# setgid

## Intro

setgid - set group identity of the current process
## Description

The `setgid` syscall is used to set the group identity of the current process. This syscall does not affect the supplemental group list (see `getgroups`/`setgroups`). On most implementations, only root is allowed to call this syscall.

The primary advantage of using `setgid` is that it is a very simple, lightweight way to switch the group ID of the current process. However, there are some edge cases to be aware of. Not all implementations will set the effective GID on all threads, which can lead to inconsistent behavior. Additionally, this syscall does not affect the supplemental group list, so any groups set through `setgid` will not be applied to any child processes which are created.
## Arguments

- `gid`:`gid_t` - The GID to use as the effective GID of the calling process.
## Available Tags

- K - Originated from kernel-space.
## Hooks

### sys_setgid

#### Type

kprobes + kretprobes

#### Purpose

To monitor the entry and return from `setgid` calls.
## Example Use Case

This could be used to monitor processes attempting to change their group ID, which may indicate an attack being launched or an escalation of privileges.
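As an added example (not part of the Tracee project's own code), the following detector scans Tracee-style newline-delimited JSON events and flags successful switches to GID 0 as well as failed `setgid` attempts. The field names (`eventName`, `args`, `returnValue`, `processName`, `processId`) are assumed from Tracee's JSON output, and the sample lines are constructed for this example.

```python
"""Flag setgid events worth attention in a Tracee JSON event stream."""
import json

# Constructed sample lines in the shape of Tracee's JSON output (field names
# assumed from Tracee's output format; process names, PIDs and values are made up).
SAMPLE_EVENTS = """\
{"eventName":"setgid","processName":"sshd","processId":1201,"args":[{"name":"gid","type":"gid_t","value":1000}],"returnValue":0}
{"eventName":"setgid","processName":"bash","processId":4402,"args":[{"name":"gid","type":"gid_t","value":0}],"returnValue":0}
{"eventName":"setgid","processName":"python3","processId":4410,"args":[{"name":"gid","type":"gid_t","value":0}],"returnValue":-1}
{"eventName":"openat","processName":"bash","processId":4402,"args":[{"name":"pathname","type":"const char*","value":"/etc/passwd"}],"returnValue":3}
"""


def gid_arg(event):
    """Return the value of the event's `gid` argument, or None if absent."""
    for arg in event.get("args", []):
        if arg.get("name") == "gid":
            return arg.get("value")
    return None


def classify(event, privileged_gid=0):
    """Return a finding for a setgid event worth attention, else None.

    A successful switch to the privileged GID (0, the root group) and a failed
    attempt (the kernel's error is surfaced as a negative returnValue) are both
    reported; routine switches to an ordinary group are ignored.
    """
    if event.get("eventName") != "setgid":
        return None
    gid = gid_arg(event)
    ret = event.get("returnValue", 0)
    proc = f'{event.get("processName")}[{event.get("processId")}]'
    if ret < 0:
        return f"{proc}: failed setgid({gid}) (returnValue={ret})"
    if gid == privileged_gid:
        return f"{proc}: switched to privileged GID {gid}"
    return None


def scan(lines):
    """Parse newline-delimited JSON events and collect the findings in order."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue  # skip blank lines between events
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```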
## Issues

This syscall does not affect the supplemental group list, so any groups set through `setgid` will not be applied to any child processes which are created.
## Related Events

- `getgid` - get the group identity of the current process
- `setgroups` - set the supplemental group list
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.