setresuid16
Intro
setresuid16 - set real, effective and saved user identity
Description
The setresuid16 syscall sets the effective, real, and saved user identities depending on the value of the argument flags. A process with the CAP_SETUID capability can set its own user IDs. A process without the CAP_SETUID capability can set the real and effective user IDs to the effective user ID of the process. All the IDs are changed regardless of the value of the flags argument, so group and supplemental group changes cannot be suppressed.
Arguments
- ruid: old_uid_t [K] - real user ID
- euid: old_uid_t [K] - effective user ID
- suid: old_uid_t [K] - saved set-user-ID
Available Tags
- K - Originated from kernel-space.
Hooks
sys_setresuid16
Type
Kprobe
Purpose
To monitor changes in user IDs.
Example Use Case
A system administrator can use this event to monitor user ID changes as they occur. The event can be used to detect attempts to change a user's identity in order to access resources that user is not authorized to access.
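One way to apply the monitoring described above, as an added example (not Tracee's own code): it reads JSON events, one per line, and reports setresuid16 calls in which a non-root caller requests UID 0. The field names (eventName, userId, processId, returnValue, args) are assumed from Tracee's JSON output, the sample events are constructed, and a value of -1 or 65535, that is (old_uid_t)-1, is treated as "leave this ID unchanged".

```python
import json

UNCHANGED = (-1, 0xFFFF)  # (old_uid_t)-1 means "leave this ID as it is"

# Constructed sample events, one JSON object per line (field names assumed).
SAMPLE = """\
{"eventName":"setresuid16","processId":4121,"userId":0,"returnValue":0,"args":[{"name":"ruid","value":1000},{"name":"euid","value":1000},{"name":"suid","value":1000}]}
{"eventName":"setresuid16","processId":5310,"userId":1000,"returnValue":0,"args":[{"name":"ruid","value":65535},{"name":"euid","value":0},{"name":"suid","value":65535}]}
{"eventName":"setresuid16","processId":5388,"userId":1000,"returnValue":-1,"args":[{"name":"ruid","value":0},{"name":"euid","value":0},{"name":"suid","value":0}]}
{"eventName":"setreuid16","processId":5400,"userId":1000,"returnValue":0,"args":[{"name":"ruid","value":0},{"name":"euid","value":0}]}
not-json
"""


def requested_ids(event):
    """Return {argument name: requested UID}, dropping 'unchanged' sentinels."""
    wanted = {}
    for arg in event.get("args") or []:
        if not isinstance(arg, dict) or arg.get("name") not in ("ruid", "euid", "suid"):
            continue
        if arg.get("value") not in UNCHANGED:
            wanted[arg["name"]] = arg["value"]
    return wanted


def find_root_requests(lines):
    """Report setresuid16 calls where a non-root caller asks for UID 0."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON events
        if not isinstance(event, dict) or event.get("eventName") != "setresuid16":
            continue
        to_root = sorted(n for n, uid in requested_ids(event).items() if uid == 0)
        if to_root and event.get("userId") != 0:
            findings.append({
                "pid": event.get("processId"),
                "uid": event.get("userId"),
                "ids": to_root,
                # A failed call is still worth recording as an attempt.
                "outcome": "succeeded" if event.get("returnValue") == 0 else "denied",
            })
    return findings


if __name__ == "__main__":
    for finding in find_root_requests(SAMPLE.splitlines()):
        print(finding)
```

The root-to-1000 privilege drop in the first sample event is not reported; only requests for UID 0 from a non-root caller are, whether the kernel allowed them or not.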
Issues
There are no known issues with this event.
Related Events
- getresuid16 - get real, effective, and saved user identity
- setreuid16 - set real and effective user identity
- setfsuid16 - set filesystem user identity
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.