ucred(9)
NAME
- ucred, crget, crhold, crfree, crshared, crcopy, crdup,
- cru2x,
cred_update_thread - functions related to user credentials
SYNOPSIS
#include <sys/param.h>
#include <sys/ucred.h>
struct ucred *
crget(void);
struct ucred *
crhold(struct ucred *cr);
void
crfree(struct ucred *cr);
int
crshared(struct ucred *cr);
void
crcopy(struct ucred *dest, struct ucred *src);
struct ucred *
crdup(struct ucred *cr);
void
cru2x(struct ucred *cr, struct xucred *xcr);
void
cred_update_thread(struct thread *td);
DESCRIPTION
- The ucred family of functions is used to manage user creden
- tial structures (struct ucred) within the kernel.
- The crget() function allocates memory for a new structure,
- sets its reference count to 1, and initializes its lock.
- The crhold() function increases the reference count on the
- credential.
- The crfree() function decreases the reference count on the
- credential.
If the count drops to 0, the storage for the structure is
- freed.
- The crshared() function returns true if the credential is
- shared. A credential is considered to be shared if its reference count is
- greater than
one.
- The crcopy() function copies the contents of the source
- (template) credential into the destination template. The uidinfo struc
- ture within the
destination is referenced by calling uihold(9).
- The crdup() function allocates memory for a new structure
- and copies the
contents of cr into it. The actual copying is performed by
- crcopy().
- The cru2x() function converts a ucred structure to an xucred
- structure.
That is, it copies data from cr to xcr; it ignores fields in
- the former
that are not present in the latter (e.g., cr_uidinfo), and
- appropriately
sets fields in the latter that are not present in the former
- (e.g.,
cr_version).
- The cred_update_thread() function sets the credentials of td
- to that of
its process, freeing its old credential if required.
RETURN VALUES
- crget(), crhold() and crdup() all return a pointer to a
- ucred structure.
- crshared() returns 0 if the credential has a reference count
- greater than
1; otherwise, 1 is returned.
USAGE NOTES
- As of FreeBSD 5.0, the ucred structure contains extensible
- fields. This
means that the correct protocol must always be followed to
- create a fresh
and writable credential structure: new credentials must al
- ways be derived
from existing credentials using crget() and crcopy().
- In the common case, credentials required for access control
- decisions are
used in a read-only manner. In these circumstances, the
- thread credential td_ucred should be used, as it requires no locking to
- access safely,
and remains stable for the duration of the call even in the
- face of a
multi-threaded application changing the process credentials
- from another
thread. Primitives such as suser(9) will assume the use of
- td_ucred
unless explicitly specified using suser_cred(9).
- During a process credential update, the process lock must be
- held across
check and update, to prevent race conditions. The process
- credential,
td->td_proc->p_ucred, must be used both for check and up
- date. If a process credential is updated during a system call and checks
- against the
thread credential are to be made later during the same sys
- tem call, the
thread credential must also be refreshed from the process
- credential so
as to prevent use of a stale value. To avoid this scenario,
- it is recommended that system calls updating the process credential be
- designed to
avoid other authorization functions.
- If temporarily elevated privileges are required for a
- thread, the thread
credential can by replaced for the duration of an activity,
- or for the
remainder of the system call. However, as a thread creden
- tial is often
shared, appropriate care should be taken to make sure modi
- fications are
made to a writable credential through the use of crget() and
- crcopy().
- Caution should be exercised when checking authorization for
- a thread or
process perform an operation on another thread or process.
- As a result
of temporary elevation, the target thread credential should
- never be used
as the target credential in an access control decision: the
- process credential associated with the thread, td->td_proc->p_ucred,
- should be used
instead. For example, p_candebug(9) accepts a target pro
- cess, not a target thread, for access control purposes.
SEE ALSO
uihold(9)
AUTHORS
- This manual page was written by Chad David <davidc@ac
- ns.ab.ca>.
- BSD March 3, 2002