mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2024-12-09 06:30:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

libcurl-security.3: be careful of setuid

Browse Source 
Reported-by: Harry Sintonen
Closes #6970
This commit is contained in:
Daniel Stenberg 2021-04-26 11:15:55 +02:00
parent 76f33fd373
commit 2e23f3b8d5
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/libcurl/libcurl-security.3
View File

@ -371,3 +371,15 @@ sensitive data.
To avoid this problem, you must of course use your common sense. Often, you
can just edit out the sensitive data or just search/replace your true
information with faked data.
.SH "Setuid applications using libcurl"
libcurl-using applications that set the 'setuid' bit to run with elevated or
modified rights also implicitly give that extra power to libcurl and this
should only be done after very careful considerations.
Giving setuid powers to the appliction means that libcurl can save files using
those new rights (if for example the `SSLKEYLOGFILE` environment variable is
set). Also: if the application wants these powers to read or manage secrets
that the user is otherwise not able to view (like credentials for a login
etc), it should be noted that libcurl still might understand proxy environment
variables that allow the user to redirect libcurl operations to use a proxy
controlled by the user.