From: Daniel Stenberg Date: Mon, 26 Apr 2021 09:15:55 +0000 (+0200) Subject: libcurl-security.3: be careful of setuid X-Git-Tag: curl-7_77_0~122 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2e23f3b8d54c6e4e568f019b2f66bfd9f9bac7a2;p=thirdparty%2Fcurl.git libcurl-security.3: be careful of setuid Reported-by: Harry Sintonen Closes #6970 --- diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3 index b4907ac22a..ada378192e 100644 --- a/docs/libcurl/libcurl-security.3 +++ b/docs/libcurl/libcurl-security.3 @@ -371,3 +371,15 @@ sensitive data. To avoid this problem, you must of course use your common sense. Often, you can just edit out the sensitive data or just search/replace your true information with faked data. +.SH "Setuid applications using libcurl" +libcurl-using applications that set the 'setuid' bit to run with elevated or +modified rights also implicitly give that extra power to libcurl and this +should only be done after very careful considerations. + +Giving setuid powers to the appliction means that libcurl can save files using +those new rights (if for example the `SSLKEYLOGFILE` environment variable is +set). Also: if the application wants these powers to read or manage secrets +that the user is otherwise not able to view (like credentials for a login +etc), it should be noted that libcurl still might understand proxy environment +variables that allow the user to redirect libcurl operations to use a proxy +controlled by the user.