1SETUID(P)                  POSIX Programmer's Manual                 SETUID(P)
2
3
4

NAME

6       setuid - set user ID
7

SYNOPSIS

9       #include <unistd.h>
10
11       int setuid(uid_t uid);
12
13

DESCRIPTION

15       If  the process has appropriate privileges, setuid() shall set the real
16       user ID, effective user ID, and the saved set-user-ID  of  the  calling
17       process to uid.
18
19       If  the  process does not have appropriate privileges, but uid is equal
20       to the real user ID or the saved set-user-ID, setuid()  shall  set  the
21       effective  user ID to uid; the real user ID and saved set-user-ID shall
22       remain unchanged.
23
24       The setuid() function shall not affect the supplementary group list  in
25       any way.
26

RETURN VALUE

28       Upon successful completion, 0 shall be returned. Otherwise, -1 shall be
29       returned and errno set to indicate the error.
30

ERRORS

32       The setuid() function shall fail, return -1, and set errno to the  cor‐
33       responding value if one or more of the following are true:
34
35       EINVAL The  value  of  the uid argument is invalid and not supported by
36              the implementation.
37
38       EPERM  The process does not have appropriate privileges  and  uid  does
39              not match the real user ID or the saved set-user-ID.
40
41
42       The following sections are informative.
43

EXAMPLES

45       None.
46

APPLICATION USAGE

48       None.
49

RATIONALE

51       The  various  behaviors  of  the  setuid()  and setgid() functions when
52       called by non-privileged processes reflect the  behavior  of  different
53       historical implementations. For portability, it is recommended that new
54       non-privileged applications use the seteuid() and  setegid()  functions
55       instead.
56
57       The  saved set-user-ID capability allows a program to regain the effec‐
58       tive user ID established at the last exec call.  Similarly,  the  saved
59       set-group-ID  capability allows a program to regain the effective group
60       ID established at the last exec call. These  capabilities  are  derived
61       from  System  V. Without them, a program might have to run as superuser
62       in order to perform the same functions, because superuser can write  on
63       the user's files. This is a problem because such a program can write on
64       any user's files, and so must be carefully written to emulate the  per‐
65       missions  of the calling process properly. In System V, these capabili‐
66       ties have traditionally been implemented only via the setuid() and set‐
67       gid()  functions for non-privileged processes. The fact that the behav‐
68       ior of those functions was different for privileged processes made them
69       difficult  to use. The POSIX.1-1990 standard defined the setuid() func‐
70       tion to behave differently for privileged and unprivileged users.  When
71       the  caller had the appropriate privilege, the function set the calling
72       process' real user ID, effective user ID,  and  saved  set-user  ID  on
73       implementations  that  supported  it.  When the caller did not have the
74       appropriate privilege, the function set only  the  effective  user  ID,
75       subject  to  permission  checks. The former use is generally needed for
76       utilities like login and su, which are not conforming applications  and
77       thus  outside  the scope of IEEE Std 1003.1-2001.  These utilities wish
78       to change the user ID irrevocably to a new value, generally that of  an
79       unprivileged  user.   The  latter use is needed for conforming applica‐
80       tions that are installed with the set-user-ID bit and need  to  perform
81       operations using the real user ID.
82
83       IEEE Std 1003.1-2001 augments the latter functionality with a mandatory
84       feature named _POSIX_SAVED_IDS.  This  feature  permits  a  set-user-ID
85       application  to switch its effective user ID back and forth between the
86       values of its exec-time real user ID and effective  user  ID.  Unfortu‐
87       nately,  the POSIX.1-1990 standard did not permit a conforming applica‐
88       tion using this feature to work properly when it happened  to  be  exe‐
89       cuted with the (implementation-defined) appropriate privilege. Further‐
90       more, the application did not even have a means to tell whether it  had
91       this  privilege. Since the saved set-user-ID feature is quite desirable
92       for applications, as evidenced by the fact that  NIST  required  it  in
93       FIPS  151-2,  it  has  been  mandated by IEEE Std 1003.1-2001. However,
94       there are implementors who have been reluctant to support it given  the
95       limitation described above.
96
97       The 4.3BSD system handles the problem by supporting separate functions:
98       setuid() (which always sets both the real and effective user IDs,  like
99       setuid()  in  IEEE Std 1003.1-2001 for privileged users), and seteuid()
100       (which always sets  just  the  effective  user  ID,  like  setuid()  in
101       IEEE Std 1003.1-2001  for  non-privileged  users).  This  separation of
102       functionality into distinct functions seems desirable.  4.3BSD does not
103       support  the saved set-user-ID feature. It supports similar functional‐
104       ity of switching the effective user ID back and forth  via  setreuid(),
105       which  permits  reversing  the real and effective user IDs.  This model
106       seems less desirable than the saved set-user-ID because the  real  user
107       ID  changes  as a side effect. The current 4.4BSD includes saved effec‐
108       tive IDs and uses them for seteuid() and setegid() as described  above.
109       The setreuid() and setregid() functions will be deprecated or removed.
110
111       The solution here is:
112
113        * Require  that  all  implementations support the functionality of the
114          saved set-user-ID, which is set by the exec functions and by  privi‐
115          leged calls to setuid().
116
117        * Add  the  seteuid() and setegid() functions as portable alternatives
118          to setuid() and setgid()  for  non-privileged  and  privileged  pro‐
119          cesses.
120
121       Historical  systems  have  provided  two  mechanisms  for a set-user-ID
122       process to change its effective user ID to be the same as its real user
123       ID  in  such  a way that it could return to the original effective user
124       ID: the use of the setuid() function in the presence of  a  saved  set-
125       user-ID,  or  the use of the BSD setreuid() function, which was able to
126       swap  the  real  and  effective  user  IDs.  The  changes  included  in
127       IEEE Std 1003.1-2001  provide  a  new mechanism using seteuid() in con‐
128       junction with a saved set-user-ID. Thus, all implementations  with  the
129       new seteuid() mechanism will have a saved set-user-ID for each process,
130       and most of  the  behavior  controlled  by  _POSIX_SAVED_IDS  has  been
131       changed to agree with the case where the option was defined. The kill()
132       function is an exception. Implementors of the new  seteuid()  mechanism
133       will  generally  be  required  to maintain compatibility with the older
134       mechanisms previously supported by their systems. However,  compatibil‐
135       ity  with this use of setreuid() and with the _POSIX_SAVED_IDS behavior
136       of kill() is unfortunately complicated. If  an  implementation  with  a
137       saved  set-user-ID  allows a process to use setreuid() to swap its real
138       and effective user IDs, but were to leave the saved set-user-ID unmodi‐
139       fied,  the  process  would  then have an effective user ID equal to the
140       original real user ID, and both real and  saved  set-user-ID  would  be
141       equal  to  the original effective user ID. In that state, the real user
142       would be unable to kill the process, even though the effective user  ID
143       of the process matches that of the real user, if the kill() behavior of
144       _POSIX_SAVED_IDS was used. This is obviously not acceptable. The alter‐
145       native  choice,  which  is  used  in at least one implementation, is to
146       change the saved set-user-ID to the effective user ID during most calls
147       to  setreuid().  The standard developers considered that alternative to
148       be less correct than the retention of the old  behavior  of  kill()  in
149       such  systems. Current conforming applications shall accommodate either
150       behavior from kill(), and there appears to  be  no  strong  reason  for
151       kill()  to  check  the saved set-user-ID rather than the effective user
152       ID.
153

FUTURE DIRECTIONS

155       None.
156

SEE ALSO

158       exec() , getegid() , geteuid() , getgid()  ,  getuid()  ,  setegid()  ,
159       seteuid()  ,  setgid() , setregid() , setreuid() , the Base Definitions
160       volume of IEEE Std 1003.1-2001, <sys/types.h>, <unistd.h>
161

163       Portions of this text are reprinted and reproduced in  electronic  form
164       from IEEE Std 1003.1, 2003 Edition, Standard for Information Technology
165       -- Portable Operating System Interface (POSIX),  The  Open  Group  Base
166       Specifications  Issue  6,  Copyright  (C) 2001-2003 by the Institute of
167       Electrical and Electronics Engineers, Inc and The Open  Group.  In  the
168       event of any discrepancy between this version and the original IEEE and
169       The Open Group Standard, the original IEEE and The Open Group  Standard
170       is  the  referee document. The original Standard can be obtained online
171       at http://www.opengroup.org/unix/online.html .
172
173
174
175IEEE/The Open Group                  2003                            SETUID(P)
Impressum