
  8. .\" notice(s), this list of conditions and the following disclaimer as
  9. .\" the first lines of this file unmodified other than the possible
  10. .\" addition of one or more copyright notices.
  11. .\" 2. Redistributions in binary form must reproduce the above copyright
  12. .\" notice(s), this list of conditions and the following disclaimer in the
  13. .\" documentation and/or other materials provided with the distribution.
  14. .\"
  15. .\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY
  16. .\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  17. .\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  18. .\" DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY
  19. .\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  20. .\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  21. .\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  22. .\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  23. .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  24. .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
  25. .\" DAMAGE.
  26. .\"
  27. .\" $FreeBSD$
  28. .\"
  29. .Dd June 19, 2009
  30. .Dt UCRED 9
  31. .Os
  32. .Sh NAME
  33. .Nm ucred ,
  34. .Nm crget ,
  35. .Nm crhold ,
  36. .Nm crfree ,
  37. .Nm crshared ,
  38. .Nm crcopy ,
  39. .Nm crdup ,
  40. .Nm cru2x ,
  41. .Nm cred_update_thread
  42. .Nd "functions related to user credentials"
  43. .Sh SYNOPSIS
  44. .In sys/param.h
  45. .In sys/ucred.h
  46. .Ft "struct ucred *"
  47. .Fn crget void
  48. .Ft "struct ucred *"
  49. .Fn crhold "struct ucred *cr"
  50. .Ft void
  51. .Fn crfree "struct ucred *cr"
  52. .Ft int
  53. .Fn crshared "struct ucred *cr"
  54. .Ft void
  55. .Fn crcopy "struct ucred *dest" "struct ucred *src"
  56. .Ft "struct ucred *"
  57. .Fn crcopysafe "struct proc *p" "struct ucred *cr"
  58. .Ft "struct ucred *"
  59. .Fn crdup "struct ucred *cr"
  60. .Ft void
  61. .Fn crsetgroups "struct ucred *cr" "int ngrp" "gid_t *groups"
  62. .Ft void
  63. .Fn cru2x "struct ucred *cr" "struct xucred *xcr"
  64. .Ft void
  65. .Fn cred_update_thread "struct thread *td"
  66. .Sh DESCRIPTION
  67. The
  68. .Nm
  69. family of functions is used to manage user credential structures
  70. .Pq Vt "struct ucred"
  71. within the kernel.
  72. .Pp
  73. The
  74. .Fn crget
  75. function allocates memory
  76. for a new structure, sets its reference count to 1, and
  77. initializes its lock.
  78. .Pp
  79. The
  80. .Fn crhold
  81. function increases the reference count on the credential.
  82. .Pp
  83. The
  84. .Fn crfree
  85. function decreases the reference count on the credential.
  86. If the count drops to 0, the storage for the structure is freed.
  87. .Pp
  88. The
  89. .Fn crshared
  90. function returns true if the credential is shared.
  91. A credential is considered to be shared if its reference
  92. count is greater than one.
  93. .Pp
  94. The
  95. .Fn crcopy
  96. function copies the contents of the source (template)
  97. credential into the destination template.
  98. The
  99. .Vt uidinfo
  100. structure within the destination is referenced
  101. by calling
  102. .Xr uihold 9 .
  103. .Pp
  104. The
  105. .Fn crcopysafe
  106. function copies the current credential associated with the process
  107. .Fa p
  108. into the newly allocated credential
  109. .Fa cr .
  110. The process lock on
  111. .Fa p
  112. must be held and will be dropped and reacquired as needed to allocate
  113. group storage space in
  114. .Fa cr .
  115. .Pp
  116. The
  117. .Fn crdup
  118. function allocates memory for a new structure and copies the
  119. contents of
  120. .Fa cr
  121. into it.
  122. The actual copying is performed by
  123. .Fn crcopy .
  124. .Pp
  125. The
  126. .Fn crsetgroups
  127. function sets the
  128. .Va cr_groups
  129. and
  130. .Va cr_ngroups
  131. variables and allocates space as needed.
  132. It also truncates the group list to the current maximum number of
  133. groups.
  134. No other mechanism should be used to modify the
  135. .Va cr_groups
  136. array except for updating the primary group via assignment to
  137. .Va cr_groups[0] .
  138. .Pp
  139. The
  140. .Fn cru2x
  141. function converts a
  142. .Vt ucred
  143. structure to an
  144. .Vt xucred
  145. structure.
  146. That is,
  147. it copies data from
  148. .Fa cr
  149. to
  150. .Fa xcr ;
  151. it ignores fields in the former that are not present in the latter
  152. (e.g.,
  153. .Va cr_uidinfo ) ,
  154. and appropriately sets fields in the latter that are not present in
  155. the former
  156. (e.g.,
  157. .Va cr_version ) .
  158. .Pp
  159. The
  160. .Fn cred_update_thread
  161. function sets the credentials of
  162. .Fa td
  163. to that of its process, freeing its old credential if required.
  164. .Sh RETURN VALUES
  165. .Fn crget ,
  166. .Fn crhold ,
  167. .Fn crdup ,
  168. and
  169. .Fn crcopysafe
  170. all return a pointer to a
  171. .Vt ucred
  172. structure.
  173. .Pp
  174. .Fn crshared
  175. returns 0 if the credential has a reference count greater than 1;
  176. otherwise, 1 is returned.
  177. .Sh USAGE NOTES
  178. As of
  179. .Fx 5.0 ,
  180. the
  181. .Vt ucred
  182. structure contains extensible fields.
  183. This means that the correct protocol must always be followed to create
  184. a fresh and writable credential structure: new credentials must always
  185. be derived from existing credentials using
  186. .Fn crget ,
  187. .Fn crcopy ,
  188. and
  189. .Fn crcopysafe .
  190. .Pp
  191. In the common case, credentials required for access control decisions are
  192. used in a read-only manner.
  193. In these circumstances, the thread credential
  194. .Va td_ucred
  195. should be used, as it requires no locking to access safely, and remains stable
  196. for the duration of the call even in the face of a multi-threaded
  197. application changing the process credentials from another thread.
  198. .Pp
  199. During a process credential update, the process lock must be held across
  200. check and update, to prevent race conditions.
  201. The process credential,
  202. .Va td->td_proc->p_ucred ,
  203. must be used both for check and update.
  204. If a process credential is updated during a system call and checks against
  205. the thread credential are to be made later during the same system call,
  206. the thread credential must also be refreshed from the process credential
  207. so as to prevent use of a stale value.
  208. To avoid this scenario, it is recommended that system calls updating the
  209. process credential be designed to avoid other authorization functions.
  210. .Pp
  211. If temporarily elevated privileges are required for a thread, the thread
  212. credential can by replaced for the duration of an activity, or for
  213. the remainder of the system call.
  214. However, as a thread credential is often shared, appropriate care should be
  215. taken to make sure modifications are made to a writable credential
  216. through the use of
  217. .Fn crget
  218. and
  219. .Fn crcopy .
  220. .Pp
  221. Caution should be exercised when checking authorization for a thread or
  222. process perform an operation on another thread or process.
  223. As a result of temporary elevation, the target thread credential should
  224. .Em never
  225. be used as the target credential in an access control decision: the process
  226. credential associated with the thread,
  227. .Va td->td_proc->p_ucred ,
  228. should be used instead.
  229. For example,
  230. .Xr p_candebug 9
  231. accepts a target process, not a target thread, for access control purposes.
  232. .Sh SEE ALSO
  233. .Xr uihold 9
  234. .Sh AUTHORS
  235. This manual page was written by
  236. .An Chad David Aq davidc@acns.ab.ca .