Skip to content

Improved security section in rustdoc for current_exe #150828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sourcefrog wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Improved security section in rustdoc for current_exe #150828

sourcefrog wants to merge 5 commits into from
+12 −19

Conversation

@sourcefrog
Copy link
Contributor

@sourcefrog sourcefrog commented Jan 8, 2026
edited
Loading

A few improvements to the security section of the docs about current_exe

  1. The explanatory link is broken.
  2. It basically previously says to never trust the result, which is IMO too pessimistic to be helpful. It's worth understanding the behavior but if you have a use case to re-exec the current program, which is not uncommon, this is a reasonable way to do it.
  3. The particular risk is about setuid/setgid processes that shouldn't fully trust the user that spawned them.
  4. IMO the most important risk with this function is that the invoker can control argv and PATH, so I made this more explicit. (Many unixes, including Linux, don't rely on them in the implementation, but some do.)
  5. The previous text about TOCTOU and races is IMO not really coherent: if an attacker can write to the location where you're going to re-exec, they can fundamentally control what program is executed. They don't need to race with your execution of current_exe, and there is no up-front check.
  6. Briefly explain the pattern of CVE-2009-1894: on Linux, depending on system configuration, an attacker who can create hardlinks to the executable can potentially control /proc/self/exe. On modern Linux this should normally require permission to write to the executable.

I did some web research for "argv0 vulnerability" and similar terms and didn't find anything else we should be documenting here. (There are issues about argc=0 but those should be prevented by memory safety in Rust.)

I found what the link seemed to be pointing to in https://vulners.com/cve/CVE-2009-1894, which talks about confusing a setuid program by creating a hardlink to its exe. I think this is in very particular circumstances something people should still be concerned about: a setuid program on a machine with fs.protected_hardlinks = 0. I don't think this justifies warning people not to use the function at all.

cc @mgeisler

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Jan 8, 2026
@rustbot
Copy link
Collaborator

rustbot commented Jan 8, 2026

r? @tgross35

rustbot has assigned @tgross35.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@jieyouxu
Copy link
Member

jieyouxu commented Jan 9, 2026

cc @rust-lang/security

@rust-log-analyzer

This comment has been minimized.

Sign in to view
cuviper
cuviper reviewed Jan 9, 2026
View reviewed changes
@sourcefrog sourcefrog changed the title Clarify text about current_exe security and remove broken link Improved security section in rustdoc for current_exe Jan 9, 2026
mgeisler
mgeisler approved these changes Jan 10, 2026
View reviewed changes
Copy link
Contributor

@mgeisler mgeisler left a comment
edited by rustbot
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this: I don't think the Rust standard library is the right place to educate people about specific attacks. So keeping the documentation short and simply reminding people to not blindly trust the output seems good.

View changes since this review

@tgross35
Copy link
Contributor

tgross35 commented Jan 10, 2026

Since you've already taken a look,
r? @cuviper

@rustbot rustbot assigned cuviper and unassigned tgross35 Jan 10, 2026
@sourcefrog
Copy link
Contributor Author

sourcefrog commented Jan 11, 2026

See also #150824 improving other parts of this function's rustdoc.

sourcefrog
sourcefrog commented Jan 11, 2026
View reviewed changes
cuviper
cuviper reviewed Jan 13, 2026
View reviewed changes
@sourcefrog sourcefrog requested a review from cuviper January 13, 2026 01:19
@rust-log-analyzer

This comment has been minimized.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cuviper cuviper Awaiting requested review from cuviper

1 more reviewer

@mgeisler mgeisler mgeisler approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@cuviper cuviper

Labels

S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@sourcefrog @rustbot @jieyouxu @rust-log-analyzer @tgross35 @cuviper @mgeisler