summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2021-04-26 11:15:55 +0200
committerDaniel Stenberg <daniel@haxx.se>2021-04-27 07:51:42 +0200
commit2e23f3b8d54c6e4e568f019b2f66bfd9f9bac7a2 (patch)
treeae0dde531ff3a4433026b03b88b566887b156eec
parent76f33fd373f2d1c9ff8a090a65c254fe7a4a9864 (diff)
downloadcurl-2e23f3b8d54c6e4e568f019b2f66bfd9f9bac7a2.tar.gz
libcurl-security.3: be careful of setuid
Reported-by: Harry Sintonen Closes #6970
-rw-r--r--docs/libcurl/libcurl-security.312
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3
index b4907ac22..ada378192 100644
--- a/docs/libcurl/libcurl-security.3
+++ b/docs/libcurl/libcurl-security.3
@@ -371,3 +371,15 @@ sensitive data.
To avoid this problem, you must of course use your common sense. Often, you
can just edit out the sensitive data or just search/replace your true
information with faked data.
+.SH "Setuid applications using libcurl"
+libcurl-using applications that set the 'setuid' bit to run with elevated or
+modified rights also implicitly give that extra power to libcurl and this
+should only be done after very careful considerations.
+
+Giving setuid powers to the appliction means that libcurl can save files using
+those new rights (if for example the `SSLKEYLOGFILE` environment variable is
+set). Also: if the application wants these powers to read or manage secrets
+that the user is otherwise not able to view (like credentials for a login
+etc), it should be noted that libcurl still might understand proxy environment
+variables that allow the user to redirect libcurl operations to use a proxy
+controlled by the user.