Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 9 May 2001 13:31:32 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        audit@FreeBSD.org
Subject:   RE: Patch to eliminate struct pcred (fwd)
Message-ID:  <Pine.NEB.3.96L.1010509132551.11741x-100000@fledge.watson.org>

next in thread | raw e-mail | index | archive | help

Attached, please find pcred.3.diff, a patch which merges the ucred and
pcred structures in 5.0-CURRENT.  Also, please find my comments on
initially posting the patch on the topic of the changes and rationale for
those changes, made to freebsd-arch a couple of days ago.  I'd like to
commit this in the next day or two; any comments would be appreciated. The
basic gist of this change is that it combines the two existing process
credential structures, allowing the ucred to be used for almost all access
control decisions without use of struct proc directly; it also simplifies
the caching of credential information in sigio structures (and related
kinds of places), as well as locking for access control decisions.

From: Robert Watson <rwatson@FreeBSD.org>
To: arch@FreeBSD.org
Subject: Patch to eliminate struct pcred

Below, please find patches to eliminate struct pcred, as previously
discussed on this list.  Detailed description of the changes is below, but
the quick of it is: pcred and ucred were independent, these patches merge
both into ucred, simplifying a number of cached credential cases (such as
in sigio), and making the ucred the central structure required for almost
all subject-based authorization events.  While I did this, I took the
opportunity to clean up a number of related issues, including changing the
uid/gid helper functions substantially.  If you prefer patches via the
web, they are at:

  http://www.watson.org/~robert/pcred.diff

Any reviews welcome.  An important observation is that, in practice,
almost all pcred write operations involve a ucred copy-on-write, so this
shouldn't increase the number of ucred's in use; it does slightly expand
ucred, but also removes an indirection from the use of ucred in most
environments.  The performance impact is probably a wash.

Detailed description:

o Merge contents of struct pcred into struct ucred.  Specifically, add the
  real uid, saved uid, real gid, and saved gid to ucred, as well as the
  pcred->pc_uidinfo, which was associated with the real uid, only rename
  it to cr_ruidinfo so as not to conflict with cr_uidinfo, which
  corresponds to the effective uid.
o Remove p_cred from struct proc; add p_ucred to struct proc, replacing
  original macro that pointed.
  p->p_ucred to p->p_cred->pc_ucred.
o Universally update code so that it makes use of ucred instead of pcred,
  p->p_ucred instead of p->p_pcred, cr_ruidinfo instead of p_uidinfo,
  cr_{r,sv}{u,g}id instead of p_*, etc.
o Remove pcred0 and its initialization from init_main.c; initialize
  cr_ruidinfo there.
o Restruction many credential modification chunks to always crdup while
  we figure out locking and optimizations; generally speaking, this
  means moving to a structure like this:
        newcred = crdup(oldcred);
        ...
        p->p_ucred = newcred;
        crfree(oldcred);
  It's not race-free, but better than nothing.  There are also races
  in sys_process.c, all inter-process authorization, fork, exec, and
  exit.
o Remove sigio->sio_ruid since sigio->sio_ucred now contains the ruid;
  remove comments indicating that the old arrangement was a problem.
o Restructure exec1() a little to use newcred/oldcred arrangement, and
  use improved uid management primitives.
o Clean up exit1() so as to do less work in credential cleanup due to
  pcred removal.
o Clean up fork1() so as to do less work in credential cleanup and
  allocation.
o Clean up ktrcanset() to take into account changes, and move to using
  suser_xxx() instead of performing a direct uid==0 comparision.
o Improve commenting in various kern_prot.c credential modification
  calls to better document current behavior.  In a couple of places,
  current behavior is a little questionable and we need to check
  POSIX.1 to make sure it's "right".  More commenting work still
  remains to be done.
o Update credential management calls, such as crfree(), to take into
  account new ruidinfo reference.
o Modify or add the following uid and gid helper routines:
      change_euid()
      change_egid()
      change_ruid()
      change_rgid()
      change_svuid()
      change_svgid()
  In each case, the call now acts on a credential not a process, and as
  such no longer requires more complicated process locking/etc.  They
  now assume the caller will do any necessary allocation of an
  exclusive credential reference.  Each is commented to document its
  reference requirements.
o CANSIGIO() is simplified to require only credentials, not processes
  and pcreds.
o Remove lots of (p_pcred==NULL) checks.
o Add an XXX to authorization code in nfs_lock.c, since it's
  questionable, and needs to be considered carefully.
o Simplify posix4 authorization code to require only credentials, not
  processes and pcreds.  Note that this authorization, as well as
  CANSIGIO(), needs to be updated to use the p_cansignal() and
  p_cansched() centralized authorization routines, as they currently
  do not take into account some desirable restrictions that are handled
  by the centralized routines, as well as being inconsistent with other
  similar authorization instances.


Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services


? compile/GENERIC
? compile/LINT
? i386/conf/LINT
Index: compat/linprocfs/linprocfs_misc.c
===================================================================
RCS file: /home/ncvs/src/sys/compat/linprocfs/linprocfs_misc.c,v
retrieving revision 1.24
diff -u -r1.24 linprocfs_misc.c
--- compat/linprocfs/linprocfs_misc.c	2001/05/01 08:11:51	1.24
+++ compat/linprocfs/linprocfs_misc.c	2001/05/09 17:22:37
@@ -444,14 +444,14 @@
 	PROC_LOCK(p);
 	sbuf_printf(&sb, "PPid:\t%d\n",		p->p_pptr ?
 						p->p_pptr->p_pid : 0);
-	sbuf_printf(&sb, "Uid:\t%d %d %d %d\n", p->p_cred->p_ruid,
+	sbuf_printf(&sb, "Uid:\t%d %d %d %d\n", p->p_ucred->cr_ruid,
 			                        p->p_ucred->cr_uid,
-			                        p->p_cred->p_svuid,
+			                        p->p_ucred->cr_svuid,
 			                        /* FreeBSD doesn't have fsuid */
 				                p->p_ucred->cr_uid);
-	sbuf_printf(&sb, "Gid:\t%d %d %d %d\n", p->p_cred->p_rgid,
+	sbuf_printf(&sb, "Gid:\t%d %d %d %d\n", p->p_ucred->cr_rgid,
 			                        p->p_ucred->cr_gid,
-			                        p->p_cred->p_svgid,
+			                        p->p_ucred->cr_svgid,
 			                        /* FreeBSD doesn't have fsgid */
 				                p->p_ucred->cr_gid);
 	sbuf_cat(&sb, "Groups:\t");
@@ -543,7 +543,7 @@
 	char *freepath = NULL;
 
 	p = PFIND(pfs->pfs_pid);
-	if (p == NULL || p->p_cred == NULL || p->p_ucred == NULL) {
+	if (p == NULL || p->p_ucred == NULL) {
 		if (p != NULL)
 			PROC_UNLOCK(p);
 		printf("doexelink: pid %d disappeared\n", pfs->pfs_pid);
Index: compat/linprocfs/linprocfs_vnops.c
===================================================================
RCS file: /home/ncvs/src/sys/compat/linprocfs/linprocfs_vnops.c,v
retrieving revision 1.23
diff -u -r1.23 linprocfs_vnops.c
--- compat/linprocfs/linprocfs_vnops.c	2001/05/04 05:19:22	1.23
+++ compat/linprocfs/linprocfs_vnops.c	2001/05/09 17:22:37
@@ -432,7 +432,7 @@
 		procp = PFIND(pfs->pfs_pid);
 		if (procp == NULL)
 			return (ENOENT);
-		if (procp->p_cred == NULL || procp->p_ucred == NULL) {
+		if (procp->p_ucred == NULL) {
 			PROC_UNLOCK(procp);
 			return (ENOENT);
 		}
Index: compat/linux/linux_misc.c
===================================================================
RCS file: /home/ncvs/src/sys/compat/linux/linux_misc.c,v
retrieving revision 1.101
diff -u -r1.101 linux_misc.c
--- compat/linux/linux_misc.c	2001/05/01 08:11:51	1.101
+++ compat/linux/linux_misc.c	2001/05/09 17:22:38
@@ -958,12 +958,11 @@
 	struct proc *p;
 	struct linux_setgroups_args *uap;
 {
-	struct pcred *pc;
+	struct ucred *newcred, *oldcred = p->p_ucred;
 	linux_gid_t linux_gidset[NGROUPS];
 	gid_t *bsd_gidset;
 	int ngrp, error;
 
-	pc = p->p_cred;
 	ngrp = uap->gidsetsize;
 
 	/*
@@ -972,22 +971,22 @@
 	 * Keep cr_groups[0] unchanged to prevent that.
 	 */
 
-	if ((error = suser_xxx(NULL, p, PRISON_ROOT)) != 0)
+	if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
 		return (error);
 
 	if (ngrp >= NGROUPS)
 		return (EINVAL);
 
-	pc->pc_ucred = crcopy(pc->pc_ucred);
+	newcred = crdup(oldcred);
 	if (ngrp > 0) {
 		error = copyin((caddr_t)uap->gidset, (caddr_t)linux_gidset,
 			       ngrp * sizeof(linux_gid_t));
 		if (error)
 			return (error);
 
-		pc->pc_ucred->cr_ngroups = ngrp + 1;
+		newcred->cr_ngroups = ngrp + 1;
 
-		bsd_gidset = pc->pc_ucred->cr_groups;
+		bsd_gidset = newcred->cr_groups;
 		ngrp--;
 		while (ngrp >= 0) {
 			bsd_gidset[ngrp + 1] = linux_gidset[ngrp];
@@ -995,9 +994,13 @@
 		}
 	}
 	else
-		pc->pc_ucred->cr_ngroups = 1;
+		newcred->cr_ngroups = 1;
 
 	setsugid(p);
+
+	p->p_ucred = newcred;
+	crfree(oldcred);
+
 	return (0);
 }
 
@@ -1006,14 +1009,14 @@
 	struct proc *p;
 	struct linux_getgroups_args *uap;
 {
-	struct pcred *pc;
+	struct ucred *cred;
 	linux_gid_t linux_gidset[NGROUPS];
 	gid_t *bsd_gidset;
 	int bsd_gidsetsz, ngrp, error;
 
-	pc = p->p_cred;
-	bsd_gidset = pc->pc_ucred->cr_groups;
-	bsd_gidsetsz = pc->pc_ucred->cr_ngroups - 1;
+	cred = p->p_ucred;
+	bsd_gidset = cred->cr_groups;
+	bsd_gidsetsz = cred->cr_ngroups - 1;
 
 	/*
 	 * cr_groups[0] holds egid. Returning the whole set
Index: compat/svr4/svr4_misc.c
===================================================================
RCS file: /home/ncvs/src/sys/compat/svr4/svr4_misc.c,v
retrieving revision 1.30
diff -u -r1.30 svr4_misc.c
--- compat/svr4/svr4_misc.c	2001/05/01 08:11:52	1.30
+++ compat/svr4/svr4_misc.c	2001/05/09 17:22:40
@@ -1283,7 +1283,7 @@
 			/*
 			 * Decrement the count of procs running with this uid.
 			 */
-			(void)chgproccnt(q->p_cred->p_uidinfo, -1, 0);
+			(void)chgproccnt(q->p_ucred->cr_ruidinfo, -1, 0);
 
 			/*
 			 * Release reference to text vnode.
@@ -1294,13 +1294,8 @@
 			/*
 			 * Free up credentials.
 			 */
-			PROC_LOCK(q);
-			if (--q->p_cred->p_refcnt == 0) {
-				crfree(q->p_ucred);
-				uifree(q->p_cred->p_uidinfo);
-				FREE(q->p_cred, M_SUBPROC);
-				q->p_cred = NULL;
-			}
+			crfree(q->p_ucred);
+			q->p_ucred = NULL;
 
 			/*
 			 * Remove unused arguments
Index: compat/svr4/svr4_sysvec.c
===================================================================
RCS file: /home/ncvs/src/sys/compat/svr4/svr4_sysvec.c,v
retrieving revision 1.20
diff -u -r1.20 svr4_sysvec.c
--- compat/svr4/svr4_sysvec.c	2001/02/24 22:20:02	1.20
+++ compat/svr4/svr4_sysvec.c	2001/05/09 17:22:41
@@ -213,10 +213,10 @@
 	AUXARGS_ENTRY(pos, AT_FLAGS, args->flags);
 	AUXARGS_ENTRY(pos, AT_ENTRY, args->entry);
 	AUXARGS_ENTRY(pos, AT_BASE, args->base);
-	AUXARGS_ENTRY(pos, AT_UID, imgp->proc->p_cred->p_ruid);
-	AUXARGS_ENTRY(pos, AT_EUID, imgp->proc->p_cred->p_svuid);
-	AUXARGS_ENTRY(pos, AT_GID, imgp->proc->p_cred->p_rgid);
-	AUXARGS_ENTRY(pos, AT_EGID, imgp->proc->p_cred->p_svgid);
+	AUXARGS_ENTRY(pos, AT_UID, imgp->proc->p_ucred->cr_ruid);
+	AUXARGS_ENTRY(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid);
+	AUXARGS_ENTRY(pos, AT_GID, imgp->proc->p_ucred->cr_rgid);
+	AUXARGS_ENTRY(pos, AT_EGID, imgp->proc->p_ucred->cr_svgid);
 	AUXARGS_ENTRY(pos, AT_NULL, 0);
 	
 	free(imgp->auxargs, M_TEMP);      
Index: ddb/db_ps.c
===================================================================
RCS file: /home/ncvs/src/sys/ddb/db_ps.c,v
retrieving revision 1.22
diff -u -r1.22 db_ps.c
--- ddb/db_ps.c	2001/03/28 09:17:49	1.22
+++ ddb/db_ps.c	2001/05/09 17:22:42
@@ -95,7 +95,7 @@
 
 		db_printf("%5d %8p %8p %4d %5d %5d %06x  %d",
 		    p->p_pid, (volatile void *)p, (void *)p->p_addr,
-		    p->p_cred ? p->p_cred->p_ruid : 0, pp->p_pid,
+		    p->p_ucred ? p->p_ucred->cr_ruid : 0, pp->p_pid,
 		    p->p_pgrp ? p->p_pgrp->pg_id : 0, p->p_flag, p->p_stat);
 		if (p->p_wchan) {
 			db_printf("  %6s %8p", p->p_wmesg, (void *)p->p_wchan);
Index: i386/linux/linux_sysvec.c
===================================================================
RCS file: /home/ncvs/src/sys/i386/linux/linux_sysvec.c,v
retrieving revision 1.78
diff -u -r1.78 linux_sysvec.c
--- i386/linux/linux_sysvec.c	2001/05/01 08:12:52	1.78
+++ i386/linux/linux_sysvec.c	2001/05/09 17:22:51
@@ -186,10 +186,10 @@
 	AUXARGS_ENTRY(pos, AT_ENTRY, args->entry);
 	AUXARGS_ENTRY(pos, AT_BASE, args->base);
 	PROC_LOCK(imgp->proc);
-	AUXARGS_ENTRY(pos, AT_UID, imgp->proc->p_cred->p_ruid);
-	AUXARGS_ENTRY(pos, AT_EUID, imgp->proc->p_cred->p_svuid);
-	AUXARGS_ENTRY(pos, AT_GID, imgp->proc->p_cred->p_rgid);
-	AUXARGS_ENTRY(pos, AT_EGID, imgp->proc->p_cred->p_svgid);
+	AUXARGS_ENTRY(pos, AT_UID, imgp->proc->p_ucred->cr_ruid);
+	AUXARGS_ENTRY(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid);
+	AUXARGS_ENTRY(pos, AT_GID, imgp->proc->p_ucred->cr_rgid);
+	AUXARGS_ENTRY(pos, AT_EGID, imgp->proc->p_ucred->cr_svgid);
 	PROC_UNLOCK(imgp->proc);
 	AUXARGS_ENTRY(pos, AT_NULL, 0);
 	
Index: kern/init_main.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/init_main.c,v
retrieving revision 1.168
diff -u -r1.168 init_main.c
--- kern/init_main.c	2001/04/29 02:44:48	1.168
+++ kern/init_main.c	2001/05/09 17:22:52
@@ -85,7 +85,6 @@
 static struct session session0;
 static struct pgrp pgrp0;
 struct	proc proc0;
-static struct pcred cred0;
 static struct procsig procsig0;
 static struct filedesc0 filedesc0;
 static struct plimit limit0;
@@ -321,12 +320,10 @@
 	callout_init(&p->p_slpcallout, 1);
 
 	/* Create credentials. */
-	cred0.p_refcnt = 1;
-	cred0.p_uidinfo = uifind(0);
-	p->p_cred = &cred0;
 	p->p_ucred = crget();
 	p->p_ucred->cr_ngroups = 1;	/* group 0 */
 	p->p_ucred->cr_uidinfo = uifind(0);
+	p->p_ucred->cr_ruidinfo = uifind(0);
 	p->p_ucred->cr_prison = NULL;	/* Don't jail it. */
 
 	/* Create procsig. */
@@ -380,7 +377,7 @@
 	/*
 	 * Charge root for one process.
 	 */
-	(void)chgproccnt(cred0.p_uidinfo, 1, 0);
+	(void)chgproccnt(p->p_ucred->cr_ruidinfo, 1, 0);
 }
 SYSINIT(p0init, SI_SUB_INTRINSIC, SI_ORDER_FIRST, proc0_init, NULL)
 
Index: kern/kern_acct.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_acct.c,v
retrieving revision 1.33
diff -u -r1.33 kern_acct.c
--- kern/kern_acct.c	2001/05/01 08:12:55	1.33
+++ kern/kern_acct.c	2001/05/09 17:22:52
@@ -222,8 +222,8 @@
 	acct.ac_io = encode_comp_t(r->ru_inblock + r->ru_oublock, 0);
 
 	/* (6) The UID and GID of the process */
-	acct.ac_uid = p->p_cred->p_ruid;
-	acct.ac_gid = p->p_cred->p_rgid;
+	acct.ac_uid = p->p_ucred->cr_ruid;
+	acct.ac_gid = p->p_ucred->cr_rgid;
 
 	/* (7) The terminal from which the process was started */
 	if ((p->p_flag & P_CONTROLT) && p->p_pgrp->pg_session->s_ttyp)
Index: kern/kern_descrip.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_descrip.c,v
retrieving revision 1.100
diff -u -r1.100 kern_descrip.c
--- kern/kern_descrip.c	2001/05/01 08:12:55	1.100
+++ kern/kern_descrip.c	2001/05/09 17:22:53
@@ -525,8 +525,6 @@
 	sigio->sio_pgid = pgid;
 	crhold(curproc->p_ucred);
 	sigio->sio_ucred = curproc->p_ucred;
-	/* It would be convenient if p_ruid was in ucred. */
-	sigio->sio_ruid = curproc->p_cred->p_ruid;
 	sigio->sio_myref = sigiop;
 	s = splhigh();
 	*sigiop = sigio;
Index: kern/kern_exec.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.126
diff -u -r1.126 kern_exec.c
--- kern/kern_exec.c	2001/05/01 08:12:56	1.126
+++ kern/kern_exec.c	2001/05/09 17:22:54
@@ -104,6 +104,7 @@
 	register struct execve_args *uap;
 {
 	struct nameidata nd, *ndp;
+	struct ucred *oldcred = p->p_ucred, *newcred;
 	register_t *stack_base;
 	int error, len, i;
 	struct image_params image_params, *imgp;
@@ -274,13 +275,23 @@
 	}
 
 	/*
+	 * XXX: Note, the whole execve() is incredibly racey right now
+	 * with regards to debugging and privilege/credential management.
+	 * In particular, it's possible to race during exec() to attach
+	 * debugging to a process that will gain privilege.
+	 *
+	 * This MUST be fixed prior to any release.
+	 */
+
+	/*
 	 * Implement image setuid/setgid.
 	 *
 	 * Don't honor setuid/setgid if the filesystem prohibits it or if
 	 * the process is being traced.
 	 */
-	if ((((attr.va_mode & VSUID) && p->p_ucred->cr_uid != attr.va_uid) ||
-	     ((attr.va_mode & VSGID) && p->p_ucred->cr_gid != attr.va_gid)) &&
+	newcred = NULL;
+	if ((((attr.va_mode & VSUID) && oldcred->cr_uid != attr.va_uid) ||
+	     ((attr.va_mode & VSGID) && oldcred->cr_gid != attr.va_gid)) &&
 	    (imgp->vp->v_mount->mnt_flag & MNT_NOSUID) == 0 &&
 	    (p->p_flag & P_TRACED) == 0) {
 		PROC_UNLOCK(p);
@@ -288,7 +299,7 @@
 		 * Turn off syscall tracing for set-id programs, except for
 		 * root.
 		 */
-		if (p->p_tracep && suser(p)) {
+		if (p->p_tracep && suser_xxx(oldcred, NULL, PRISON_ROOT)) {
 			p->p_traceflag = 0;
 			vrele(p->p_tracep);
 			p->p_tracep = NULL;
@@ -296,25 +307,50 @@
 		/*
 		 * Set the new credentials.
 		 */
-		p->p_ucred = crcopy(p->p_ucred);
+		newcred = crdup(p->p_ucred);
 		if (attr.va_mode & VSUID)
-			change_euid(p, attr.va_uid);
+			change_euid(newcred, attr.va_uid);
 		if (attr.va_mode & VSGID)
-			p->p_ucred->cr_gid = attr.va_gid;
+			change_egid(newcred, attr.va_gid);
 		setsugid(p);
 		setugidsafety(p);
 	} else {
-		if (p->p_ucred->cr_uid == p->p_cred->p_ruid &&
-		    p->p_ucred->cr_gid == p->p_cred->p_rgid)
+		if (oldcred->cr_uid == oldcred->cr_ruid &&
+		    oldcred->cr_gid == oldcred->cr_rgid)
 			p->p_flag &= ~P_SUGID;
 		PROC_UNLOCK(p);
 	}
 
 	/*
 	 * Implement correct POSIX saved-id behavior.
+	 *
+	 * XXX: determine whether tests and sets should occur on old or
+	 * new credentials.
 	 */
-	p->p_cred->p_svuid = p->p_ucred->cr_uid;
-	p->p_cred->p_svgid = p->p_ucred->cr_gid;
+	if (newcred->cr_svuid != newcred->cr_uid ||
+	    newcred->cr_svgid != newcred->cr_gid) {
+		if (newcred != NULL)
+			newcred = crdup(p->p_ucred);
+
+		change_svuid(newcred, newcred->cr_uid);
+		change_svgid(newcred, newcred->cr_gid);
+	}
+
+	if (newcred != NULL) {
+		/*
+		 * If the credential was updated, replace it with the
+		 * new credential.
+		 *
+		 * XXX: should setsugid() be called here?
+		 */
+		struct ucred *oldcred;
+
+		oldcred = p->p_ucred;
+		PROC_LOCK(p);
+		p->p_ucred = newcred;
+		PROC_UNLOCK(p);
+		crfree(oldcred);
+	}
 
 	/*
 	 * Store the vp for use in procfs
Index: kern/kern_exit.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_exit.c,v
retrieving revision 1.126
diff -u -r1.126 kern_exit.c
--- kern/kern_exit.c	2001/05/04 16:13:28	1.126
+++ kern/kern_exit.c	2001/05/09 17:22:54
@@ -514,7 +514,7 @@
 			/*
 			 * Decrement the count of procs running with this uid.
 			 */
-			(void)chgproccnt(p->p_cred->p_uidinfo, -1, 0);
+			(void)chgproccnt(p->p_ucred->cr_ruidinfo, -1, 0);
 
 			/*
 			 * Release reference to text vnode
@@ -539,12 +539,8 @@
 			/*
 			 * Free up credentials.
 			 */
-			if (--p->p_cred->p_refcnt == 0) {
-				crfree(p->p_ucred);
-				uifree(p->p_cred->p_uidinfo);
-				FREE(p->p_cred, M_SUBPROC);
-				p->p_cred = NULL;
-			}
+			crfree(p->p_ucred);
+			p->p_ucred = NULL;
 
 			/*
 			 * Remove unused arguments
Index: kern/kern_fork.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_fork.c,v
retrieving revision 1.111
diff -u -r1.111 kern_fork.c
--- kern/kern_fork.c	2001/05/07 18:07:29	1.111
+++ kern/kern_fork.c	2001/05/09 17:22:55
@@ -257,7 +257,7 @@
 	 * exceed the limit. The variable nprocs is the current number of
 	 * processes, maxproc is the limit.
 	 */
-	uid = p1->p_cred->p_ruid;
+	uid = p1->p_ucred->cr_ruid;
 	if ((nprocs >= maxproc - 1 && uid != 0) || nprocs >= maxproc) {
 		tablefull("proc");
 		return (EAGAIN);
@@ -272,7 +272,7 @@
 	 * Increment the count of procs running with this uid. Don't allow
 	 * a nonprivileged user to exceed their current limit.
 	 */
-	ok = chgproccnt(p1->p_cred->p_uidinfo, 1,
+	ok = chgproccnt(p1->p_ucred->cr_ruidinfo, 1,
 		(uid != 0) ? p1->p_rlimit[RLIMIT_NPROC].rlim_cur : 0);
 	if (!ok) {
 		/*
@@ -408,15 +408,9 @@
 	 * We start off holding one spinlock after fork: sched_lock.
 	 */
 	p2->p_spinlocks = 1;
-	PROC_UNLOCK(p2);
-	MALLOC(p2->p_cred, struct pcred *, sizeof(struct pcred),
-	    M_SUBPROC, M_WAITOK);
-	PROC_LOCK(p2);
 	PROC_LOCK(p1);
-	bcopy(p1->p_cred, p2->p_cred, sizeof(*p2->p_cred));
-	p2->p_cred->p_refcnt = 1;
 	crhold(p1->p_ucred);
-	uihold(p1->p_cred->p_uidinfo);
+	p2->p_ucred = p1->p_ucred;
 
 	if (p2->p_args)
 		p2->p_args->ar_ref++;
Index: kern/kern_ktrace.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_ktrace.c,v
retrieving revision 1.52
diff -u -r1.52 kern_ktrace.c
--- kern/kern_ktrace.c	2001/05/01 08:12:56	1.52
+++ kern/kern_ktrace.c	2001/05/09 17:22:56
@@ -531,17 +531,17 @@
 ktrcanset(callp, targetp)
 	struct proc *callp, *targetp;
 {
-	register struct pcred *caller = callp->p_cred;
-	register struct pcred *target = targetp->p_cred;
+	struct ucred *callcr = callp->p_ucred;
+	struct ucred *targetcr = targetp->p_ucred;
 
-	if (prison_check(callp->p_ucred, targetp->p_ucred))
+	if (prison_check(callcr, targetcr))
 		return (0);
-	if ((caller->pc_ucred->cr_uid == target->p_ruid &&
-	     target->p_ruid == target->p_svuid &&
-	     caller->p_rgid == target->p_rgid &&	/* XXX */
-	     target->p_rgid == target->p_svgid &&
+	if ((callcr->cr_uid == targetcr->cr_ruid &&
+	     targetcr->cr_ruid == targetcr->cr_svuid &&
+	     callcr->cr_rgid == targetcr->cr_rgid &&	/* XXX */
+	     targetcr->cr_rgid == targetcr->cr_svgid &&
 	     (targetp->p_traceflag & KTRFAC_ROOT) == 0) ||
-	     caller->pc_ucred->cr_uid == 0)
+	     !suser_xxx(callcr, NULL, PRISON_ROOT))
 		return (1);
 
 	return (0);
Index: kern/kern_proc.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_proc.c,v
retrieving revision 1.93
diff -u -r1.93 kern_proc.c
--- kern/kern_proc.c	2001/05/01 08:12:57	1.93
+++ kern/kern_proc.c	2001/05/09 17:22:56
@@ -424,15 +424,15 @@
 	kp->ki_textvp = p->p_textvp;
 	kp->ki_fd = p->p_fd;
 	kp->ki_vmspace = p->p_vmspace;
-	if (p->p_cred) {
-		kp->ki_uid = p->p_cred->pc_ucred->cr_uid;
-		kp->ki_ruid = p->p_cred->p_ruid;
-		kp->ki_svuid = p->p_cred->p_svuid;
-		kp->ki_ngroups = p->p_cred->pc_ucred->cr_ngroups;
-		bcopy(p->p_cred->pc_ucred->cr_groups, kp->ki_groups,
+	if (p->p_ucred) {
+		kp->ki_uid = p->p_ucred->cr_uid;
+		kp->ki_ruid = p->p_ucred->cr_ruid;
+		kp->ki_svuid = p->p_ucred->cr_svuid;
+		kp->ki_ngroups = p->p_ucred->cr_ngroups;
+		bcopy(p->p_ucred->cr_groups, kp->ki_groups,
 		    NGROUPS * sizeof(gid_t));
-		kp->ki_rgid = p->p_cred->p_rgid;
-		kp->ki_svgid = p->p_cred->p_svgid;
+		kp->ki_rgid = p->p_ucred->cr_rgid;
+		kp->ki_svgid = p->p_ucred->cr_svgid;
 	}
 	if (p->p_procsig) {
 		kp->ki_sigignore = p->p_procsig->ps_sigignore;
@@ -653,7 +653,7 @@
 
 			case KERN_PROC_RUID:
 				if (p->p_ucred == NULL || 
-				    p->p_cred->p_ruid != (uid_t)name[0])
+				    p->p_ucred->cr_ruid != (uid_t)name[0])
 					continue;
 				break;
 			}
Index: kern/kern_prot.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_prot.c,v
retrieving revision 1.89
diff -u -r1.89 kern_prot.c
--- kern/kern_prot.c	2001/05/01 08:12:57	1.89
+++ kern/kern_prot.c	2001/05/09 17:22:57
@@ -210,7 +210,7 @@
 	struct getuid_args *uap;
 {
 
-	p->p_retval[0] = p->p_cred->p_ruid;
+	p->p_retval[0] = p->p_ucred->cr_ruid;
 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
 	p->p_retval[1] = p->p_ucred->cr_uid;
 #endif
@@ -253,7 +253,7 @@
 	struct getgid_args *uap;
 {
 
-	p->p_retval[0] = p->p_cred->p_rgid;
+	p->p_retval[0] = p->p_ucred->cr_rgid;
 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
 	p->p_retval[1] = p->p_ucred->cr_groups[0];
 #endif
@@ -293,18 +293,18 @@
 	struct proc *p;
 	register struct	getgroups_args *uap;
 {
-	register struct pcred *pc = p->p_cred;
+	register struct ucred *cred = p->p_ucred;
 	register u_int ngrp;
 	int error;
 
 	if ((ngrp = uap->gidsetsize) == 0) {
-		p->p_retval[0] = pc->pc_ucred->cr_ngroups;
+		p->p_retval[0] = cred->cr_ngroups;
 		return (0);
 	}
-	if (ngrp < pc->pc_ucred->cr_ngroups)
+	if (ngrp < cred->cr_ngroups)
 		return (EINVAL);
-	ngrp = pc->pc_ucred->cr_ngroups;
-	if ((error = copyout((caddr_t)pc->pc_ucred->cr_groups,
+	ngrp = cred->cr_ngroups;
+	if ((error = copyout((caddr_t)cred->cr_groups,
 	    (caddr_t)uap->gidset, ngrp * sizeof(gid_t))))
 		return (error);
 	p->p_retval[0] = ngrp;
@@ -427,7 +427,7 @@
 	struct proc *p;
 	struct setuid_args *uap;
 {
-	register struct pcred *pc = p->p_cred;
+	struct ucred *oldcred = p->p_ucred, *newcred;
 	register uid_t uid;
 	int error;
 
@@ -449,16 +449,17 @@
 	 * 3: Change euid last. (after tests in #2 for "appropriate privs")
 	 */
 	uid = uap->uid;
-	if (uid != pc->p_ruid &&		/* allow setuid(getuid()) */
+	if (uid != oldcred->cr_ruid &&		/* allow setuid(getuid()) */
 #ifdef _POSIX_SAVED_IDS
-	    uid != pc->p_svuid &&		/* allow setuid(saved gid) */
+	    uid != oldcred->cr_svuid &&		/* allow setuid(saved gid) */
 #endif
 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
-	    uid != pc->pc_ucred->cr_uid &&	/* allow setuid(geteuid()) */
+	    uid != oldcred->cr_uid &&		/* allow setuid(geteuid()) */
 #endif
-	    (error = suser_xxx(0, p, PRISON_ROOT)))
+	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)))
 		return (error);
 
+	newcred = crdup(oldcred);
 #ifdef _POSIX_SAVED_IDS
 	/*
 	 * Do we have "appropriate privileges" (are we root or uid == euid)
@@ -466,16 +467,16 @@
 	 */
 	if (
 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
-	    uid == pc->pc_ucred->cr_uid ||
+	    uid == oldcred->cr_uid ||
 #endif
-	    suser_xxx(0, p, PRISON_ROOT) == 0) /* we are using privs */
+	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
 #endif
 	{
 		/*
 		 * Set the real uid and transfer proc count to new user.
 		 */
-		if (uid != pc->p_ruid) {
-			change_ruid(p, uid);
+		if (uid != oldcred->cr_ruid) {
+			change_ruid(newcred, uid);
 			setsugid(p);
 		}
 		/*
@@ -485,8 +486,8 @@
 		 * the security of seteuid() depends on it.  B.4.2.2 says it
 		 * is important that we should do this.
 		 */
-		if (pc->p_svuid != uid) {
-			pc->p_svuid = uid;
+		if (uid != oldcred->cr_svuid) {
+			change_svuid(newcred, uid);
 			setsugid(p);
 		}
 	}
@@ -495,10 +496,12 @@
 	 * In all permitted cases, we are changing the euid.
 	 * Copy credentials so other references do not see our changes.
 	 */
-	if (pc->pc_ucred->cr_uid != uid) {
-		change_euid(p, uid);
+	if (uid != oldcred->cr_uid) {
+		change_euid(newcred, uid);
 		setsugid(p);
 	}
+	p->p_ucred = newcred;
+	crfree(oldcred);
 	return (0);
 }
 
@@ -513,23 +516,31 @@
 	struct proc *p;
 	struct seteuid_args *uap;
 {
-	register struct pcred *pc = p->p_cred;
+	register struct ucred *oldcred = p->p_ucred, *newcred;
 	register uid_t euid;
 	int error;
 
 	euid = uap->euid;
-	if (euid != pc->p_ruid &&		/* allow seteuid(getuid()) */
-	    euid != pc->p_svuid &&		/* allow seteuid(saved uid) */
-	    (error = suser_xxx(0, p, PRISON_ROOT)))
+	/*
+	 * The new effective uid must equal the current real or saved
+	 * uid.  Appropriate privilege may override this restriction.
+	 */
+	if (euid != oldcred->cr_ruid &&		/* allow seteuid(getuid()) */
+	    euid != oldcred->cr_svuid &&	/* allow seteuid(saved uid) */
+	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)))
 		return (error);
+
 	/*
 	 * Everything's okay, do it.  Copy credentials so other references do
 	 * not see our changes.
 	 */
-	if (pc->pc_ucred->cr_uid != euid) {
-		change_euid(p, euid);
+	newcred = crdup(oldcred);
+	if (oldcred->cr_uid != euid) {
+		change_euid(newcred, euid);
 		setsugid(p);
 	}
+	p->p_ucred = newcred;
+	crfree(oldcred);
 	return (0);
 }
 
@@ -544,7 +555,7 @@
 	struct proc *p;
 	struct setgid_args *uap;
 {
-	register struct pcred *pc = p->p_cred;
+	register struct ucred *oldcred = p->p_ucred, *newcred;
 	register gid_t gid;
 	int error;
 
@@ -560,16 +571,17 @@
 	 * For notes on the logic here, see setuid() above.
 	 */
 	gid = uap->gid;
-	if (gid != pc->p_rgid &&		/* allow setgid(getgid()) */
+	if (gid != oldcred->cr_rgid &&		/* allow setgid(getgid()) */
 #ifdef _POSIX_SAVED_IDS
-	    gid != pc->p_svgid &&		/* allow setgid(saved gid) */
+	    gid != oldcred->cr_svgid &&		/* allow setgid(saved gid) */
 #endif
 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
-	    gid != pc->pc_ucred->cr_groups[0] && /* allow setgid(getegid()) */
+	    gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
 #endif
-	    (error = suser_xxx(0, p, PRISON_ROOT)))
+	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)))
 		return (error);
 
+	newcred = crdup(oldcred);
 #ifdef _POSIX_SAVED_IDS
 	/*
 	 * Do we have "appropriate privileges" (are we root or gid == egid)
@@ -577,16 +589,16 @@
 	 */
 	if (
 #ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
-	    gid == pc->pc_ucred->cr_groups[0] ||
+	    gid == oldcred->cr_groups[0] ||
 #endif
-	    suser_xxx(0, p, PRISON_ROOT) == 0) /* we are using privs */
+	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
 #endif
 	{
 		/*
 		 * Set real gid
 		 */
-		if (pc->p_rgid != gid) {
-			pc->p_rgid = gid;
+		if (oldcred->cr_rgid != gid) {
+			change_rgid(newcred, gid);
 			setsugid(p);
 		}
 		/*
@@ -596,8 +608,8 @@
 		 * the security of setegid() depends on it.  B.4.2.2 says it
 		 * is important that we should do this.
 		 */
-		if (pc->p_svgid != gid) {
-			pc->p_svgid = gid;
+		if (oldcred->cr_svgid != gid) {
+			change_svgid(newcred, gid);
 			setsugid(p);
 		}
 	}
@@ -605,11 +617,12 @@
 	 * In all cases permitted cases, we are changing the egid.
 	 * Copy credentials so other references do not see our changes.
 	 */
-	if (pc->pc_ucred->cr_groups[0] != gid) {
-		pc->pc_ucred = crcopy(pc->pc_ucred);
-		pc->pc_ucred->cr_groups[0] = gid;
+	if (oldcred->cr_groups[0] != gid) {
+		change_egid(newcred, gid);
 		setsugid(p);
 	}
+	p->p_ucred = newcred;
+	crfree(oldcred);
 	return (0);
 }
 
@@ -624,20 +637,27 @@
 	struct proc *p;
 	struct setegid_args *uap;
 {
-	register struct pcred *pc = p->p_cred;
+	register struct ucred *oldcred = p->p_ucred, *newcred;
 	register gid_t egid;
 	int error;
 
 	egid = uap->egid;
-	if (egid != pc->p_rgid &&		/* allow setegid(getgid()) */
-	    egid != pc->p_svgid &&		/* allow setegid(saved gid) */
-	    (error = suser_xxx(0, p, PRISON_ROOT)))
+	/*
+	 * The new effective gid must be equal to either the current real or
+	 * saved gid.  Appropriate privilege may override this restriction.
+	 */
+	if (egid != oldcred->cr_rgid &&		/* allow setegid(getgid()) */
+	    egid != oldcred->cr_svgid &&	/* allow setegid(saved gid) */
+	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)))
 		return (error);
-	if (pc->pc_ucred->cr_groups[0] != egid) {
-		pc->pc_ucred = crcopy(pc->pc_ucred);
-		pc->pc_ucred->cr_groups[0] = egid;
+	
+	newcred = crdup(oldcred);
+	if (oldcred->cr_groups[0] != egid) {
+		change_egid(newcred, egid);
 		setsugid(p);
 	}
+	p->p_ucred = newcred;
+	crfree(oldcred);
 	return (0);
 }
 
@@ -653,11 +673,11 @@
 	struct proc *p;
 	struct setgroups_args *uap;
 {
-	register struct pcred *pc = p->p_cred;
+	register struct ucred *oldcred = p->p_ucred, *newcred;
 	register u_int ngrp;
 	int error;
 
-	if ((error = suser_xxx(0, p, PRISON_ROOT)))
+	if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)))
 		return (error);
 	ngrp = uap->gidsetsize;
 	if (ngrp > NGROUPS)
@@ -666,7 +686,7 @@
 	 * XXX A little bit lazy here.  We could test if anything has
 	 * changed before crcopy() and setting P_SUGID.
 	 */
-	pc->pc_ucred = crcopy(pc->pc_ucred);
+	newcred = crdup(oldcred);
 	if (ngrp < 1) {
 		/*
 		 * setgroups(0, NULL) is a legitimate way of clearing the
@@ -674,14 +694,18 @@
 		 * have the egid in the groups[0]).  We risk security holes
 		 * when running non-BSD software if we do not do the same.
 		 */
-		pc->pc_ucred->cr_ngroups = 1;
+		newcred->cr_ngroups = 1;
 	} else {
 		if ((error = copyin((caddr_t)uap->gidset,
-		    (caddr_t)pc->pc_ucred->cr_groups, ngrp * sizeof(gid_t))))
+		    (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) {
+			crfree(newcred);
 			return (error);
-		pc->pc_ucred->cr_ngroups = ngrp;
+		}
+		newcred->cr_ngroups = ngrp;
 	}
 	setsugid(p);
+	p->p_ucred = newcred;
+	crfree(oldcred);
 	return (0);
 }
 
@@ -697,31 +721,52 @@
 	register struct proc *p;
 	struct setreuid_args *uap;
 {
-	register struct pcred *pc = p->p_cred;
+	register struct ucred *oldcred = p->p_ucred, *newcred;
 	register uid_t ruid, euid;
 	int error;
 
 	ruid = uap->ruid;
 	euid = uap->euid;
-	if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid) ||
-	     (euid != (uid_t)-1 && euid != pc->pc_ucred->cr_uid &&
-	     euid != pc->p_ruid && euid != pc->p_svuid)) &&
-	    (error = suser_xxx(0, p, PRISON_ROOT)) != 0)
+	/*
+	 * If an real uid update is requested, the requested real uid must
+	 * be equal to the current real or saved uid.  If an effective uid
+	 * update is requested, the requested euid must be equal to the
+	 * current effective uid, real uid, or saved uid.  Appropriate
+	 * privilege may override these restrictions.
+	 */
+	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
+	      ruid != oldcred->cr_svuid) ||
+	     (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
+	      euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
+	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
 		return (error);
 
-	if (euid != (uid_t)-1 && pc->pc_ucred->cr_uid != euid) {
-		change_euid(p, euid);
+	newcred = crdup(oldcred);
+	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
+		change_euid(newcred, euid);
 		setsugid(p);
 	}
-	if (ruid != (uid_t)-1 && pc->p_ruid != ruid) {
-		change_ruid(p, ruid);
+	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
+		change_ruid(newcred, ruid);
 		setsugid(p);
 	}
-	if ((ruid != (uid_t)-1 || pc->pc_ucred->cr_uid != pc->p_ruid) &&
-	    pc->p_svuid != pc->pc_ucred->cr_uid) {
-		pc->p_svuid = pc->pc_ucred->cr_uid;
+	/*
+	 * XXX: What is this intended to accomplish?  In which cases should
+	 * it be looking at the old values, and in which, the new values?
+	 *
+	 * Note current behavior is:
+	 * If the ruid update is requested (even if the ruid is not changed)
+	 * or the euid is not equal to the value of the ruid, a difference
+	 * in the svuid and the euid will result in the svuid being
+	 * updated to the new value of the euid.
+	 */
+	if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
+	    newcred->cr_svuid != newcred->cr_uid) {
+		change_svuid(newcred, newcred->cr_uid);
 		setsugid(p);
 	}
+	p->p_ucred = newcred;
+	crfree(oldcred);
 	return (0);
 }
 
@@ -737,30 +782,49 @@
 	register struct proc *p;
 	struct setregid_args *uap;
 {
-	register struct pcred *pc = p->p_cred;
+	register struct ucred *oldcred = p->p_ucred, *newcred;
 	register gid_t rgid, egid;
 	int error;
 
 	rgid = uap->rgid;
 	egid = uap->egid;
-	if (((rgid != (gid_t)-1 && rgid != pc->p_rgid && rgid != pc->p_svgid) ||
-	     (egid != (gid_t)-1 && egid != pc->pc_ucred->cr_groups[0] &&
-	     egid != pc->p_rgid && egid != pc->p_svgid)) &&
-	    (error = suser_xxx(0, p, PRISON_ROOT)) != 0)
+	/*
+	 * If a real gid update is requested, the requested real gid must
+	 * be equal to the current real or saved gid.  If an effective gid
+	 * update is requested, the requested effective gid must be equal
+	 * to the current effective gid, the current real gid, or the
+	 * current saved gid.  Apropriate privilege may override this
+	 * restriction.
+	 */
+	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
+	    rgid != oldcred->cr_svgid) ||
+	     (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
+	     egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
+	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
 		return (error);
 
-	if (egid != (gid_t)-1 && pc->pc_ucred->cr_groups[0] != egid) {
-		pc->pc_ucred = crcopy(pc->pc_ucred);
-		pc->pc_ucred->cr_groups[0] = egid;
+	newcred = crdup(oldcred);
+	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
+		change_egid(newcred, egid);
 		setsugid(p);
 	}
-	if (rgid != (gid_t)-1 && pc->p_rgid != rgid) {
-		pc->p_rgid = rgid;
+	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
+		change_rgid(newcred, rgid);
 		setsugid(p);
 	}
-	if ((rgid != (gid_t)-1 || pc->pc_ucred->cr_groups[0] != pc->p_rgid) &&
-	    pc->p_svgid != pc->pc_ucred->cr_groups[0]) {
-		pc->p_svgid = pc->pc_ucred->cr_groups[0];
+	/*
+	 * XXX: What is this intended to accomplish?  In which cases should
+	 * it be looking at the old values, and in which, the new values?
+	 *
+	 * Note current behavior is:
+	 * If the rgid update is requested (even if the rgid is not changed)
+	 * or the egid is not equal to the value of the rgid, a difference
+	 * in the svgid and the egid will result in the svuid being
+	 * updated to the new value of the euid.
+	 */
+	if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
+	    newcred->cr_svgid != newcred->cr_groups[0]) {
+		change_svgid(newcred, newcred->cr_groups[0]);
 		setsugid(p);
 	}
 	return (0);
@@ -784,33 +848,40 @@
 	register struct proc *p;
 	struct setresuid_args *uap;
 {
-	register struct pcred *pc = p->p_cred;
+	register struct ucred *oldcred = p->p_ucred, *newcred;
 	register uid_t ruid, euid, suid;
 	int error;
 
 	ruid = uap->ruid;
 	euid = uap->euid;
 	suid = uap->suid;
-	if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid &&
-	      ruid != pc->pc_ucred->cr_uid) ||
-	     (euid != (uid_t)-1 && euid != pc->p_ruid && euid != pc->p_svuid &&
-	      euid != pc->pc_ucred->cr_uid) ||
-	     (suid != (uid_t)-1 && suid != pc->p_ruid && suid != pc->p_svuid &&
-	      suid != pc->pc_ucred->cr_uid)) &&
-	    (error = suser_xxx(0, p, PRISON_ROOT)) != 0)
+	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
+	     ruid != oldcred->cr_svuid &&
+	      ruid != oldcred->cr_uid) ||
+	     (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
+	    euid != oldcred->cr_svuid &&
+	      euid != oldcred->cr_uid) ||
+	     (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
+	    suid != oldcred->cr_svuid &&
+	      suid != oldcred->cr_uid)) &&
+	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
 		return (error);
-	if (euid != (uid_t)-1 && pc->pc_ucred->cr_uid != euid) {
-		change_euid(p, euid);
+
+	newcred = crdup(oldcred);
+	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
+		change_euid(newcred, euid);
 		setsugid(p);
 	}
-	if (ruid != (uid_t)-1 && pc->p_ruid != ruid) {
-		change_ruid(p, ruid);
+	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
+		change_ruid(newcred, ruid);
 		setsugid(p);
 	}
-	if (suid != (uid_t)-1 && pc->p_svuid != suid) {
-		pc->p_svuid = suid;
+	if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
+		change_svuid(newcred, suid);
 		setsugid(p);
 	}
+	p->p_ucred = newcred;
+	crfree(oldcred);
 	return (0);
 }
 
@@ -832,35 +903,40 @@
 	register struct proc *p;
 	struct setresgid_args *uap;
 {
-	register struct pcred *pc = p->p_cred;
+	register struct ucred *oldcred = p->p_ucred, *newcred;
 	register gid_t rgid, egid, sgid;
 	int error;
 
 	rgid = uap->rgid;
 	egid = uap->egid;
 	sgid = uap->sgid;
-	if (((rgid != (gid_t)-1 && rgid != pc->p_rgid && rgid != pc->p_svgid &&
-	      rgid != pc->pc_ucred->cr_groups[0]) ||
-	     (egid != (gid_t)-1 && egid != pc->p_rgid && egid != pc->p_svgid &&
-	      egid != pc->pc_ucred->cr_groups[0]) ||
-	     (sgid != (gid_t)-1 && sgid != pc->p_rgid && sgid != pc->p_svgid &&
-	      sgid != pc->pc_ucred->cr_groups[0])) &&
-	    (error = suser_xxx(0, p, PRISON_ROOT)) != 0)
+	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
+	      rgid != oldcred->cr_svgid &&
+	      rgid != oldcred->cr_groups[0]) ||
+	     (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
+	      egid != oldcred->cr_svgid &&
+	      egid != oldcred->cr_groups[0]) ||
+	     (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
+	      sgid != oldcred->cr_svgid &&
+	      sgid != oldcred->cr_groups[0])) &&
+	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
 		return (error);
 
-	if (egid != (gid_t)-1 && pc->pc_ucred->cr_groups[0] != egid) {
-		pc->pc_ucred = crcopy(pc->pc_ucred);
-		pc->pc_ucred->cr_groups[0] = egid;
+	newcred = crdup(oldcred);
+	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
+		change_egid(newcred, egid);
 		setsugid(p);
 	}
-	if (rgid != (gid_t)-1 && pc->p_rgid != rgid) {
-		pc->p_rgid = rgid;
+	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
+		change_rgid(newcred, rgid);
 		setsugid(p);
 	}
-	if (sgid != (gid_t)-1 && pc->p_svgid != sgid) {
-		pc->p_svgid = sgid;
+	if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
+		change_svgid(newcred, sgid);
 		setsugid(p);
 	}
+	p->p_ucred = newcred;
+	crfree(oldcred);
 	return (0);
 }
 
@@ -877,18 +953,18 @@
 	register struct proc *p;
 	struct getresuid_args *uap;
 {
-	struct pcred *pc = p->p_cred;
+	struct ucred *cred = p->p_ucred;
 	int error1 = 0, error2 = 0, error3 = 0;
 
 	if (uap->ruid)
-		error1 = copyout((caddr_t)&pc->p_ruid,
-		    (caddr_t)uap->ruid, sizeof(pc->p_ruid));
+		error1 = copyout((caddr_t)&cred->cr_ruid,
+		    (caddr_t)uap->ruid, sizeof(cred->cr_ruid));
 	if (uap->euid)
-		error2 = copyout((caddr_t)&pc->pc_ucred->cr_uid,
-		    (caddr_t)uap->euid, sizeof(pc->pc_ucred->cr_uid));
+		error2 = copyout((caddr_t)&cred->cr_uid,
+		    (caddr_t)uap->euid, sizeof(cred->cr_uid));
 	if (uap->suid)
-		error3 = copyout((caddr_t)&pc->p_svuid,
-		    (caddr_t)uap->suid, sizeof(pc->p_svuid));
+		error3 = copyout((caddr_t)&cred->cr_svuid,
+		    (caddr_t)uap->suid, sizeof(cred->cr_svuid));
 	return error1 ? error1 : (error2 ? error2 : error3);
 }
 
@@ -905,18 +981,18 @@
 	register struct proc *p;
 	struct getresgid_args *uap;
 {
-	struct pcred *pc = p->p_cred;
+	struct ucred *cred = p->p_ucred;
 	int error1 = 0, error2 = 0, error3 = 0;
 
 	if (uap->rgid)
-		error1 = copyout((caddr_t)&pc->p_rgid,
-		    (caddr_t)uap->rgid, sizeof(pc->p_rgid));
+		error1 = copyout((caddr_t)&cred->cr_rgid,
+		    (caddr_t)uap->rgid, sizeof(cred->cr_rgid));
 	if (uap->egid)
-		error2 = copyout((caddr_t)&pc->pc_ucred->cr_groups[0],
-		    (caddr_t)uap->egid, sizeof(pc->pc_ucred->cr_groups[0]));
+		error2 = copyout((caddr_t)&cred->cr_groups[0],
+		    (caddr_t)uap->egid, sizeof(cred->cr_groups[0]));
 	if (uap->sgid)
-		error3 = copyout((caddr_t)&pc->p_svgid,
-		    (caddr_t)uap->sgid, sizeof(pc->p_svgid));
+		error3 = copyout((caddr_t)&cred->cr_svgid,
+		    (caddr_t)uap->sgid, sizeof(cred->cr_svgid));
 	return error1 ? error1 : (error2 ? error2 : error3);
 }
 
@@ -1113,10 +1189,10 @@
 	 * Generally, the object credential's ruid or svuid must match the
 	 * subject credential's ruid or euid.
 	 */
-	if (p1->p_cred->p_ruid != p2->p_cred->p_ruid &&
-	    p1->p_cred->p_ruid != p2->p_cred->p_svuid &&
-	    p1->p_ucred->cr_uid != p2->p_cred->p_ruid &&
-	    p1->p_ucred->cr_uid != p2->p_cred->p_svuid) {
+	if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid &&
+	    p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid &&
+	    p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid &&
+	    p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) {
 		/* Not permitted, try privilege. */
 		error = suser_xxx(NULL, p1, PRISON_ROOT);
 		if (error)
@@ -1140,9 +1216,9 @@
 	if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
 		return (error);
 
-	if (p1->p_cred->p_ruid == p2->p_cred->p_ruid)
+	if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid)
 		return (0);
-	if (p1->p_ucred->cr_uid == p2->p_cred->p_ruid)
+	if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid)
 		return (0);
 
 	if (!suser_xxx(0, p1, PRISON_ROOT)) {
@@ -1178,9 +1254,9 @@
 
 	/* not owned by you, has done setuid (unless you're root) */
 	/* add a CAP_SYS_PTRACE here? */
-	if (p1->p_cred->pc_ucred->cr_uid != p2->p_cred->p_ruid ||
-	    p1->p_cred->p_ruid != p2->p_cred->p_ruid ||
-	    p1->p_cred->p_svuid != p2->p_cred->p_ruid ||
+	if (p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid ||
+	    p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid ||
+	    p1->p_ucred->cr_svuid != p2->p_ucred->cr_ruid ||
 	    p2->p_flag & P_SUGID) {
 		if ((error = suser_xxx(0, p1, PRISON_ROOT)))
 			return (error);
@@ -1308,6 +1384,7 @@
 	*newcr = *cr;
 	mtx_init(&newcr->cr_mtx, "ucred", MTX_DEF);
 	uihold(newcr->cr_uidinfo);
+	uihold(newcr->cr_ruidinfo);
 	if (jailed(newcr))
 		prison_hold(newcr->cr_prison);
 	newcr->cr_ref = 1;
@@ -1375,48 +1452,123 @@
 }
 
 /*
- * Helper function to change the effective uid of a process
+ * change_euid(): Change a process's effective uid.
+ * Arguments: struct ucred *newcred, uid_t euid
+ * Returns: none
+ * Locks: none
+ * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
+ * References: newcred must be an exclusive credential reference for the
+ *             duration of the call.
+ * Notes: none
  */
 void
-change_euid(p, euid)
-	struct	proc *p;
-	uid_t	euid;
+change_euid(newcred, euid)
+	struct ucred *newcred;
+	uid_t euid;
 {
-	struct	pcred *pc;
-	struct	uidinfo *uip;
 
-	pc = p->p_cred;
-	/*
-	 * crcopy is essentially a NOP if ucred has a reference count
-	 * of 1, which is true if it has already been copied.
-	 */
-	pc->pc_ucred = crcopy(pc->pc_ucred);
-	uip = pc->pc_ucred->cr_uidinfo;
-	pc->pc_ucred->cr_uid = euid;
-	pc->pc_ucred->cr_uidinfo = uifind(euid);
-	uifree(uip);
+	newcred->cr_uid = euid;
+	uifree(newcred->cr_uidinfo);
+	newcred->cr_uidinfo = uifind(euid);
 }
 
 /*
- * Helper function to change the real uid of a process
- *
- * The per-uid process count for this process is transfered from
- * the old uid to the new uid.
+ * change_egid(): Change a process's effective gid.
+ * Arguments: struct ucred *newcred, gid_t egid
+ * Returns: none
+ * Locks: none
+ * Side effects: newcred->cr_gid will be modified.
+ * References: newcred must be an exclusive credential reference for the
+ *             duration of the call.
+ * Notes: none
  */
 void
-change_ruid(p, ruid)
-	struct	proc *p;
-	uid_t	ruid;
+change_egid(newcred, egid)
+	struct ucred *newcred;
+	gid_t egid;
+{
+
+	newcred->cr_groups[0] = egid;
+}
+
+/*
+ * change_ruid(): Change a process's real uid.
+ * Arguments: struct ucred *newcred, uid_t ruid
+ * Returns: none
+ * Locks: none
+ * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
+ *               will be updated, and the old and new cr_ruidinfo proc
+ *               counts will be updated.
+ * References: newcred must be an exclusive credential reference for the
+ *             duration of the call.
+ * Notes: none
+ */
+void
+change_ruid(newcred, ruid)
+	struct ucred *newcred;
+	uid_t ruid;
+{
+
+	(void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
+	newcred->cr_ruid = ruid;
+	uifree(newcred->cr_ruidinfo);
+	newcred->cr_ruidinfo = uifind(ruid);
+	(void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
+}
+
+/*
+ * change_rgid(): Change a process's real gid.
+ * Arguments: struct ucred *newcred, gid_t rgid
+ * Returns: none
+ * Locks: none
+ * Side effects: newcred->cr_rgid will be updated.
+ * References: newcred must be an exclusive credential reference for the
+ *             duration of the call.
+ * Notes: none
+ */
+void
+change_rgid(newcred, rgid)
+	struct ucred *newcred;
+	gid_t rgid;
+{
+
+	newcred->cr_rgid = rgid;
+}
+
+/*
+ * change_svuid(): Change a process's saved uid.
+ * Arguments: struct ucred *newcred, uid_t svuid
+ * Returns: none
+ * Locks: none
+ * Side effects: newcred->cr_svuid will be updated.
+ * References: newcred must be an exclusive credential reference for the
+ *             duration of the call.
+ * Notes: none
+ */
+void
+change_svuid(newcred, svuid)
+	struct ucred *newcred;
+	uid_t svuid;
+{
+
+	newcred->cr_svuid = svuid;
+}
+
+/*
+ * change_svgid(): Change a process's saved gid.
+ * Arguments: struct ucred *newcred, gid_t svgid
+ * Returns: none
+ * Locks: none
+ * Side effects: newcred->cr_svgid will be updated.
+ * References: newcred must be an exclusive credential reference for the
+ *             duration of the call.
+ * Notes: none
+ */
+void
+change_svgid(newcred, svgid)
+	struct ucred *newcred;
+	gid_t svgid;
 {
-	struct	pcred *pc;
-	struct	uidinfo *uip;
 
-	pc = p->p_cred;
-	(void)chgproccnt(pc->p_uidinfo, -1, 0);
-	uip = pc->p_uidinfo;
-	/* It is assumed that pcred is not shared between processes */
-	pc->p_ruid = ruid;
-	pc->p_uidinfo = uifind(ruid);
-	(void)chgproccnt(pc->p_uidinfo, 1, 0);
-	uifree(uip);
+	newcred->cr_svgid = svgid;
 }
Index: kern/kern_sig.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_sig.c,v
retrieving revision 1.118
diff -u -r1.118 kern_sig.c
--- kern/kern_sig.c	2001/05/07 18:07:29	1.118
+++ kern/kern_sig.c	2001/05/09 17:22:58
@@ -98,14 +98,14 @@
     "Log processes quitting on abnormal signals to syslog(3)");
 
 /*
- * Policy -- Can real uid ruid with ucred uc send a signal to process q?
+ * Policy -- Can ucred cr1 send SIGIO to process cr2?
  */
-#define CANSIGIO(ruid, uc, q) \
-	((uc)->cr_uid == 0 || \
-	    (ruid) == (q)->p_cred->p_ruid || \
-	    (uc)->cr_uid == (q)->p_cred->p_ruid || \
-	    (ruid) == (q)->p_ucred->cr_uid || \
-	    (uc)->cr_uid == (q)->p_ucred->cr_uid)
+#define CANSIGIO(cr1, cr2) \
+	((cr1)->cr_uid == 0 || \
+	    (cr2)->cr_ruid == (cr2)->cr_ruid || \
+	    (cr2)->cr_uid == (cr2)->cr_ruid || \
+	    (cr2)->cr_ruid == (cr2)->cr_uid || \
+	    (cr2)->cr_uid == (cr2)->cr_uid)
 
 int sugid_coredump;
 SYSCTL_INT(_kern, OID_AUTO, sugid_coredump, CTLFLAG_RW, 
@@ -1610,8 +1610,8 @@
 {
 	CTR3(KTR_PROC, "killproc: proc %p (pid %d, %s)",
 		p, p->p_pid, p->p_comm);
-	log(LOG_ERR, "pid %d (%s), uid %d, was killed: %s\n", p->p_pid, p->p_comm,
-		p->p_cred && p->p_ucred ? p->p_ucred->cr_uid : -1, why);
+	log(LOG_ERR, "pid %d (%s), uid %d, was killed: %s\n", p->p_pid,
+	    p->p_comm, p->p_ucred ? p->p_ucred->cr_uid : -1, why);
 	PROC_LOCK(p);
 	psignal(p, SIGKILL);
 	PROC_UNLOCK(p);
@@ -1650,7 +1650,7 @@
 			log(LOG_INFO,
 			    "pid %d (%s), uid %d: exited on signal %d%s\n",
 			    p->p_pid, p->p_comm,
-			    p->p_cred && p->p_ucred ? p->p_ucred->cr_uid : -1,
+			    p->p_ucred ? p->p_ucred->cr_uid : -1,
 			    sig &~ WCOREFLAG,
 			    sig & WCOREFLAG ? " (core dumped)" : "");
 	} else {
@@ -1870,8 +1870,7 @@
 		
 	if (sigio->sio_pgid > 0) {
 		PROC_LOCK(sigio->sio_proc);
-		if (CANSIGIO(sigio->sio_ruid, sigio->sio_ucred,
-		             sigio->sio_proc))
+		if (CANSIGIO(sigio->sio_ucred, sigio->sio_proc->p_ucred))
 			psignal(sigio->sio_proc, sig);
 		PROC_UNLOCK(sigio->sio_proc);
 	} else if (sigio->sio_pgid < 0) {
@@ -1879,7 +1878,7 @@
 
 		LIST_FOREACH(p, &sigio->sio_pgrp->pg_members, p_pglist) {
 			PROC_LOCK(p);
-			if (CANSIGIO(sigio->sio_ruid, sigio->sio_ucred, p) &&
+			if (CANSIGIO(sigio->sio_ucred, p->p_ucred) &&
 			    (checkctty == 0 || (p->p_flag & P_CONTROLT)))
 				psignal(p, sig);
 			PROC_UNLOCK(p);
Index: kern/uipc_usrreq.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_usrreq.c,v
retrieving revision 1.65
diff -u -r1.65 uipc_usrreq.c
--- kern/uipc_usrreq.c	2001/05/01 08:12:59	1.65
+++ kern/uipc_usrreq.c	2001/05/09 17:22:59
@@ -988,8 +988,8 @@
 	if (cm->cmsg_type == SCM_CREDS) {
 		cmcred = (struct cmsgcred *)(cm + 1);
 		cmcred->cmcred_pid = p->p_pid;
-		cmcred->cmcred_uid = p->p_cred->p_ruid;
-		cmcred->cmcred_gid = p->p_cred->p_rgid;
+		cmcred->cmcred_uid = p->p_ucred->cr_ruid;
+		cmcred->cmcred_gid = p->p_ucred->cr_rgid;
 		cmcred->cmcred_euid = p->p_ucred->cr_uid;
 		cmcred->cmcred_ngroups = MIN(p->p_ucred->cr_ngroups,
 							CMGROUP_MAX);
Index: kern/vfs_syscalls.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.189
diff -u -r1.189 vfs_syscalls.c
--- kern/vfs_syscalls.c	2001/04/29 02:44:49	1.189
+++ kern/vfs_syscalls.c	2001/05/09 17:23:02
@@ -1711,8 +1711,8 @@
 	 * rather than to modify the potentially shared process structure.
 	 */
 	tmpcred = crdup(cred);
-	tmpcred->cr_uid = p->p_cred->p_ruid;
-	tmpcred->cr_groups[0] = p->p_cred->p_rgid;
+	tmpcred->cr_uid = cred->cr_ruid;
+	tmpcred->cr_groups[0] = cred->cr_rgid;
 	p->p_ucred = tmpcred;
 	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE,
 	    SCARG(uap, path), p);
@@ -3799,7 +3799,7 @@
 	}
 	cnt = auio.uio_resid;
 	error = VOP_SETEXTATTR(vp, attrnamespace, attrname, &auio,
-	    p->p_cred->pc_ucred, p);
+	    p->p_ucred, p);
 	cnt -= auio.uio_resid;
 	p->p_retval[0] = cnt;
 done:
@@ -3912,7 +3912,7 @@
 	}
 	cnt = auio.uio_resid;
 	error = VOP_GETEXTATTR(vp, attrnamespace, attrname, &auio,
-	    p->p_cred->pc_ucred, p);
+	    p->p_ucred, p);
 	cnt -= auio.uio_resid;
 	p->p_retval[0] = cnt;
 done:
@@ -3995,7 +3995,7 @@
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);
 
 	error = VOP_SETEXTATTR(vp, attrnamespace, attrname, NULL,
-	    p->p_cred->pc_ucred, p);
+	    p->p_ucred, p);
 
 	VOP_UNLOCK(vp, 0, p);
 	vn_finished_write(mp);
Index: miscfs/procfs/procfs_status.c
===================================================================
RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs_status.c,v
retrieving revision 1.29
diff -u -r1.29 procfs_status.c
--- miscfs/procfs/procfs_status.c	2001/05/01 08:13:09	1.29
+++ miscfs/procfs/procfs_status.c	2001/05/09 17:23:02
@@ -153,11 +153,11 @@
 
 	ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, " %lu %lu %lu", 
 		(u_long)cr->cr_uid,
-		(u_long)p->p_cred->p_ruid,
-		(u_long)p->p_cred->p_rgid);
+		(u_long)cr->cr_ruid,
+		(u_long)cr->cr_rgid);
 	DOCHECK();
 
-	/* egid (p->p_cred->p_svgid) is equal to cr_ngroups[0] 
+	/* egid (cr->cr_svgid) is equal to cr_ngroups[0] 
 	   see also getegid(2) in /sys/kern/kern_prot.c */
 
 	for (i = 0; i < cr->cr_ngroups; i++) {
Index: miscfs/procfs/procfs_vnops.c
===================================================================
RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs_vnops.c,v
retrieving revision 1.95
diff -u -r1.95 procfs_vnops.c
--- miscfs/procfs/procfs_vnops.c	2001/05/01 08:13:09	1.95
+++ miscfs/procfs/procfs_vnops.c	2001/05/09 17:23:04
@@ -404,7 +404,7 @@
 		procp = PFIND(pfs->pfs_pid);
 		if (procp == NULL)
 			return (ENOENT);
-		if (procp->p_cred == NULL || procp->p_ucred == NULL) {
+		if (procp->p_ucred == NULL) {
 			PROC_UNLOCK(procp);
 			return (ENOENT);
 		}
@@ -942,8 +942,7 @@
 	 */
 	case Pfile:
 		procp = PFIND(pfs->pfs_pid);
-		if (procp == NULL || procp->p_cred == NULL ||
-		    procp->p_ucred == NULL) {
+		if (procp == NULL || procp->p_ucred == NULL) {
 			if (procp != NULL)
 				PROC_UNLOCK(procp);
 			printf("procfs_readlink: pid %d disappeared\n",
Index: nfs/nfs_lock.c
===================================================================
RCS file: /home/ncvs/src/sys/nfs/nfs_lock.c,v
retrieving revision 1.4
diff -u -r1.4 nfs_lock.c
--- nfs/nfs_lock.c	2001/05/01 08:13:14	1.4
+++ nfs/nfs_lock.c	2001/05/09 17:23:21
@@ -236,9 +236,11 @@
 
 	/* Let root, or someone who once was root (lockd generally
 	 * switches to the daemon uid once it is done setting up) make 
-	 * this call
+	 * this call.
+	 *
+	 * XXX
 	 */
-	if ((error = suser(p)) != 0 && p->p_cred->p_svuid != 0)
+	if ((error = suser(p)) != 0 && p->p_ucred->cr_svuid != 0)
 		return (error);
 
 	/* the version should match, or we're out of sync */
Index: posix4/p1003_1b.c
===================================================================
RCS file: /home/ncvs/src/sys/posix4/p1003_1b.c,v
retrieving revision 1.9
diff -u -r1.9 p1003_1b.c
--- posix4/p1003_1b.c	2001/05/06 16:15:42	1.9
+++ posix4/p1003_1b.c	2001/05/09 17:23:21
@@ -68,16 +68,17 @@
 /*
  * This is stolen from CANSIGNAL in kern_sig:
  *
- * Can process p, with pcred pc, do "write flavor" operations to process q?
+ * Can process with credential cr1 do "write flavor" operations to credential
+ * cr2.  This check needs to use generalized checks.
  */
-#define CAN_AFFECT(p, q) \
-	(!suser_xxx(NULL, p, PRISON_ROOT) || \
-	    (p)->p_cred->pc_ruid == (q)->p_cred->p_ruid || \
-	    (p)->p_ucred->cr_uid == (q)->p_cred->p_ruid || \
-	    (p)->p_cred->pc_ruid == (q)->p_ucred->cr_uid || \
-	    (p)->p_ucred->cr_uid == (q)->p_ucred->cr_uid)
+#define CAN_AFFECT(cr1, cr2) \
+	(!suser_xxx(cr1, NULL, PRISON_ROOT) || \
+	    (c1)->cr_ruid == (cr2)->cr_ruid || \
+	    (c1)->cr_uid == (cr2)->cr_ruid || \
+	    (c1)->cr_ruid == (cr2)->cr_uid || \
+	    (c1)->cr_uid == (cr2)->cr_uid)
 #else
-#define CAN_AFFECT(p, q) (!suser_xxx(NULL, p, PRISON_ROOT))
+#define CAN_AFFECT(cr1, cr2) (!suser_xxx(cr1, NULL, PRISON_ROOT))
 #endif
 
 /*
@@ -99,7 +100,7 @@
 	{
 		/* Enforce permission policy.
 		 */
-		if (CAN_AFFECT(p, other_proc))
+		if (CAN_AFFECT(p->p_ucred, other_proc->p_ucred))
 			*pp = other_proc;
 		else
 			ret = EPERM;
Index: sys/filedesc.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/filedesc.h,v
retrieving revision 1.26
diff -u -r1.26 filedesc.h
--- sys/filedesc.h	2000/11/18 21:01:04	1.26
+++ sys/filedesc.h	2001/05/09 17:23:22
@@ -117,7 +117,6 @@
 	struct	sigio **sio_myref;	/* location of the pointer that holds
 					 * the reference to this structure */
 	struct	ucred *sio_ucred;	/* current credentials */
-	uid_t	sio_ruid;		/* real user id */
 	pid_t	sio_pgid;		/* pgid for signals */
 };
 #define	sio_proc	sio_u.siu_proc
Index: sys/proc.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/proc.h,v
retrieving revision 1.161
diff -u -r1.161 proc.h
--- sys/proc.h	2001/04/27 19:28:25	1.161
+++ sys/proc.h	2001/05/09 17:23:22
@@ -156,7 +156,7 @@
 	LIST_ENTRY(proc) p_list;	/* (d) List of all processes. */
 
 	/* substructures: */
-	struct	pcred *p_cred;		/* (c + k) Process owner's identity. */
+	struct	ucred *p_ucred;		/* (c + k) Process owner's identity. */
 	struct	filedesc *p_fd;		/* (b) Ptr to open files structure. */
 	struct	pstats *p_stats;	/* (b) Accounting/statistics (CPU). */
 	struct	plimit *p_limit;	/* (m) Process limits. */
@@ -166,7 +166,6 @@
 #define	p_sigignore	p_procsig->ps_sigignore
 #define	p_sigcatch	p_procsig->ps_sigcatch
 
-#define	p_ucred		p_cred->pc_ucred
 #define	p_rlimit	p_limit->pl_rlimit
 
 	int	p_flag;			/* (c) P_* flags. */
@@ -336,23 +335,6 @@
 #define	P_CAN_SEE	1
 #define	P_CAN_SCHED	3
 #define	P_CAN_DEBUG	4
-
-/*
- * MOVE TO ucred.h?
- *
- * Shareable process credentials (always resident).  This includes a reference
- * to the current user credentials as well as real and saved ids that may be
- * used to change ids.
- */
-struct	pcred {
-	struct	ucred *pc_ucred;	/* Current credentials. */
-	uid_t	p_ruid;			/* Real user id. */
-	uid_t	p_svuid;		/* Saved effective user id. */
-	gid_t	p_rgid;			/* Real group id. */
-	gid_t	p_svgid;		/* Saved effective group id. */
-	int	p_refcnt;		/* Number of references. */
-	struct	uidinfo *p_uidinfo;	/* Per uid resource consumption. */
-};
 
 #ifdef _KERNEL
 
Index: sys/ucred.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/ucred.h,v
retrieving revision 1.23
diff -u -r1.23 ucred.h
--- sys/ucred.h	2001/05/01 08:13:18	1.23
+++ sys/ucred.h	2001/05/09 17:23:23
@@ -50,9 +50,14 @@
 struct ucred {
 	u_int	cr_ref;			/* reference count */
 	uid_t	cr_uid;			/* effective user id */
+	uid_t	cr_ruid;		/* real user id */
+	uid_t	cr_svuid;		/* saved user id */
 	short	cr_ngroups;		/* number of groups */
 	gid_t	cr_groups[NGROUPS];	/* groups */
-	struct	uidinfo *cr_uidinfo;	/* per uid resource consumption */
+	gid_t	cr_rgid;		/* real group id */
+	gid_t	cr_svgid;		/* saved user id */
+	struct	uidinfo *cr_uidinfo;	/* per euid resource consumption */
+	struct	uidinfo *cr_ruidinfo;	/* per ruid resource consumption */
 	struct	prison *cr_prison;	/* jail(4) */
 	struct	mtx cr_mtx;		/* protect refcount */
 };
@@ -77,8 +82,12 @@
 
 struct proc;
 
-void		change_euid __P((struct proc *p, uid_t euid));
-void		change_ruid __P((struct proc *p, uid_t ruid));
+void		change_euid __P((struct ucred *newcred, uid_t euid));
+void		change_egid __P((struct ucred *newcred, gid_t egid));
+void		change_ruid __P((struct ucred *newcred, uid_t ruid));
+void		change_rgid __P((struct ucred *newcred, uid_t rgid));
+void		change_svuid __P((struct ucred *newcred, uid_t svuid));
+void		change_svgid __P((struct ucred *newcred, gid_t svgid));
 struct ucred	*crcopy __P((struct ucred *cr));
 struct ucred	*crdup __P((struct ucred *cr));
 void		crfree __P((struct ucred *cr));
Index: ufs/ufs/ufs_extattr.c
===================================================================
RCS file: /home/ncvs/src/sys/ufs/ufs/ufs_extattr.c,v
retrieving revision 1.31
diff -u -r1.31 ufs_extattr.c
--- ufs/ufs/ufs_extattr.c	2001/04/29 02:45:28	1.31
+++ ufs/ufs/ufs_extattr.c	2001/05/09 17:23:23
@@ -621,7 +621,7 @@
 	auio.uio_rw = UIO_READ;
 	auio.uio_procp = (struct proc *) p;
 
-	VOP_LEASE(backing_vnode, p, p->p_cred->pc_ucred, LEASE_WRITE);
+	VOP_LEASE(backing_vnode, p, p->p_ucred, LEASE_WRITE);
 	vn_lock(backing_vnode, LK_SHARED | LK_NOPAUSE | LK_RETRY, p);
 	error = VOP_READ(backing_vnode, &auio, IO_NODELOCKED,
 	    ump->um_extattr.uepm_ucred);
@@ -702,7 +702,7 @@
 	 * Processes with privilege, but in jail, are not allowed to
 	 * configure extended attributes.
 	 */
-	if ((error = suser_xxx(p->p_cred->pc_ucred, p, 0))) {
+	if ((error = suser_xxx(p->p_ucred, p, 0))) {
 		if (filename_vp != NULL)
 			VOP_UNLOCK(filename_vp, 0, p);
 		return (error);
Index: ufs/ufs/ufs_vfsops.c
===================================================================
RCS file: /home/ncvs/src/sys/ufs/ufs/ufs_vfsops.c,v
retrieving revision 1.24
diff -u -r1.24 ufs_vfsops.c
--- ufs/ufs/ufs_vfsops.c	2001/05/01 08:13:19	1.24
+++ ufs/ufs/ufs_vfsops.c	2001/05/09 17:23:24
@@ -108,14 +108,14 @@
 	int cmd, type, error;
 
 	if (uid == -1)
-		uid = p->p_cred->p_ruid;
+		uid = p->p_ucred->cr_ruid;
 	cmd = cmds >> SUBCMDSHIFT;
 
 	switch (cmd) {
 	case Q_SYNC:
 		break;
 	case Q_GETQUOTA:
-		if (uid == p->p_cred->p_ruid)
+		if (uid == p->p_ucred->cr_ruid)
 			break;
 		/* fall through */
 	default:



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010509132551.11741x-100000>