2 .\" Copyright (C) 2001 Chad David <davidc@acns.ab.ca>. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice(s), this list of conditions and the following disclaimer as
9 .\" the first lines of this file unmodified other than the possible
10 .\" addition of one or more copyright notices.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice(s), this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
15 .\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY
16 .\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17 .\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18 .\" DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY
19 .\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
20 .\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21 .\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
22 .\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
41 .Nm cred_update_thread
42 .Nd "functions related to user credentials"
49 .Fn crhold "struct ucred *cr"
51 .Fn crfree "struct ucred *cr"
53 .Fn crshared "struct ucred *cr"
55 .Fn crcopy "struct ucred *dest" "struct ucred *src"
57 .Fn crcopysafe "struct proc *p" "struct ucred *cr"
59 .Fn crdup "struct ucred *cr"
61 .Fn crsetgroups "struct ucred *cr" "int ngrp" "gid_t *groups"
63 .Fn cru2x "struct ucred *cr" "struct xucred *xcr"
65 .Fn cred_update_thread "struct thread *td"
69 family of functions is used to manage user credential structures
75 function allocates memory
76 for a new structure, sets its reference count to 1, and
81 function increases the reference count on the credential.
85 function decreases the reference count on the credential.
86 If the count drops to 0, the storage for the structure is freed.
90 function returns true if the credential is shared.
91 A credential is considered to be shared if its reference
92 count is greater than one.
96 function copies the contents of the source (template)
97 credential into the destination template.
100 structure within the destination is referenced
106 function copies the current credential associated with the process
108 into the newly allocated credential
112 must be held and will be dropped and reacquired as needed to allocate
113 group storage space in
118 function allocates memory for a new structure and copies the
122 The actual copying is performed by
131 variables and allocates space as needed.
132 It also truncates the group list to the current maximum number of
134 No other mechanism should be used to modify the
136 array except for updating the primary group via assignment to
151 it ignores fields in the former that are not present in the latter
154 and appropriately sets fields in the latter that are not present in
160 .Fn cred_update_thread
161 function sets the credentials of
163 to that of its process, freeing its old credential if required.
170 all return a pointer to a
175 returns 0 if the credential has a reference count greater than 1;
176 otherwise, 1 is returned.
182 structure contains extensible fields.
183 This means that the correct protocol must always be followed to create
184 a fresh and writable credential structure: new credentials must always
185 be derived from existing credentials using
191 In the common case, credentials required for access control decisions are
192 used in a read-only manner.
193 In these circumstances, the thread credential
195 should be used, as it requires no locking to access safely, and remains stable
196 for the duration of the call even in the face of a multi-threaded
197 application changing the process credentials from another thread.
199 During a process credential update, the process lock must be held across
200 check and update, to prevent race conditions.
201 The process credential,
202 .Va td->td_proc->p_ucred ,
203 must be used both for check and update.
204 If a process credential is updated during a system call and checks against
205 the thread credential are to be made later during the same system call,
206 the thread credential must also be refreshed from the process credential
207 so as to prevent use of a stale value.
208 To avoid this scenario, it is recommended that system calls updating the
209 process credential be designed to avoid other authorization functions.
211 If temporarily elevated privileges are required for a thread, the thread
212 credential can by replaced for the duration of an activity, or for
213 the remainder of the system call.
214 However, as a thread credential is often shared, appropriate care should be
215 taken to make sure modifications are made to a writable credential
221 Caution should be exercised when checking authorization for a thread or
222 process perform an operation on another thread or process.
223 As a result of temporary elevation, the target thread credential should
225 be used as the target credential in an access control decision: the process
226 credential associated with the thread,
227 .Va td->td_proc->p_ucred ,
228 should be used instead.
231 accepts a target process, not a target thread, for access control purposes.
235 This manual page was written by
236 .An Chad David Aq davidc@acns.ab.ca .