<<< Previous Home Next >>>
The Open Group Base Specifications Issue 7, 2018 edition
IEEE Std 1003.1-2017 (Revision of IEEE Std 1003.1-2008)
Copyright © 2001-2018 IEEE and The Open Group

NAME

setregid - set real and effective group IDs

SYNOPSIS

[XSI] [Option Start] #include <unistd.h>

int setregid(gid_t rgid, gid_t egid); [Option End]

DESCRIPTION

The setregid() function shall set the real and effective group IDs of the calling process.

If rgid is -1, the real group ID shall not be changed; if egid is -1, the effective group ID shall not be changed.

The real and effective group IDs may be set to different values in the same call.

Only a process with appropriate privileges can set the real group ID and the effective group ID to any valid value.

A non-privileged process can set either the real group ID to the saved set-group-ID from one of the exec family of functions, or the effective group ID to the saved set-group-ID or the real group ID.

If the real group ID is being set (rgid is not -1), or the effective group ID is being set to a value not equal to the real group ID, then the saved set-group-ID of the current process shall be set equal to the new effective group ID.

Any supplementary group IDs of the calling process remain unchanged.

RETURN VALUE

Upon successful completion, 0 shall be returned. Otherwise, -1 shall be returned and errno set to indicate the error, and neither of the group IDs are changed.

ERRORS

The setregid() function shall fail if:

[EINVAL]
The value of the rgid or egid argument is invalid or out-of-range.
[EPERM]
The process does not have appropriate privileges and a change other than changing the real group ID to the saved set-group-ID, or changing the effective group ID to the real group ID or the saved set-group-ID, was requested.
The following sections are informative.

EXAMPLES

None.

APPLICATION USAGE

If a non-privileged set-group-ID process sets its effective group ID to its real group ID, it can only set its effective group ID back to the previous value if rgid was -1 in the setregid() call, since the saved-group-ID is not changed in that case. If rgid was equal to the real group ID in the setregid() call, then the saved set-group-ID will also have been changed to the real user ID.

RATIONALE

Earlier versions of this standard did not specify whether the saved set-group-ID was affected by setregid() calls. This version specifies common existing practice that constitutes an important security feature. The ability to set both the effective group ID and saved set-group-ID to be the same as the real group ID means that any security weakness in code that is executed after that point cannot result in malicious code being executed with the previous effective group ID. Privileged applications could already do this using just setgid(), but for non-privileged applications the only standard method available is to use this feature of setregid().

FUTURE DIRECTIONS

None.

SEE ALSO

exec, getegid, geteuid, getgid, getuid, setegid, seteuid, setgid, setreuid, setuid

XBD <unistd.h>

CHANGE HISTORY

First released in Issue 4, Version 2.

Issue 5

Moved from X/OPEN UNIX extension to BASE.

The DESCRIPTION is updated to indicate that the saved set-group-ID can be set by any of the exec family of functions, not just execve().

Issue 7

SD5-XSH-ERN-177 is applied, adding the ability to set both the effective group ID and saved set-group-ID to be the same as the real group ID.

End of informative text.

 

return to top of page
UNIX ® is a registered Trademark of The Open Group.
POSIX ™ is a Trademark of The IEEE.
Copyright © 2001-2018 IEEE and The Open Group, All Rights Reserved
[ Main Index | XBD | XSH | XCU | XRAT ]
<<< Previous Home Next >>>