NAME
setuid - set user ID
SYNOPSIS
#include <unistd.h>
int setuid(uid_t uid);
DESCRIPTION
If the process has appropriate privileges, setuid() shall set the real
user ID, effective user ID, and the saved set-user-ID of the calling
process to uid.
If the process does not have appropriate privileges, but uid is equal
to the real user ID or the saved set-user-ID, setuid() shall set the
effective user ID to uid; the real user ID and saved set-user-ID shall
remain unchanged.
The setuid() function shall not affect the supplementary group list in
any way.
RETURN VALUE
Upon successful completion, 0 shall be returned. Otherwise, -1 shall be
returned and errno set to indicate the error.
ERRORS
The setuid() function shall fail, return -1, and set errno to the
corresponding value if one or more of the following are true:
EINVAL The value of the uid argument is invalid and not supported by
the implementation.
EPERM The process does not have appropriate privileges and uid does
not match the real user ID or the saved set-user-ID.
The following sections are informative.
EXAMPLES
None.
APPLICATION USAGE
None.
RATIONALE
The various behaviors of the setuid() and setgid() functions when
called by non-privileged processes reflect the behavior of different
historical implementations. For portability, it is recommended that new
non-privileged applications use the seteuid() and setegid() functions
instead.
The saved set-user-ID capability allows a program to regain the
effective user ID established at the last exec call. Similarly, the
saved set-group-ID capability allows a program to regain the effective
group ID established at the last exec call. These capabilities are
derived from System V. Without them, a program might have to run as
superuser in order to perform the same functions, because superuser can
write on the user’s files. This is a problem because such a program can
write on any user’s files, and so must be carefully written to emulate
the permissions of the calling process properly. In System V, these
capabilities have traditionally been implemented only via the setuid()
and setgid() functions for non-privileged processes. The fact that the
behavior of those functions was different for privileged processes made
them difficult to use. The POSIX.1-1990 standard defined the setuid()
function to behave differently for privileged and unprivileged users.
When the caller had the appropriate privilege, the function set the
calling process’ real user ID, effective user ID, and saved set-user ID
on implementations that supported it. When the caller did not have the
appropriate privilege, the function set only the effective user ID,
subject to permission checks. The former use is generally needed for
utilities like login and su, which are not conforming applications and
thus outside the scope of IEEE Std 1003.1-2001. These utilities wish
to change the user ID irrevocably to a new value, generally that of an
unprivileged user. The latter use is needed for conforming
applications that are installed with the set-user-ID bit and need to
perform operations using the real user ID.
IEEE Std 1003.1-2001 augments the latter functionality with a mandatory
feature named _POSIX_SAVED_IDS. This feature permits a set-user-ID
application to switch its effective user ID back and forth between the
values of its exec-time real user ID and effective user ID.
Unfortunately, the POSIX.1-1990 standard did not permit a conforming
application using this feature to work properly when it happened to be
executed with the (implementation-defined) appropriate privilege.
Furthermore, the application did not even have a means to tell whether
it had this privilege. Since the saved set-user-ID feature is quite
desirable for applications, as evidenced by the fact that NIST required
it in FIPS 151-2, it has been mandated by IEEE Std 1003.1-2001.
However, there are implementors who have been reluctant to support it
given the limitation described above.
The 4.3BSD system handles the problem by supporting separate functions:
setuid() (which always sets both the real and effective user IDs, like
setuid() in IEEE Std 1003.1-2001 for privileged users), and seteuid()
(which always sets just the effective user ID, like setuid() in
IEEE Std 1003.1-2001 for non-privileged users). This separation of
functionality into distinct functions seems desirable. 4.3BSD does not
support the saved set-user-ID feature. It supports similar
functionality of switching the effective user ID back and forth via
setreuid(), which permits reversing the real and effective user IDs.
This model seems less desirable than the saved set-user-ID because the
real user ID changes as a side effect. The current 4.4BSD includes
saved effective IDs and uses them for seteuid() and setegid() as
described above. The setreuid() and setregid() functions will be
deprecated or removed.
The solution here is:
* Require that all implementations support the functionality of the
saved set-user-ID, which is set by the exec functions and by
privileged calls to setuid().
* Add the seteuid() and setegid() functions as portable alternatives
to setuid() and setgid() for non-privileged and privileged
processes.
Historical systems have provided two mechanisms for a set-user-ID
process to change its effective user ID to be the same as its real user
ID in such a way that it could return to the original effective user
ID: the use of the setuid() function in the presence of a saved set-
user-ID, or the use of the BSD setreuid() function, which was able to
swap the real and effective user IDs. The changes included in
IEEE Std 1003.1-2001 provide a new mechanism using seteuid() in
conjunction with a saved set-user-ID. Thus, all implementations with
the new seteuid() mechanism will have a saved set-user-ID for each
process, and most of the behavior controlled by _POSIX_SAVED_IDS has
been changed to agree with the case where the option was defined. The
kill() function is an exception. Implementors of the new seteuid()
mechanism will generally be required to maintain compatibility with the
older mechanisms previously supported by their systems. However,
compatibility with this use of setreuid() and with the _POSIX_SAVED_IDS
behavior of kill() is unfortunately complicated. If an implementation
with a saved set-user-ID allows a process to use setreuid() to swap its
real and effective user IDs, but were to leave the saved set-user-ID
unmodified, the process would then have an effective user ID equal to
the original real user ID, and both real and saved set-user-ID would be
equal to the original effective user ID. In that state, the real user
would be unable to kill the process, even though the effective user ID
of the process matches that of the real user, if the kill() behavior of
_POSIX_SAVED_IDS was used. This is obviously not acceptable. The
alternative choice, which is used in at least one implementation, is to
change the saved set-user-ID to the effective user ID during most calls
to setreuid(). The standard developers considered that alternative to
be less correct than the retention of the old behavior of kill() in
such systems. Current conforming applications shall accommodate either
behavior from kill(), and there appears to be no strong reason for
kill() to check the saved set-user-ID rather than the effective user
ID.
FUTURE DIRECTIONS
None.
SEE ALSO
exec() , getegid() , geteuid() , getgid() , getuid() , setegid() ,
seteuid() , setgid() , setregid() , setreuid() , the Base Definitions
volume of IEEE Std 1003.1-2001, <sys/types.h>, <unistd.h>
COPYRIGHT
Portions of this text are reprinted and reproduced in electronic form
from IEEE Std 1003.1, 2003 Edition, Standard for Information Technology
-- Portable Operating System Interface (POSIX), The Open Group Base
Specifications Issue 6, Copyright (C) 2001-2003 by the Institute of
Electrical and Electronics Engineers, Inc and The Open Group. In the
event of any discrepancy between this version and the original IEEE and
The Open Group Standard, the original IEEE and The Open Group Standard
is the referee document. The original Standard can be obtained online
at http://www.opengroup.org/unix/online.html .