1 .\" Copyright (c) 2007 by Michael Kerrisk <mtk.manpages@gmail.com>
3 .\" Permission is granted to make and distribute verbatim copies of this
4 .\" manual provided the copyright notice and this permission notice are
5 .\" preserved on all copies.
7 .\" Permission is granted to copy and distribute modified versions of this
8 .\" manual under the conditions for verbatim copying, provided that the
9 .\" entire resulting derived work is distributed under the terms of a
10 .\" permission notice identical to this one.
12 .\" Since the Linux kernel and libraries are constantly changing, this
13 .\" manual page may be incorrect or out-of-date. The author(s) assume no
14 .\" responsibility for errors or omissions, or for damages resulting from
15 .\" the use of the information contained herein. The author(s) may not
16 .\" have taken the same level of care in the production of this manual,
17 .\" which is licensed free of charge, as they might when working
20 .\" Formatted or processed versions of this manual, if unaccompanied by
21 .\" the source, must acknowledge the copyright and authors of this work.
23 .\" 2007-06-13 Creation
25 .TH CREDENTIALS 7 2008-06-03 "Linux" "Linux Programmer's Manual"
27 credentials \- process identifiers
30 Each process has a unique nonnegative integer identifier
31 that is assigned when the process is created using
33 A process can obtain its PID using
35 A PID is represented using the type
40 PIDs are used in a range of system calls to identify the process
41 affected by the call, for example:
45 .\" .BR sched_rr_get_interval (2),
46 .\" .BR sched_getaffinity (2),
47 .\" .BR sched_setaffinity (2),
48 .\" .BR sched_getparam (2),
49 .\" .BR sched_setparam (2),
50 .\" .BR sched_setscheduler (2),
51 .\" .BR sched_getscheduler (2),
61 A process's PID is preserved across an
63 .SS Parent Process ID (PPID)
64 A process's parent process ID identifies the process that created
67 A process can obtain its PPID using
69 A PPID is represented using the type
72 A process's PPID is preserved across an
74 .SS Process Group ID and Session ID
75 Each process has a session ID and a process group ID,
76 both represented using the type
78 A process can obtain its session ID using
80 and its process group ID using
85 inherits its parent's session ID and process group ID.
86 A process's session ID and process group ID are preserved across an
89 Sessions and process groups are abstractions devised to support shell
91 A process group (sometimes called a "job") is a collection of
92 processes that share the same process group ID;
93 the shell creates a new process group for the process(es) used
94 to execute single command or pipeline (e.g., the two processes
95 created to execute the command "ls\ |\ wc" are placed in the
97 A process's group membership can be set using
99 The process whose process ID is the same as its process group ID is the
100 \fIprocess group leader\fP for that group.
102 A session is a collection of processes that share the same session ID.
103 All of the members of a process group also have the same session ID
104 (i.e., all of the members of a process group always belong to the
105 same session, so that sessions and process groups form a strict
106 two-level hierarchy of processes.)
107 A new session is created when a process calls
109 which creates a new session whose session ID is the same
110 as the PID of the process that called
112 The creator of the session is called the \fIsession leader\fP.
113 .SS User and Group Identifiers
114 Each process has various associated user and groups IDs.
115 These IDs are integers, respectively represented using the types
122 On Linux, each process has the following user and group identifiers:
124 Real user ID and real group ID.
125 These IDs determine who owns the process.
126 A process can obtain its real user (group) ID using
130 Effective user ID and effective group ID.
131 These IDs are used by the kernel to determine the permissions
132 that the process will have when accessing shared resources such
133 as message queues, shared memory, and semaphores.
134 On most UNIX systems, these IDs also determine the
135 permissions when accessing files.
136 However, Linux uses the file system IDs described below
138 A process can obtain its effective user (group) ID using
142 Saved set-user-ID and saved set-group-ID.
143 These IDs are used in set-user-ID and set-group-ID programs to save
144 a copy of the corresponding effective IDs that were set when
145 the program was executed (see
147 A set-user-ID program can assume and drop privileges by
148 switching its effective user ID back and forth between the values
149 in its real user ID and saved set-user-ID.
150 This switching is done via calls to
155 A set-group-ID program performs the analogous tasks using
160 A process can obtain its saved set-user-ID (set-group-ID) using
162 .RB ( getresgid (2)).
164 File system user ID and file system group ID (Linux-specific).
165 These IDs, in conjunction with the supplementary group IDs described
166 below, are used to determine permissions for accessing files; see
167 .BR path_resolution (7)
169 Whenever a process's effective user (group) ID is changed,
170 the kernel also automatically changes the file system user (group) ID
172 Consequently, the file system IDs normally have the same values
173 as the corresponding effective ID, and the semantics for file-permission
174 checks are thus the same on Linux as on other UNIX systems.
175 The file system IDs can be made to differ from the effective IDs
181 Supplementary group IDs.
182 This is a set of additional group IDs that are used for permission
183 checks when accessing files and other shared resources.
184 On Linux kernels before 2.6.4,
185 a process can be a member of up to 32 supplementary groups;
187 a process can be a member of up to 65536 supplementary groups.
189 .I sysconf(_SC_NGROUPS_MAX)
190 can be used to determine the number of supplementary groups
191 of which a process may be a member.
192 .\" Since kernel 2.6.4, the limit is visible via the read-only file
193 .\" /proc/sys/kernel/ngroups_max.
194 .\" As at 2.6.22-rc2, this file is still read-only.
195 A process can obtain its set of supplementary group IDs using
197 and can modify the set using
200 A child process created by
202 inherits copies of its parent's user and groups IDs.
205 a process's real user and group ID and supplementary
206 group IDs are preserved;
207 the effective and saved set IDs may be changed, as described in
210 Aside from the purposes noted above,
211 a process's user IDs are also employed in a number of other contexts:
213 when determining the permissions for sending signals \(em see
216 when determining the permissions for setting
217 process-scheduling parameters (nice value, real time
218 scheduling policy and priority, CPU affinity, I/O priority) using
220 .BR sched_setaffinity (2),
221 .BR sched_setscheduler (2),
222 .BR sched_setparam (2),
226 when checking resource limits; see
229 when checking the limit on the number of inotify instances
230 that the process may create; see
233 Process IDs, parent process IDs, process group IDs, and session IDs
234 are specified in POSIX.1-2001.
235 The real, effective, and saved set user and groups IDs,
236 and the supplementary group IDs, are specified in POSIX.1-2001.
237 The file system user and group IDs are a Linux extension.
239 The POSIX threads specification requires that
240 credentials are shared by all of the threads in a process.
241 However, at the kernel level, Linux maintains separate user and group
242 credentials for each thread.
243 The NPTL threading implementation does some work to ensure
244 that any change to user or group credentials
249 is carried through to all of the POSIX threads in a process.
278 .BR capabilities (7),
279 .BR path_resolution (7),