Index: ucred.9 =================================================================== RCS file: /home/ncvs/src/share/man/man9/ucred.9,v retrieving revision 1.6 diff -u -r1.6 ucred.9 --- ucred.9 8 Jul 2002 07:34:46 -0000 1.6 +++ ucred.9 8 Jul 2002 13:41:48 -0000 
@@ -144,16 +144,30 @@ returns 0 if the credential has a reference count greater than 1; otherwise, 1 is returned. .Sh USAGE NOTES -In general in a system call, -you should always use the -.Vt ucred -associated with the -thread doing the work rather than that of the process attached to it, -As that associated with the thread is guaranteed to be safely accessed -under SMP, and will remain stable for the duration of the call, even -in the face of a multithreaded application changing the process credentials -from another thread. -.Sh SEE ALSO +In the common case, credentials are accessed in a read-only manner for +access control. +In general, under those circumstances, the thread credential should be +used, as it requires no locking to access safely, and remains stable +for the duration of the call, even in the face of a multi-threaded +application changing the process credentials from another thread. +However, the process credentials must be used, with appropriate process +locking during both check and update, to authorize any process credential +modification. +.Pp +If a process credential is updated during a system call and later checks +against the thread credential are to be made during the same system call, +the thread credential must also be refreshed from the process credential +so as to prevent use of a stale value. +.Pp +If temporarily elevated privileges are required for a thread, the thread +credential can by replaced for the duration of an activity, and then be +restored; however, as a thread credential is often shared, the API above +should be used to copy and update the credential. +As a result of this potential temporary elevation, the thread credential +should +.Em never +be used as the object credential in an access control decision: the process +credential associated with the thread should instead be used. .Xr uihold 9 .Sh AUTHORS This man page was written by
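Review bot: the ".Sh SEE ALSO" line is removed near the end of this hunk and never added back, so the unchanged ".Xr uihold 9" context line now renders inside USAGE NOTES, directly after "credential associated with the thread should instead be used."; re-add ".Sh SEE ALSO" as a "+" line immediately before the ".Xr" line. In the third added paragraph, "the thread credential can by replaced" should read "can be replaced". The second added paragraph says the thread credential "must also be refreshed from the process credential" without saying how; since the third paragraph points readers at "the API above" for copy and update, it would help to do the same here and say which documented routine performs the refresh and under which lock, because a reader who skips that step ends up making later checks in the same system call against a stale credential.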