This section describes the functions for altering the group IDs (real and effective) of a process. To use these facilities, you must include the header files `sys/types.h' and `unistd.h'.
seteuid, if the process is privileged it may change its effective group ID to any value; if it isn't, but it has a file group ID, then it may change to its real group ID or file group ID; otherwise it may not change its effective group ID.
Note that a process is only privileged if its effective user ID is zero. The effective group ID only affects access permissions.
The return values and error conditions for setegid are the same as those for seteuid.
This function is only present if _POSIX_SAVED_IDS is defined.
If the process is not privileged, then setgid behaves like setegid.
The return values and error conditions for setgid are the same as those for seteuid.
-1, it means not to change the real group ID; likewise if egid is -1, it means not to change the effective group ID.
The setregid function is provided for compatibility with 4.3 BSD Unix, which does not support file IDs. You can use this function to swap the effective and real group IDs of the process. (Privileged processes are not limited to this usage.) If file IDs are supported, you should use that feature instead of using this function.
See section Enabling and Disabling Setuid Access.
The return values and error conditions for setregid are the same as those for setreuid.
setuid and setgid behave differently depending on whether the effective user ID at the time is zero. If it is not zero, they behave like seteuid and setegid. If it is, they change both effective and real IDs and delete the file ID. To avoid confusion, we recommend you always use seteuid and setegid except when you know the effective user ID is zero and your intent is to change the persona permanently. This case is rare--most of the programs that need it, such as login and su, have already been written.
Note that if your program is setuid to some user other than root, there is no way to drop privileges permanently.
The system also lets privileged processes change their supplementary group IDs. To use setgroups or initgroups, your programs should include the header file `grp.h'.
This function returns 0 if successful and -1 on error.
The following errno error conditions are defined for this function:
EPERM
The initgroups function sets the process's supplementary group IDs to be the normal default for the user name user. If gid is not -1, it includes that group also.
This function works by scanning the group database for all the groups user belongs to. It then calls setgroups with the list it has constructed.
The return values and error conditions are the same as for setgroups.
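The permanent persona change described above, combined with resetting the supplementary groups, as an added example that is not part of the original manual. The helper name drop_privileges and the sample ID 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() in <grp.h> on glibc */
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <errno.h>
#include <stdio.h>

/* Hypothetical helper (not a library function): permanently switch a
   root process to uid/gid.  Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setuid/setgid replace the real, effective and file IDs only when
       the effective user ID is zero; otherwise they act like
       seteuid/setegid and the drop would not be permanent. */
    if (geteuid() != 0) {
        errno = EPERM;
        return -1;
    }
    /* setgroups and setgid need effective UID 0, so both must come
       before setuid gives it up. */
    if (setgroups(1, &gid) != 0)    /* supplementary groups: gid only */
        return -1;
    if (setgid(gid) != 0)           /* real and effective group ID */
        return -1;
    if (setuid(uid) != 0)           /* user ID last */
        return -1;

    /* Check the resulting IDs instead of trusting the return values. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* The old persona must be unrecoverable (skipped if the target is root). */
    if (uid != 0 && seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* 65534 is a constructed sample ID, not a value from the manual. */
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run without an effective user ID of zero, the helper refuses with EPERM and leaves the process IDs untouched.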