1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
.\" Copyright (C) 2001 Andries Brouwer (aeb@cwi.nl)
.\"
.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.\"
.\" [should really be seteuid.3]
.\" Modified, 27 May 2004, Michael Kerrisk <mtk.manpages@gmail.com>
.\" Added notes on capability requirements
.\"
.TH seteuid 2 2024-05-02 "Linux man-pages (unreleased)"
.SH NAME
seteuid, setegid \- set effective user or group ID
.SH LIBRARY
Standard C library
.RI ( libc ", " \-lc )
.SH SYNOPSIS
.nf
.B #include <unistd.h>
.P
.BI "int seteuid(uid_t " euid );
.BI "int setegid(gid_t " egid );
.fi
.P
.RS -4
Feature Test Macro Requirements for glibc (see
.BR feature_test_macros (7)):
.RE
.P
.BR seteuid (),
.BR setegid ():
.nf
_POSIX_C_SOURCE >= 200112L
|| /* glibc <= 2.19: */ _BSD_SOURCE
.fi
.SH DESCRIPTION
.BR seteuid ()
sets the effective user ID of the calling process.
Unprivileged processes may only set the effective user ID to the
real user ID, the effective user ID or the saved set-user-ID.
.P
Precisely the same holds for
.BR setegid ()
with "group" instead of "user".
.\" When
.\" .I euid
.\" equals \-1, nothing is changed.
.\" (This is an artifact of the implementation in glibc of seteuid()
.\" using setresuid(2).)
.SH RETURN VALUE
On success, zero is returned.
On error, \-1 is returned, and
.I errno
is set to indicate the error.
.P
.IR Note :
there are cases where
.BR seteuid ()
can fail even when the caller is UID 0;
it is a grave security error to omit checking for a failure return from
.BR seteuid ().
.SH ERRORS
.TP
.B EINVAL
The target user or group ID is not valid in this user namespace.
.TP
.B EPERM
In the case of
.BR seteuid ():
the calling process is not privileged (does not have the
.B CAP_SETUID
capability in its user namespace) and
.I euid
does not match the current real user ID, current effective user ID,
or current saved set-user-ID.
.IP
In the case of
.BR setegid ():
the calling process is not privileged (does not have the
.B CAP_SETGID
capability in its user namespace) and
.I egid
does not match the current real group ID, current effective group ID,
or current saved set-group-ID.
.SH VERSIONS
Setting the effective user (group) ID to the
saved set-user-ID (saved set-group-ID) is
possible since Linux 1.1.37 (1.1.38).
On an arbitrary system one should check
.BR _POSIX_SAVED_IDS .
.P
Under glibc 2.0,
.BI seteuid( euid )
is equivalent to
.BI setreuid(\-1, " euid" )
and hence may change the saved set-user-ID.
Under glibc 2.1 and later, it is equivalent to
.BI setresuid(\-1, " euid" ", \-1)"
and hence does not change the saved set-user-ID.
Analogous remarks hold for
.BR setegid (),
with the difference that the change in implementation from
.BI setregid(\-1, " egid" )
to
.BI setresgid(\-1, " egid" ", \-1)"
occurred in glibc 2.2 or 2.3 (depending on the hardware architecture).
.P
According to POSIX.1,
.BR seteuid ()
.RB ( setegid ())
need not permit
.I euid
.RI ( egid )
to be the same value as the current effective user (group) ID,
and some implementations do not permit this.
.SS C library/kernel differences
On Linux,
.BR seteuid ()
and
.BR setegid ()
are implemented as library functions that call, respectively,
.BR setresuid (2)
and
.BR setresgid (2).
.SH STANDARDS
POSIX.1-2008.
.SH HISTORY
POSIX.1-2001, 4.3BSD.
.SH SEE ALSO
.BR geteuid (2),
.BR setresuid (2),
.BR setreuid (2),
.BR setuid (2),
.BR capabilities (7),
.BR credentials (7),
.BR user_namespaces (7)
|
