1SETFSUID(2)                Linux Programmer's Manual               SETFSUID(2)
2
3
4

NAME

6       setfsuid - set user identity used for filesystem checks
7

SYNOPSIS

9       #include <sys/fsuid.h>
10
11       int setfsuid(uid_t fsuid);
12

DESCRIPTION

14       The system call setfsuid() changes the value of the caller's filesystem
15       user ID—the user ID that  the  Linux  kernel  uses  to  check  for  all
16       accesses to the filesystem.  Normally, the value of the filesystem user
17       ID will shadow the value of the effective user ID.  In  fact,  whenever
18       the  effective  user ID is changed, the filesystem user ID will also be
19       changed to the new value of the effective user ID.
20
21       Explicit calls to setfsuid() and setfsgid(2) are usually used  only  by
22       programs such as the Linux NFS server that need to change what user and
23       group ID is used for file access without a corresponding change in  the
24       real and effective user and group IDs.  A change in the normal user IDs
25       for a program such as the NFS server is a security hole that can expose
26       it to unwanted signals.  (But see below.)
27
28       setfsuid() will succeed only if the caller is the superuser or if fsuid
29       matches either the caller's real user ID, effective user ID, saved set-
30       user-ID, or current filesystem user ID.
31

RETURN VALUE

33       On  both success and failure, this call returns the previous filesystem
34       user ID of the caller.
35

VERSIONS

37       This system call is present in Linux since version 1.2.
38

CONFORMING TO

40       setfsuid() is  Linux-specific  and  should  not  be  used  in  programs
41       intended to be portable.
42

NOTES

44       At  the  time  when  this system call was introduced, one process could
45       send a signal to another process with the same effective user ID.  This
46       meant  that  if  a privileged process changed its effective user ID for
47       the purpose of file permission checking, then it could become  vulnera‐
48       ble  to  receiving  signals sent by another (unprivileged) process with
49       the same user ID.  The filesystem user ID attribute was thus  added  to
50       allow  a process to change its user ID for the purposes of file permis‐
51       sion checking without at the same time becoming vulnerable to receiving
52       unwanted  signals.  Since Linux 2.0, signal permission handling is dif‐
53       ferent (see kill(2)), with the result that a process change can  change
54       its  effective  user  ID  without being vulnerable to receiving signals
55       from unwanted processes.  Thus, setfsuid()  is  nowadays  unneeded  and
56       should be avoided in new applications (likewise for setfsgid(2)).
57
58       The  original  Linux  setfsuid() system call supported only 16-bit user
59       IDs.  Subsequently, Linux 2.4 added setfsuid32() supporting 32-bit IDs.
60       The  glibc  setfsuid()  wrapper  function  transparently deals with the
61       variation across kernel versions.
62
63   C library/kernel differences
64       In glibc 2.15 and earlier, when the wrapper for this system call deter‐
65       mines  that  the argument can't be passed to the kernel without integer
66       truncation (because the kernel is old and does not support 32-bit  user
67       IDs),  they  will  return -1 and set errno to EINVAL without attempting
68       the system call.
69

BUGS

71       No error indications of any kind are returned to the  caller,  and  the
72       fact  that both successful and unsuccessful calls return the same value
73       makes it impossible to directly determine whether the call succeeded or
74       failed.  Instead, the caller must resort to looking at the return value
75       from a further call such as setfsuid(-1) (which will always  fail),  in
76       order  to  determine  if  a  preceding  call  to setfsuid() changed the
77       filesystem user ID.  At the very least, EPERM should be  returned  when
78       the call fails (because the caller lacks the CAP_SETUID capability).
79

SEE ALSO

81       kill(2), setfsgid(2), capabilities(7), credentials(7)
82

COLOPHON

84       This  page  is  part of release 4.16 of the Linux man-pages project.  A
85       description of the project, information about reporting bugs,  and  the
86       latest     version     of     this    page,    can    be    found    at
87       https://www.kernel.org/doc/man-pages/.
88
89
90
91Linux                             2017-09-15                       SETFSUID(2)
Impressum