# setregid

## Intro

setregid - set the real/effective group id of the calling process

## Description
The setregid() system call sets both the real and the effective group ID of the calling process in one call. It takes two arguments, rgid and egid, both of type gid_t. This gives a process a simple way to change its group IDs and so supports effective group management.

setregid() can also be used to grant privilege: a process temporarily sets its effective group ID to a privileged group, performs the required operations, and then sets it back.
## Arguments

- `rgid`:`gid_t` - The real group ID of the calling process.
- `egid`:`gid_t` - The effective group ID of the calling process.
## Available Tags

- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
## Hooks

### sys_setegid

#### Type

Tracepoint

#### Purpose

In order to monitor any changes to the effective group ID of a process.

### sys_setregid

#### Type

Kprobe

#### Purpose

In order to monitor processes setting their real or effective group ID.

## Example Use Case

A service might need to switch user/group contexts in order to access restricted resources. Using this event, the system administrator can monitor the service's behaviour and check for suspicious changes to its real or effective group ID.
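The monitoring idea above, as an added example that is not part of the Tracee project or its documentation: it replays setregid events, keeps per-process (rgid, egid) state, honours the setregid(2) rule that a value of -1 leaves an ID unchanged, and flags the "raise effective GID to a privileged group, then set it back" pattern the Description mentions. The JSON field names (`eventName`, `processId`, `args`), the sample events and the choice of GID 0 as "privileged" are assumptions constructed for the example.

```python
import json

# setregid(2): -1 means "leave this ID unchanged"; an event source may
# report it as -1 or as the unsigned gid_t wrap-around 4294967295.
UNCHANGED = {-1, 0xFFFFFFFF}
PRIVILEGED_GIDS = {0}  # constructed policy: GID 0 (root group) counts as privileged

# Constructed sample events in a Tracee-like JSON shape (field names assumed).
SAMPLE_EVENTS = [
    '{"eventName":"setregid","processId":4242,"processName":"svc","args":[{"name":"rgid","type":"gid_t","value":-1},{"name":"egid","type":"gid_t","value":0}]}',
    '{"eventName":"openat","processId":4242,"processName":"svc","args":[{"name":"pathname","type":"const char*","value":"/var/lib/svc/data"}]}',
    '{"eventName":"setregid","processId":4242,"processName":"svc","args":[{"name":"rgid","type":"gid_t","value":4294967295},{"name":"egid","type":"gid_t","value":1000}]}',
    '{"eventName":"setregid","processId":5151,"processName":"cron","args":[{"name":"rgid","type":"gid_t","value":1000},{"name":"egid","type":"gid_t","value":1000}]}',
]


def parse_setregid(line):
    """Return (pid, rgid, egid) for a setregid event line, or None for any other event."""
    ev = json.loads(line)
    if ev.get("eventName") != "setregid":
        return None
    args = {a["name"]: a["value"] for a in ev.get("args", [])}
    return ev["processId"], args["rgid"], args["egid"]


def track_gid_changes(lines, initial_gids):
    """Replay setregid events against per-process (rgid, egid) state.

    initial_gids maps pid -> (rgid, egid) known before the first event.
    Returns (alerts, final_state); each alert is (pid, reason, old_egid, new_egid).
    """
    state = dict(initial_gids)
    alerts = []
    for line in lines:
        parsed = parse_setregid(line)
        if parsed is None:
            continue
        pid, rgid, egid = parsed
        old_rgid, old_egid = state.get(pid, (None, None))
        new_rgid = old_rgid if rgid in UNCHANGED else rgid  # -1 keeps the old value
        new_egid = old_egid if egid in UNCHANGED else egid
        was_priv = old_egid in PRIVILEGED_GIDS
        now_priv = new_egid in PRIVILEGED_GIDS
        if now_priv and not was_priv:
            alerts.append((pid, "egid raised to privileged group", old_egid, new_egid))
        elif was_priv and not now_priv:
            alerts.append((pid, "egid dropped from privileged group", old_egid, new_egid))
        state[pid] = (new_rgid, new_egid)
    return alerts, state


if __name__ == "__main__":
    print(track_gid_changes(SAMPLE_EVENTS, {4242: (1000, 1000), 5151: (1000, 1000)})[0])
```

The initial state would normally come from the process's credentials at Tracee start-up; here it is supplied by hand. With the sample events, pid 4242 produces a "raised" and a "dropped" alert while pid 5151, whose IDs do not change, produces none.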
## Issues

None

## Related Events

Other events related to setregid() are getuid(), setreuid(), setgid(), and getgid().
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.