From 181f59c2aff07eb46b0130b08775797bb579550a Mon Sep 17 00:00:00 2001
From: Neved4 <63655535+Neved4@users.noreply.github.com>
Date: Fri, 25 Oct 2024 22:29:35 +0200
Subject: [PATCH] Add `Notes` section to `RunCmdAsUser()` comments

---
 include/functions | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/include/functions b/include/functions
index 2bfae8db..1459c072 100644
--- a/include/functions
+++ b/include/functions
@@ -3043,6 +3043,18 @@
     #
     # Parameters  : $@ = command arguments
     # Returns     : None (executes the command as the appropriate user)
+	# Notes       : This allows dropping permissions for specific commands when
+	#               lynis is invoked as root, preventing privilege escalation
+	#               risks (CWE-250, CWE-271).
+	#
+	#               By isolating privileged code and dropping said privileges as
+	#               soon as possible, we can execute tools with their proper
+	#               permissions, such as in the case of Homebrew.
+	#
+	#               When available, we use `sudo` and `su`. For a strictly
+	#               POSIX-compliant environment, a C implementation could be
+	#               made using `setgid()` and `setuid()`.
+    ################################################################################
     ################################################################################
 
     RunCmdAsUser() {