setuid (BPX1SUI, BPX4SUI) — Set user IDs

Function

The setuid callable service sets the real, effective, and saved set user IDs for the current process.

Requirements

Operation	Environment
Authorization:	Supervisor state or problem state, any PSW key
Dispatchable unit mode:	Task
Cross memory mode:	PASN = HASN
AMODE (BPX1SUI):	31-bit
AMODE (BPX4SUI):	64-bit
ASC mode:	Primary mode
Interrupt status:	Enabled for interrupts
Locks:	Unlocked
Control parameters:	All parameters must be addressable by the caller and in the primary address space.

Format

The syntax format is as follows:

CALL BPX1SUI,(User_ID,
              Return_value,
              Return_code,
              Reason_code)

AMODE 64 callers use BPX4SUI with the same parameters.

Parameters

User_ID

Supplied parameter

Type:: Integer
Length:: Fullword

The name of a fullword that contains the user ID the process is to assume.

Return_value

Returned parameter

Type:: Integer
Length:: Fullword

The name of a fullword in which the setuid service returns 0 if the request is successful, or -1 if it is not successful.

Return_code

Returned parameter

Type:: Integer
Length:: Fullword

The name of a fullword in which the setuid service stores the return code. The setuid service returns Return_code only if Return_value is -1. See z/OS UNIX System Services Messages and Codes for a complete list of possible return code values. The setuid service can return one of the following values in the Return_code parameter:

Return_code	Explanation
EINVAL	The user ID that was specified was incorrect.
EMVSSAF2ERR	The SAF call IRRSSU00 incurred an error.
EPERM	The process does not have the appropriate privileges to set the user ID. Refer to Authorization for information on appropriate privileges.

Reason_code

Returned parameter

Type:: Integer
Length:: Fullword

The name of a fullword in which the setuid service stores the reason code. The setuid service returns Reason_code only if Return_value is -1. Reason_code further qualifies the Return_code value. For the reason codes, see z/OS UNIX System Services Messages and Codes. The reason code for EMVSSAF2ERR contains the RACF® return and reason codes, respectively, in the two low-order bytes. For a more detailed description of the RACF SETUID service return and reason code values, see the following table:

RACF return code	RACF reason code	Explanation
8	4	UID is not defined to RACF
8	8	User not authorized to change UID
8	12	Internal error during RACF processing
8	16	Unable to establish recovery

For a more detailed description of the RACF CKPRIV service return and reason code values, see the following table:

RACF return code	RACF reason code	Explanation
8	4	User is not privileged
8	12	Internal error during RACF processing

Usage notes for setuid

If a UNIX set-user-ID privileged program switches its UID to other than that of the set-user-ID program and it causes the real, effective and saved UID of the caller to be equal, then the set-user-ID privilege of the program is given up.
If User_ID is the same as the real UID of the process or the saved set UID, the setuid service sets the effective UID to be the same as User_ID.
If User_ID is not the same as the real UID of the process, and the calling process has appropriate privileges, the real, effective, and saved set UIDs are set to User_ID. For more information about appropriate privileges, see Authorization.
In z/OS® UNIX, you change the identity of a process by changing the real and effective UIDs and the supplementary groups. In order to change the identity of the process on MVS™, you must also change the MVS security environment. The setuid function calls SAF services to change the MVS identity (user ID) of the address space to the user ID that is associated with the target UID only if the caller is a daemon, or if the target user ID has been properly authenticated. If the caller is a daemon, the following conditions must be met:
- The caller must be a superuser (UID=0).
- If the BPX.DAEMON profile is defined in the FACILITY class, the caller must be permitted to this profile.
- The calling program must be loaded from a controlled library, as defined by the RACF support for program access to data sets (PADS). (For more information, see the steps for setting up enhanced program security in z/OS UNIX System Services Planning.)
If the caller is not a daemon, the target user ID must have been authenticated in one of the following ways:
1. Successful completion of the password service, where the user ID specified is associated with the target UID of the setuid service.
2. If the caller of the setuid service has read access to the BPX.SRV.userid profile in the SURROGATE class, where userid is the user ID that is associated with the target UID, permission is granted to perform the specified operation. See Defining servers to process users without passwords in z/OS UNIX System Services Planning for more information about setting up surrogate profiles.
When the MVS identity is to be changed, the target MVS user ID is determined as follows:
- If an MVS user ID is already known (saved) by the kernel from a previous call to the getpwnam or the password service calls, and the UID created for this user ID matches the UID that is specified on the setuid call, this saved user ID is used.
- For nonzero target UIDs, if there is no known user ID, or if the UID for the known user ID does not match the UID that is requested on the setuid call, the setuid service queries the security database to retrieve the user ID. The retrieved user ID is then used.
- If the target UID is 0 and a user ID is not known, the setuid service sets the MVS user ID to BPXROOT, or to a user ID that is specified as a parmlib option during installation. BPXROOT is set up during system initialization as a superuser with a UID of 0. The BPXROOT user ID is not defined to the BPX.DAEMON profile in the FACILITY class. This special processing is necessary to prevent a superuser from gaining daemon authority.
- When a change is being made from a nonzero UID to a zero UID, the MVS user ID is not changed. When you use the su shell command to become a superuser, your shell retains your original MVS user ID.
The MVS identity is not changed on a successful call to setuid in the following situations:
- When a change is being made from a nonzero UID to a zero UID. When you use the su shell command to become a superuser, your shell retains your original MVS user ID.
- When it is running in a setuid program, and a setuid is done back to the original real UID.
You should be careful when you are constructing the MVS identity associated with a setuid program. These programs effectively allow a subsequently spawned child non-setuid program to set its effective UID and associated MVS identity to the UID and MVS identity of the setuid of the program.
The setuid service is not supported from an address space that is running multiple processes, because it would cause all processes in the address space to have their security environments changed unexpectedly. The call to the setuid service in this environment fails with an EMVSERR return code and a JRMultiProc reason code.
The setuid service is not supported from a TSO address space. The call to the setuid service in this environment fails with an EMVSERR return code and a JRTso reason code.
The setuid service is not supported from a task that is running with a previously obtained task-level security environment. The call to the setuid service in this environment fails with an EMVSERR return code and a JRTaskAcee reason code.
The setuid service is not supported in the following situation: The BPX.DAEMON profile is defined in the FACILITY class and the caller is attempting to change its security environment by changing its MVS user identity, but a load was issued from an uncontrolled data set in the caller's address space. This address space could be corrupted; for this reason, daemon activity is not allowed. The call to the setuid service in this environment fails with an EMVSERR return code and a JREnvDirty reason code.
The setuid service is not supported when running from within a setuid program, because in most cases the MVS identity will not change in this environment.
To attach the security environment of the caller of the setuid service to the security environment of the target UID (which then creates a nested ACEE for the target), use the _BPXK_DAEMON_ATTACH environment variable. The new client can then access RACF delegated resources for which the daemon, but not necessarily the client, has access. (The delegated resources are designated by the APPDATA text of 'RACF-DELEGATED' in the RACF profile protecting the resource.) For more information about nested ACEEs and delegated resources, see z/OS Security Server RACF Security Administrator's Guide.
The _BPXK_SUID_FORK environment variable specifies whether the setuid indicator is propagated to child address spaces created by the fork service. For more information, see Commonly used environment variables in z/OS UNIX System Services Planning.
When the effective UID is changed, the MVS identity is also changed. The original MVS identity (ACEE ) is saved so that the address space can be restored to its original security environment when the process terminates. During process termination, no other tasks in the address space should make any security calls since they cannot depend on the address space security environment and unpredictable results may occur.

Related services

Characteristics and restrictions

If the setuid service is used within a multi-threaded process, use synchronization to ensure that the setuid service is not performed concurrently with other z/OS UNIX services. Unserialized use can yield unpredictable results.

Examples

See BPX1SUI (setuid) example.