| .\" Copyright (C), 1994, Graeme W. Wilford (Wilf). |
| .\" and Copyright (C) 2010, 2014, 2015, Michael Kerrisk <mtk.manpages@gmail.com> |
| .\" |
| .\" %%%LICENSE_START(VERBATIM) |
| .\" Permission is granted to make and distribute verbatim copies of this |
| .\" manual provided the copyright notice and this permission notice are |
| .\" preserved on all copies. |
| .\" |
| .\" Permission is granted to copy and distribute modified versions of this |
| .\" manual under the conditions for verbatim copying, provided that the |
| .\" entire resulting derived work is distributed under the terms of a |
| .\" permission notice identical to this one. |
| .\" |
| .\" Since the Linux kernel and libraries are constantly changing, this |
| .\" manual page may be incorrect or out-of-date. The author(s) assume no |
| .\" responsibility for errors or omissions, or for damages resulting from |
| .\" the use of the information contained herein. The author(s) may not |
| .\" have taken the same level of care in the production of this manual, |
| .\" which is licensed free of charge, as they might when working |
| .\" professionally. |
| .\" |
| .\" Formatted or processed versions of this manual, if unaccompanied by |
| .\" the source, must acknowledge the copyright and authors of this work. |
| .\" %%%LICENSE_END |
| .\" |
| .\" Fri Jul 29th 12:56:44 BST 1994 Wilf. <G.Wilford@ee.surrey.ac.uk> |
| .\" Changes inspired by patch from Richard Kettlewell |
| .\" <richard@greenend.org.uk>, aeb 970616. |
| .\" Modified, 27 May 2004, Michael Kerrisk <mtk.manpages@gmail.com> |
| .\" Added notes on capability requirements |
| .TH SETUID 2 2017-09-15 "Linux" "Linux Programmer's Manual" |
| .SH NAME |
| setuid \- set user identity |
| .SH SYNOPSIS |
| .B #include <sys/types.h> |
| .br |
| .B #include <unistd.h> |
| .PP |
| .BI "int setuid(uid_t " uid ); |
| .SH DESCRIPTION |
| .BR setuid () |
| sets the effective user ID of the calling process. |
| If the calling process is privileged |
| (more precisely: if the process has the |
| .BR CAP_SETUID |
| capability in its user namespace), |
| the real UID and saved set-user-ID are also set. |
| .PP |
| Under Linux, |
| .BR setuid () |
| is implemented like the POSIX version with the |
| .B _POSIX_SAVED_IDS |
| feature. |
| This allows a set-user-ID (other than root) program to drop all of its user |
| privileges, do some un-privileged work, and then reengage the original |
| effective user ID in a secure manner. |
| .PP |
| If the user is root or the program is set-user-ID-root, special care must be |
| taken: |
| .BR setuid () |
| checks the effective user ID of the caller and if it is |
| the superuser, all process-related user ID's are set to |
| .IR uid . |
| After this has occurred, it is impossible for the program to regain root |
| privileges. |
| .PP |
| Thus, a set-user-ID-root program wishing to temporarily drop root |
| privileges, assume the identity of an unprivileged user, and then regain |
| root privileges afterward cannot use |
| .BR setuid (). |
| You can accomplish this with |
| .BR seteuid (2). |
| .SH RETURN VALUE |
| On success, zero is returned. |
| On error, \-1 is returned, and |
| .I errno |
| is set appropriately. |
| .PP |
| .IR Note : |
| there are cases where |
| .BR setuid () |
| can fail even when the caller is UID 0; |
| it is a grave security error to omit checking for a failure return from |
| .BR setuid (). |
| .SH ERRORS |
| .TP |
| .B EAGAIN |
| The call would change the caller's real UID (i.e., |
| .I uid |
| does not match the caller's real UID), |
| but there was a temporary failure allocating the |
| necessary kernel data structures. |
| .TP |
| .B EAGAIN |
| .I uid |
| does not match the real user ID of the caller and this call would |
| bring the number of processes belonging to the real user ID |
| .I uid |
| over the caller's |
| .B RLIMIT_NPROC |
| resource limit. |
| Since Linux 3.1, this error case no longer occurs |
| (but robust applications should check for this error); |
| see the description of |
| .B EAGAIN |
| in |
| .BR execve (2). |
| .TP |
| .B EINVAL |
| The user ID specified in |
| .I uid |
| is not valid in this user namespace. |
| .TP |
| .B EPERM |
| The user is not privileged (Linux: does not have the |
| .B CAP_SETUID |
| capability) and |
| .I uid |
| does not match the real UID or saved set-user-ID of the calling process. |
| .SH CONFORMING TO |
| POSIX.1-2001, POSIX.1-2008, SVr4. |
| Not quite compatible with the 4.4BSD call, which |
| sets all of the real, saved, and effective user IDs. |
| .\" SVr4 documents an additional EINVAL error condition. |
| .SH NOTES |
| Linux has the concept of the filesystem user ID, normally equal to the |
| effective user ID. |
| The |
| .BR setuid () |
| call also sets the filesystem user ID of the calling process. |
| See |
| .BR setfsuid (2). |
| .PP |
| If |
| .I uid |
| is different from the old effective UID, the process will |
| be forbidden from leaving core dumps. |
| .PP |
| The original Linux |
| .BR setuid () |
| system call supported only 16-bit user IDs. |
| Subsequently, Linux 2.4 added |
| .BR setuid32 () |
| supporting 32-bit IDs. |
| The glibc |
| .BR setuid () |
| wrapper function transparently deals with the variation across kernel versions. |
| .\" |
| .SS C library/kernel differences |
| At the kernel level, user IDs and group IDs are a per-thread attribute. |
| However, POSIX requires that all threads in a process |
| share the same credentials. |
| The NPTL threading implementation handles the POSIX requirements by |
| providing wrapper functions for |
| the various system calls that change process UIDs and GIDs. |
| These wrapper functions (including the one for |
| .BR setuid ()) |
| employ a signal-based technique to ensure |
| that when one thread changes credentials, |
| all of the other threads in the process also change their credentials. |
| For details, see |
| .BR nptl (7). |
| .SH SEE ALSO |
| .BR getuid (2), |
| .BR seteuid (2), |
| .BR setfsuid (2), |
| .BR setreuid (2), |
| .BR capabilities (7), |
| .BR credentials (7), |
| .BR user_namespaces (7) |