From: Lennart Poettering Date: Mon, 24 Jun 2019 13:30:10 +0000 (+0200) Subject: man: document that sd_bus_creds_get_exec() is not suitable for security decisions X-Git-Tag: v243-rc1~245^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F12868%2Fhead;p=thirdparty%2Fsystemd.git man: document that sd_bus_creds_get_exec() is not suitable for security decisions Fixes: #12704 --- diff --git a/man/sd_bus_creds_get_pid.xml b/man/sd_bus_creds_get_pid.xml index 9e79d13cdd1..a7690d58174 100644 --- a/man/sd_bus_creds_get_pid.xml +++ b/man/sd_bus_creds_get_pid.xml @@ -325,12 +325,14 @@ /proc/pid/task/tid/comm). - sd_bus_creds_get_exe() will retrieve - the path to the program executable (as stored in the - /proc/pid/exe - link, but with the (deleted) suffix removed). Note - that kernel threads do not have an executable path, in which case - -ENXIO is returned. + sd_bus_creds_get_exe() will retrieve the path to the program executable (as + stored in the /proc/pid/exe link, but with the + (deleted) suffix removed). Note that kernel threads do not have an executable path, in which + case -ENXIO is returned. Note that this property should not be used for more than explanatory + information, in particular it should not be used for security-relevant decisions. That's because the + executable might have been replaced or removed by the time the value can be processed. Moreover, the + kernel exports this information in an ambiguous way (i.e. a deleted executable cannot be safely + distinguished from one whose name suffix is (deleted). sd_bus_creds_get_cmdline() will retrieve an array of command line arguments (as stored in
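Review bot: The parenthetical opened at "(i.e. a deleted executable cannot be safely distinguished ..." in the last added sentence is never closed. The trailing "(deleted)." closes only the literal suffix, so the sentence needs one more ")" before the period. Two smaller points in the same added paragraph: it now has two consecutive sentences starting "Note that", and "explanatory information, in particular it should not be used" is a comma splice that would read better split into two sentences or joined with a semicolon. The commit subject also names sd_bus_creds_get_exec(), while the function documented in this hunk is sd_bus_creds_get_exe(), so the subject should be corrected to match and stay greppable. Finally, the new text tells callers not to base security-relevant decisions on this value but does not say which credential field they should rely on instead. A short pointer in the same paragraph would make the warning actionable.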