Add `Notes` section to `RunCmdAsUser()` comments

2024-10-25 22:29:35 +02:00 · 2024-10-25 22:29:35 +02:00 · 181f59c2af
parent ae64484955
commit 181f59c2af
1 changed files with 12 additions and 0 deletions
--- a/include/functions
+++ b/include/functions
@ -3043,6 +3043,18 @@
    #
    # Parameters  : $@ = command arguments
    # Returns     : None (executes the command as the appropriate user)
+	# Notes       : This allows dropping permissions for specific commands when
+	#               lynis is invoked as root, preventing privilege escalation
+	#               risks (CWE-250, CWE-271).
+	#
+	#               By isolating privileged code and dropping said privileges as
+	#               soon as possible, we can execute tools with their proper
+	#               permissions, such as in the case of Homebrew.
+	#
+	#               When available, we use `sudo` and `su`. For a strictly
+	#               POSIX-compliant environment, a C implementation could be
+	#               made using `setgid()` and `setuid()`.
+    ################################################################################
    ################################################################################

    RunCmdAsUser() {