getresgid16

Intro

getresgid16 - get the real, effective, and saved group IDs of the calling process

Description

The getresgid16() system call gets the real, effective, and saved group IDs of the calling process (in that order).

Using this call, a process can verify that its real, effective, and saved group IDs are the same. This can help when a process changes its credentials to elevate or drop privileges, since it can confirm the outcome of the change.

Since the call takes no input arguments (its three parameters are output pointers), there are no edge cases or drawbacks to consider. However, in kernel versions prior to 4.20 the allocated argument was present and had to be set to the size of the old_gid_t type, which might be confusing.

Arguments

  • rgid:old_gid_t*[K] - Pointer to the real group ID of the caller.
  • egid:old_gid_t*[K] - Pointer to the effective group ID of the caller.
  • sgid:old_gid_t*[K] - Pointer to the saved group ID of the caller.
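The following added example (not part of the Tracee documentation or code base) shows the two points a defender should care about when reading this event: the consistency check across the three IDs that the description mentions, and the fact that old_gid_t is a 16-bit type, so a group ID above 65535 cannot be represented and is reported as the kernel's overflow GID rather than truncated. The overflow value 65534 is assumed to be the kernel default (/proc/sys/kernel/overflowgid), and the current process is queried through the modern getresgid(2) wrapper because the 16-bit call only exists on 32-bit architectures.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* old_gid_t is the 16-bit group ID type used by the legacy getresgid16 call. */
typedef uint16_t old_gid_t;

/* Assumed kernel default for /proc/sys/kernel/overflowgid. */
#define OVERFLOWGID 65534

/* Mirrors the kernel's high2lowgid() mapping: a gid that does not fit in
 * 16 bits is reported as the overflow gid, not silently truncated. */
old_gid_t high2lowgid(gid_t gid)
{
    return (gid & ~0xFFFFu) ? (old_gid_t)OVERFLOWGID : (old_gid_t)gid;
}

/* The invariant described above: 1 if real, effective and saved group IDs
 * all agree, 0 otherwise. */
int gids_consistent(gid_t rgid, gid_t egid, gid_t sgid)
{
    return rgid == egid && egid == sgid;
}

/* Query the calling process and fill out[] with what a 16-bit caller would
 * see for each id. Returns 1 if consistent, 0 if not, -1 on syscall error. */
int check_current_gids(old_gid_t out[3])
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    out[0] = high2lowgid(r);
    out[1] = high2lowgid(e);
    out[2] = high2lowgid(s);
    return gids_consistent(r, e, s);
}

int main(void)
{
    old_gid_t g[3];
    int ok = check_current_gids(g);
    printf("rgid=%u egid=%u sgid=%u consistent=%d\n", g[0], g[1], g[2], ok);
    return ok == 1 ? 0 : 1;
}
```

A process running with a group ID above 65535 (common with centrally managed accounts) therefore shows up as 65534 in this event's arguments, which is worth remembering when correlating it with setresgid16 or with the 32-bit variants.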

Available Tags

  • K - Originated from kernel-space.

Hooks

do_getresgid16

Type

Kprobe

Purpose

To allow users to trace or monitor calls to the getresgid16() system call from user space.

Example Use Case

Monitoring changes to the caller's real, effective, and saved group IDs, for example to confirm the result of a credential change.

Issues

In some kernels, the allocated argument had to be set to the size of the old_gid_t type, but this was deprecated in kernel 4.20.

Related Events

  • setresgid16 - set the real, effective, and saved group IDs of the calling process

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.