It is important never to pass a string with user-supplied data as a format without using "%s". An attacker can put format specifiers in the string to mangle your stack, leading to a possible security hole. This holds true even if you have built the string "by hand" using a function like snprintf(), as the resulting string may still contain user-supplied conversion specifiers for later interpolation by setproctitle().
Always be sure to use the proper secure idiom:
setproctitle("%s", string);
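The following is an added example, not code from the original page or from any libc: because setproctitle(3) is not available everywhere, mock_setproctitle() stands in for it using vsnprintf() into an inspectable buffer, count_conversions() shows how many specifiers a string built "by hand" with snprintf() still carries, and set_title_safely() installs that string with the secure "%s" idiom (all three names are assumptions made for this example).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for setproctitle(3): formats exactly like the
 * real call would, but stores the result so it can be examined. */
static char title_buf[256];

static void mock_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(title_buf, sizeof title_buf, fmt, ap);
    va_end(ap);
}

/* Count the conversion specifiers that would be interpreted if this
 * string were ever handed to a printf-style function as the format:
 * every '%' that is not escaped as "%%". */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build a title "by hand" from user-supplied data, then install it with
 * the secure idiom. The built string is safe as an argument but never
 * as a format, so it is only ever passed behind a fixed "%s". */
const char *set_title_safely(const char *progname, const char *user_data)
{
    char built[128];
    snprintf(built, sizeof built, "%s: %s", progname, user_data);
    mock_setproctitle("%s", built);
    return title_buf;
}
```

With constructed input "%s%s%s", the installed title is the literal text "myprog: %s%s%s" and count_conversions() on it reports 3, which is exactly what would have been interpolated had the built string been passed as the format.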