Provided by: freebsd-manpages_10.1~RC1-1_all bug


     ucred, crget, crhold, crfree, crshared, crcopy, crdup, cru2x, cred_update_thread — functions
     related to user credentials


     #include <sys/param.h>
     #include <sys/ucred.h>

     struct ucred *

     struct ucred *
     crhold(struct ucred *cr);

     crfree(struct ucred *cr);

     crshared(struct ucred *cr);

     crcopy(struct ucred *dest, struct ucred *src);

     struct ucred *
     crcopysafe(struct proc *p, struct ucred *cr);

     struct ucred *
     crdup(struct ucred *cr);

     crsetgroups(struct ucred *cr, int ngrp, gid_t *groups);

     cru2x(struct ucred *cr, struct xucred *xcr);

     cred_update_thread(struct thread *td);


     The ucred family of functions is used to manage user credential structures (struct ucred)
     within the kernel.

     The crget() function allocates memory for a new structure, sets its reference count to 1,
     and initializes its lock.

     The crhold() function increases the reference count on the credential.

     The crfree() function decreases the reference count on the credential.  If the count drops
     to 0, the storage for the structure is freed.

     The crshared() function returns true if the credential is shared.  A credential is
     considered to be shared if its reference count is greater than one.

     The crcopy() function copies the contents of the source (template) credential into the
     destination template.  The uidinfo structure within the destination is referenced by calling

     The crcopysafe() function copies the current credential associated with the process p into
     the newly allocated credential cr.  The process lock on p must be held and will be dropped
     and reacquired as needed to allocate group storage space in cr.

     The crdup() function allocates memory for a new structure and copies the contents of cr into
     it.  The actual copying is performed by crcopy().

     The crsetgroups() function sets the cr_groups and cr_ngroups variables and allocates space
     as needed.  It also truncates the group list to the current maximum number of groups.  No
     other mechanism should be used to modify the cr_groups array except for updating the primary
     group via assignment to cr_groups[0].

     The cru2x() function converts a ucred structure to an xucred structure.  That is, it copies
     data from cr to xcr; it ignores fields in the former that are not present in the latter
     (e.g., cr_uidinfo), and appropriately sets fields in the latter that are not present in the
     former (e.g., cr_version).

     The cred_update_thread() function sets the credentials of td to that of its process, freeing
     its old credential if required.


     crget(), crhold(), crdup(), and crcopysafe() all return a pointer to a ucred structure.

     crshared() returns 0 if the credential has a reference count greater than 1; otherwise, 1 is


     As of FreeBSD 5.0, the ucred structure contains extensible fields.  This means that the
     correct protocol must always be followed to create a fresh and writable credential
     structure: new credentials must always be derived from existing credentials using crget(),
     crcopy(), and crcopysafe().

     In the common case, credentials required for access control decisions are used in a read-
     only manner.  In these circumstances, the thread credential td_ucred should be used, as it
     requires no locking to access safely, and remains stable for the duration of the call even
     in the face of a multi-threaded application changing the process credentials from another

     During a process credential update, the process lock must be held across check and update,
     to prevent race conditions.  The process credential, td->td_proc->p_ucred, must be used both
     for check and update.  If a process credential is updated during a system call and checks
     against the thread credential are to be made later during the same system call, the thread
     credential must also be refreshed from the process credential so as to prevent use of a
     stale value.  To avoid this scenario, it is recommended that system calls updating the
     process credential be designed to avoid other authorization functions.

     If temporarily elevated privileges are required for a thread, the thread credential can by
     replaced for the duration of an activity, or for the remainder of the system call.  However,
     as a thread credential is often shared, appropriate care should be taken to make sure
     modifications are made to a writable credential through the use of crget() and crcopy().

     Caution should be exercised when checking authorization for a thread or process perform an
     operation on another thread or process.  As a result of temporary elevation, the target
     thread credential should never be used as the target credential in an access control
     decision: the process credential associated with the thread, td->td_proc->p_ucred, should be
     used instead.  For example, p_candebug(9) accepts a target process, not a target thread, for
     access control purposes.




     This manual page was written by Chad David <>.