Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
UCRED(9)	       FreeBSD Kernel Developer's Manual	      UCRED(9)

     ucred, crget, crhold, crfree, crcopy, crdup, cru2x	-- functions related
     to	user credentials

     #include <sys/param.h>
     #include <sys/ucred.h>

     struct ucred *

     struct ucred *
     crhold(struct ucred *cr);

     crfree(struct ucred *cr);

     crcopy(struct ucred *dest,	struct ucred *src);

     struct ucred *
     crcopysafe(struct proc *p,	struct ucred *cr);

     struct ucred *
     crdup(struct ucred	*cr);

     crsetgroups(struct	ucred *cr, int ngrp, gid_t *groups);

     cru2x(struct ucred	*cr, struct xucred *xcr);

     The ucred family of functions is used to manage user credential struc-
     tures (struct ucred) within the kernel.

     The crget() function allocates memory for a new structure,	sets its ref-
     erence count to 1,	and initializes	its lock.

     The crhold() function increases the reference count on the	credential.

     The crfree() function decreases the reference count on the	credential.
     If	the count drops	to 0, the storage for the structure is freed.

     The crcopy() function copies the contents of the source (template)	cre-
     dential into the destination template.  The uidinfo structure within the
     destination is referenced by calling uihold(9).

     The crcopysafe() function copies the current credential associated	with
     the process p into	the newly allocated credential cr.  The	process	lock
     on	p must be held and will	be dropped and reacquired as needed to allo-
     cate group	storage	space in cr.

     The crdup() function allocates memory for a new structure and copies the
     contents of cr into it.  The actual copying is performed by crcopy().

     The crsetgroups() function	sets the cr_groups and cr_ngroups variables
     and allocates space as needed.  It	also truncates the group list to the
     current maximum number of groups.	No other mechanism should be used to
     modify the	cr_groups array	except for updating the	primary	group via as-
     signment to cr_groups[0].

     The cru2x() function converts a ucred structure to	an xucred structure.
     That is, it copies	data from cr to	xcr; it	ignores	fields in the former
     that are not present in the latter	(e.g., cr_uidinfo), and	appropriately
     sets fields in the	latter that are	not present in the former (e.g.,

     crget(), crhold(),	crdup(), and crcopysafe() all return a pointer to a
     ucred structure.

     As	of FreeBSD 5.0,	the ucred structure contains extensible	fields.	 This
     means that	the correct protocol must always be followed to	create a fresh
     and writable credential structure:	new credentials	must always be derived
     from existing credentials using crget(), crcopy(),	and crcopysafe().

     In	the common case, credentials required for access control decisions are
     used in a read-only manner.  In these circumstances, the thread creden-
     tial td_ucred should be used, as it requires no locking to	access safely,
     and remains stable	for the	duration of the	call even in the face of a
     multi-threaded application	changing the process credentials from another

     During a process credential update, the process lock must be held across
     check and update, to prevent race conditions.  The	process	credential,
     td-_td_proc-_p_ucred, must	be used	both for check and update.  If a
     process credential	is updated during a system call	and checks against the
     thread credential are to be made later during the same system call, the
     thread credential must also be refreshed from the process credential so
     as	to prevent use of a stale value.  To avoid this	scenario, it is	recom-
     mended that system	calls updating the process credential be designed to
     avoid other authorization functions.

     If	temporarily elevated privileges	are required for a thread, the thread
     credential	can be replaced	for the	duration of an activity, or for	the
     remainder of the system call.  However, as	a thread credential is often
     shared, appropriate care should be	taken to make sure modifications are
     made to a writable	credential through the use of crget() and crcopy().

     Caution should be exercised when checking authorization for a thread or
     process perform an	operation on another thread or process.	 As a result
     of	temporary elevation, the target	thread credential should never be used
     as	the target credential in an access control decision: the process cre-
     dential associated	with the thread, td-_td_proc-_p_ucred, should be used
     instead.  For example, p_candebug(9) accepts a target process, not	a tar-
     get thread, for access control purposes.


     This manual page was written by Chad David	<>.

FreeBSD	13.0		       January 23, 2019			  FreeBSD 13.0


Want to link to this manual page? Use this URL:

home | help