| .\" Copyright (C) 1995, Thomas K. Dyas <tdyas@eden.rutgers.edu> |
| .\" and Copyright (C) 2013, 2019, Michael Kerrisk <mtk.manpages@gmail.com> |
| .\" |
| .\" %%%LICENSE_START(VERBATIM) |
| .\" Permission is granted to make and distribute verbatim copies of this |
| .\" manual provided the copyright notice and this permission notice are |
| .\" preserved on all copies. |
| .\" |
| .\" Permission is granted to copy and distribute modified versions of this |
| .\" manual under the conditions for verbatim copying, provided that the |
| .\" entire resulting derived work is distributed under the terms of a |
| .\" permission notice identical to this one. |
| .\" |
| .\" Since the Linux kernel and libraries are constantly changing, this |
| .\" manual page may be incorrect or out-of-date. The author(s) assume no |
| .\" responsibility for errors or omissions, or for damages resulting from |
| .\" the use of the information contained herein. The author(s) may not |
| .\" have taken the same level of care in the production of this manual, |
| .\" which is licensed free of charge, as they might when working |
| .\" professionally. |
| .\" |
| .\" Formatted or processed versions of this manual, if unaccompanied by |
| .\" the source, must acknowledge the copyright and authors of this work. |
| .\" %%%LICENSE_END |
| .\" |
| .\" Created 1995-08-06 Thomas K. Dyas <tdyas@eden.rutgers.edu> |
| .\" Modified 2000-07-01 aeb |
| .\" Modified 2002-07-23 aeb |
| .\" Modified, 27 May 2004, Michael Kerrisk <mtk.manpages@gmail.com> |
| .\" Added notes on capability requirements |
| .\" |
| .TH SETFSUID 2 2017-09-15 "Linux" "Linux Programmer's Manual" |
| .SH NAME |
| setfsuid \- set user identity used for filesystem checks |
| .SH SYNOPSIS |
| .B #include <sys/fsuid.h> |
| .PP |
| .BI "int setfsuid(uid_t " fsuid ); |
| .SH DESCRIPTION |
| On Linux, a process has both a filesystem user ID and an effective user ID. |
| The (Linux-specific) filesystem user ID is used |
| for permissions checking when accessing filesystem objects, |
| while the effective user ID is used for various other kinds |
| of permissions checks (see |
| .BR credentials (7)). |
| .PP |
| Normally, the value of the process's filesystem user ID |
| is the same as the value of its effective user ID. |
| This is so, because whenever a process's effective user ID is changed, |
| the kernel also changes the filesystem user ID to be the same as |
| the new value of the effective user ID. |
| A process can cause the value of its filesystem user ID to diverge |
| from its effective user ID by using |
| .BR setfsuid () |
| to change its filesystem user ID to the value given in |
| .IR fsuid . |
| .PP |
| Explicit calls to |
| .BR setfsuid () |
| and |
| .BR setfsgid (2) |
| are (were) usually used only by programs such as the Linux NFS server that |
| need to change what user and group ID is used for file access without a |
| corresponding change in the real and effective user and group IDs. |
| A change in the normal user IDs for a program such as the NFS server |
| is (was) a security hole that can expose it to unwanted signals. |
| (However, this issue is historical; see below.) |
| .PP |
| .BR setfsuid () |
| will succeed only if the caller is the superuser or if |
| .I fsuid |
| matches either the caller's real user ID, effective user ID, |
| saved set-user-ID, or current filesystem user ID. |
| .SH RETURN VALUE |
| On both success and failure, |
| this call returns the previous filesystem user ID of the caller. |
| .SH VERSIONS |
| This system call is present in Linux since version 1.2. |
| .\" This system call is present since Linux 1.1.44 |
| .\" and in libc since libc 4.7.6. |
| .SH CONFORMING TO |
| .BR setfsuid () |
| is Linux-specific and should not be used in programs intended |
| to be portable. |
| .SH NOTES |
| At the time when this system call was introduced, one process |
| could send a signal to another process with the same effective user ID. |
| This meant that if a privileged process changed its effective user ID |
| for the purpose of file permission checking, |
| then it could become vulnerable to receiving signals |
| sent by another (unprivileged) process with the same user ID. |
| The filesystem user ID attribute was thus added to allow a process to |
| change its user ID for the purposes of file permission checking without |
| at the same time becoming vulnerable to receiving unwanted signals. |
| Since Linux 2.0, signal permission handling is different (see |
| .BR kill (2)), |
| with the result that a process change can change its effective user ID |
| without being vulnerable to receiving signals from unwanted processes. |
| Thus, |
| .BR setfsuid () |
| is nowadays unneeded and should be avoided in new applications |
| (likewise for |
| .BR setfsgid (2)). |
| .PP |
| The original Linux |
| .BR setfsuid () |
| system call supported only 16-bit user IDs. |
| Subsequently, Linux 2.4 added |
| .BR setfsuid32 () |
| supporting 32-bit IDs. |
| The glibc |
| .BR setfsuid () |
| wrapper function transparently deals with the variation across kernel versions. |
| .SS C library/kernel differences |
| In glibc 2.15 and earlier, |
| when the wrapper for this system call determines that the argument can't be |
| passed to the kernel without integer truncation (because the kernel |
| is old and does not support 32-bit user IDs), |
| it will return \-1 and set \fIerrno\fP to |
| .B EINVAL |
| without attempting |
| the system call. |
| .SH BUGS |
| No error indications of any kind are returned to the caller, |
| and the fact that both successful and unsuccessful calls return |
| the same value makes it impossible to directly determine |
| whether the call succeeded or failed. |
| Instead, the caller must resort to looking at the return value |
| from a further call such as |
| .IR setfsuid(\-1) |
| (which will always fail), in order to determine if a preceding call to |
| .BR setfsuid () |
| changed the filesystem user ID. |
| At the very |
| least, |
| .B EPERM |
| should be returned when the call fails (because the caller lacks the |
| .B CAP_SETUID |
| capability). |
| .SH SEE ALSO |
| .BR kill (2), |
| .BR setfsgid (2), |
| .BR capabilities (7), |
| .BR credentials (7) |