author: Sean Whitton <spwhitton@spwhitton.name> 2021-08-14 12:08:30 -0700
committer: Sean Whitton <spwhitton@spwhitton.name> 2021-09-09 11:19:43 -0700
commit: 0439c72e019e2b879dece404fc455a5e91e738ae
tree: 57d05de365e3f486546476d469b0c64053bb3bde /doc
parent: 3e4a8149efbf7d6515ec6ac542ee8882320763d0
add :SETUID security notes
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Diffstat (limited to 'doc')
-rw-r--r-- doc/connections.rst | 11
1 files changed, 11 insertions, 0 deletions
diff --git a/doc/connections.rst b/doc/connections.rst
index 6e20500..9205bbd 100644
--- a/doc/connections.rst
+++ b/doc/connections.rst
@@ -114,6 +114,17 @@ in that saved image. Typically a ``:SUDO`` connection hop is used before hops
which start up remote Lisp images, so these issues will not arise for most
users.
+``:SETUID``
+~~~~~~~~~~~
+
+As this connection type subclasses FORK-CONNECTION, it shouldn't leak
+root-accessible secrets to a process running under the unprivileged UID.
+However, when using the :AS connection type, the unprivileged process will
+have access to all the hostattrs of the host. Potentially, something like
+ptrace(2) could be used to extract those. But hostattrs should not normally
+contain any secrets, and at least on Linux, the unprivileged process will not
+be ptraceable because it was once privileged.
+
Connections which fork: ``:CHROOT.FORK``, ``:SETUID``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
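
Review bot: The closing sentence of the new ``:SETUID`` section ("at least on Linux, the unprivileged process will not be ptraceable because it was once privileged") names neither the kernel behaviour it relies on nor what applies on other platforms, so a reader cannot check whether the protection holds on their host. Consider citing the relevant man page next to ptrace(2) and saying plainly that, outside Linux, the remaining safeguard is keeping secrets out of hostattrs. "should not normally contain any secrets" is likewise a convention rather than something the text shows to be enforced, so a pointer to where secrets are meant to live would make the guidance actionable. Minor markup point: FORK-CONNECTION and :AS are plain text here, while the heading and the context line above use double backquotes (``:SETUID``, ``:SUDO``).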