setgroups16

Intro

setgroups16 - assign process's supplementary group IDs

Description

The setgroups16() system call sets the supplementary group IDs for the process. The argument size specifies the number of group IDs passed in list. The group IDs in list are set for the range 0 <= i < size. If the process is privileged, all requested IDs can be set; otherwise, an error may be returned if any of the IDs specified by list are invalid or not permissible for the real user ID of the calling process.

Unlike setgroups(), which sets the process's supplementary group IDs to exactly those supplied in list, setgroups16() fills the supplementary group IDs with values taken from list and leaves the entries after the last one specified in list empty, following the BSD 4.3 behaviour.

Arguments

  • size:size_t[K] - specifies the number of group IDs passed in list.
  • list:const gid_t*[U] - contains the group IDs to be set for the calling process.

Available Tags

  • K - Originated from kernel space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

do_setgroups16

Type

Kprobe

Purpose

This hook is used to monitor the system call do_setgroups16, which is responsible for setting the supplementary group IDs of a process.

Example Use Case

This function can be used to detect changes in the supplementary group IDs of a process. For example, this can be used to detect if a malicious process is setting itself as the root user.
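
One way to see which IDs a setgroups16 event actually changed, without dereferencing the user-space list pointer, is to compare the Groups: line of /proc/<pid>/status captured before and after the event. The code below is an added example, not part of Tracee or of the original page; the function names ParseGroups and Added and the sample snapshots are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ParseGroups returns the IDs on the "Groups:" line of a /proc/<pid>/status snapshot.
func ParseGroups(status string) ([]uint32, error) {
	for _, line := range strings.Split(status, "\n") {
		if !strings.HasPrefix(line, "Groups:") {
			continue
		}
		var gids []uint32
		for _, f := range strings.Fields(strings.TrimPrefix(line, "Groups:")) {
			n, err := strconv.ParseUint(f, 10, 32)
			if err != nil {
				return nil, fmt.Errorf("bad gid %q: %w", f, err)
			}
			gids = append(gids, uint32(n))
		}
		return gids, nil // an empty Groups: line yields an empty list
	}
	return nil, fmt.Errorf("no Groups: line in snapshot")
}

// Added returns the IDs in after that are missing from before, in after's order.
func Added(before, after []uint32) []uint32 {
	seen := map[uint32]bool{}
	for _, g := range before {
		seen[g] = true
	}
	var out []uint32
	for _, g := range after {
		if !seen[g] {
			seen[g] = true
			out = append(out, g)
		}
	}
	return out
}

func main() {
	// Constructed snapshots taken before and after a setgroups16 event.
	before, _ := ParseGroups("Name:\tworker\nUid:\t1000\t1000\t1000\t1000\nGroups:\t1000 \n")
	after, _ := ParseGroups("Name:\tworker\nUid:\t1000\t1000\t1000\t1000\nGroups:\t0 27 1000 \n")
	fmt.Println("groups added:", Added(before, after))
}
```

A non-root process that gains GID 0 or another administrative group this way is the kind of change worth alerting on.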

Issues

No known issues.

This system call is related to the setgroups() system call, since it sets the supplementary group IDs of a process in a similar way. Also related is the getgroups16() system call, which can be used to retrieve the current supplementary group IDs assigned to a process.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.