KEYCTL_SETPERM
Section: Linux Key Management Calls (3)
Updated: 4 May 2006
Index
Return to Main Contents
NAME
keyctl_setperm - Change the permissions mask on a key
SYNOPSIS
#include <keyutils.h>
long keyctl_setperm(key_serial_t key, key_perm_t perm);
DESCRIPTION
keyctl_setperm()
changes the permissions mask on a key.
A process that does not have the
SysAdmin
capability may not change the permissions mask on a key that doesn't have the
same UID as the caller.
The caller must have
setattr
permission on a key to be able change its permissions mask.
The permissions mask is a bitwise-OR of the following flags:
- KEY_xxx_VIEW
-
Grant permission to view the attributes of a key.
- KEY_xxx_READ
-
Grant permission to read the payload of a key or to list a keyring.
- KEY_xxx_WRITE
-
Grant permission to modify the payload of a key or to add or remove links
to/from a keyring.
- KEY_xxx_SEARCH
-
Grant permission to find a key or to search a keyring.
- KEY_xxx_LINK
-
Grant permission to make links to a key.
- KEY_xxx_SETATTR
-
Grant permission to change the ownership and permissions attributes of a key.
- KEY_xxx_ALL
-
Grant all the above.
The
'xxx'
in the above should be replaced by one of:
- POS
-
Grant the permission to a process that possesses the key (has it attached
searchably to one of the process's keyrings).
- USR
-
Grant the permission to a process with the same UID as the key.
- GRP
-
Grant the permission to a process with the same GID as the key, or with a
match for the key's GID amongst that process's Groups list.
- OTH
-
Grant the permission to any other process.
Examples include:
KEY_POS_VIEW, KEY_USR_READ, KEY_GRP_SEARCH and KEY_OTH_ALL.
User, group and other grants are exclusive: if a process qualifies in
the 'user' category, it will not qualify in the 'groups' category; and if a
process qualifies in either 'user' or 'groups' then it will not qualify in
the 'other' category.
Possessor grants are cumulative with the grants from the 'user', 'groups'
and 'other' categories.
RETURN VALUE
On success
keyctl_setperm()
returns
0 .
On error, the value
-1
will be returned and errno will have been set to an appropriate error.
ERRORS
- ENOKEY
-
The specied key does not exist.
- EKEYEXPIRED
-
The specified key has expired.
- EKEYREVOKED
-
The specified key has been revoked.
- EACCES
-
The named key exists, but does not grant
setattr
permission to the calling process.
LINKING
This is a library function that can be found in
libkeyutils.
When linking,
-lkeyutils
should be specified to the linker.
SEE ALSO
keyctl(1),
add_key(2),
keyctl(2),
request_key(2),
keyctl_get_keyring_ID(3),
keyctl_join_session_keyring(3),
keyctl_update(3),
keyctl_revoke(3),
keyctl_chown(3),
keyctl_describe(3),
keyctl_clear(3),
keyctl_link(3),
keyctl_unlink(3),
keyctl_search(3),
keyctl_read(3),
keyctl_instantiate(3),
keyctl_negate(3),
keyctl_set_reqkey_keyring(3),
keyctl_set_timeout(3),
keyctl_assume_authority(3),
keyctl_describe_alloc(3),
keyctl_read_alloc(3),
request-key(8)