From 0439c72e019e2b879dece404fc455a5e91e738ae Mon Sep 17 00:00:00 2001 From: Sean Whitton Date: Sat, 14 Aug 2021 12:08:30 -0700 Subject: add :SETUID security notes Signed-off-by: Sean Whitton --- doc/connections.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'doc') diff --git a/doc/connections.rst b/doc/connections.rst index 6e20500..9205bbd 100644 --- a/doc/connections.rst +++ b/doc/connections.rst @@ -114,6 +114,17 @@ in that saved image. Typically a ``:SUDO`` connection hop is used before hops which start up remote Lisp images, so these issues will not arise for most users. +``:SETUID`` +~~~~~~~~~~~ + +As this connection type subclasses FORK-CONNECTION, it shouldn't leak +root-accessible secrets to a process running under the unprivileged UID. +However, when using the :AS connection type, the unprivileged process will +have access to all the hostattrs of the host. Potentially, something like +ptrace(2) could be used to extract those. But hostattrs should not normally +contain any secrets, and at least on Linux, the unprivileged process will not +be ptraceable because it was once privileged. + Connections which fork: ``:CHROOT.FORK``, ``:SETUID`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3
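Review bot: In the last sentence of the new ``:SETUID`` paragraph, "the unprivileged process will not be ptraceable because it was once privileged" states a Linux guarantee without naming the mechanism or its conditions, so a reader cannot check whether it holds on their host. Suggest naming it: on Linux, changing the effective UID resets the process's dumpable attribute to the value of /proc/sys/fs/suid_dumpable (see PR_SET_DUMPABLE in prctl(2) and the access-mode checks in ptrace(2)). It would also help to say what is expected on other kernels, since "at least on Linux" leaves that open. The paragraph also moves from ``:SETUID`` in the heading to ":AS" in the second sentence without saying how the two connection types relate; one clause on that would make the scope of the warning clear. Style: :AS, FORK-CONNECTION and ptrace(2) are unmarked, while the surrounding context lines use double-backtick literals (``:SUDO``, ``:CHROOT.FORK``).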