author | Sean Whitton <spwhitton@spwhitton.name> | 2021-08-14 12:08:30 -0700 |
---|---|---|
committer | Sean Whitton <spwhitton@spwhitton.name> | 2021-09-09 11:19:43 -0700 |
commit | 0439c72e019e2b879dece404fc455a5e91e738ae (patch) | |
tree | 57d05de365e3f486546476d469b0c64053bb3bde /doc | |
parent | 3e4a8149efbf7d6515ec6ac542ee8882320763d0 (diff) | |
download | consfigurator-0439c72e019e2b879dece404fc455a5e91e738ae.tar.gz |
add :SETUID security notes
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/connections.rst | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/doc/connections.rst b/doc/connections.rst index 6e20500..9205bbd 100644 --- a/doc/connections.rst +++ b/doc/connections.rst @@ -114,6 +114,17 @@ in that saved image. Typically a ``:SUDO`` connection hop is used before hops which start up remote Lisp images, so these issues will not arise for most users. +``:SETUID`` +~~~~~~~~~~~ + +As this connection type subclasses FORK-CONNECTION, it shouldn't leak +root-accessible secrets to a process running under the unprivileged UID. +However, when using the :AS connection type, the unprivileged process will +have access to all the hostattrs of the host. Potentially, something like +ptrace(2) could be used to extract those. But hostattrs should not normally +contain any secrets, and at least on Linux, the unprivileged process will not +be ptraceable because it was once privileged. + Connections which fork: ``:CHROOT.FORK``, ``:SETUID`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
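Review bot: the new ``:SETUID`` section switches to "the :AS connection type" in its second sentence without saying how :AS relates to :SETUID, so a reader cannot tell whether the hostattrs exposure applies to :SETUID itself or only to connections established through :AS. Please state the relationship explicitly. The same paragraph writes :AS and FORK-CONNECTION as bare text, while the surrounding document uses literal markup (``:SUDO`` in the context line, ``:CHROOT.FORK`` in the next heading), so these should be ``:AS`` and ``FORK-CONNECTION``. The closing claim that the process "will not be ptraceable because it was once privileged" would be easier to verify if it named the mechanism it relies on; on Linux that is the dumpable attribute described in prctl(2), which is cleared when a process changes its effective UID and which fs.suid_dumpable can override, so a pointer to the man page and a note that the guarantee depends on that setting would help. It would also be worth turning "hostattrs should not normally contain any secrets" into direct guidance to property authors, since the ptrace argument is only a second line of defence.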