author    Richard W.M. Jones <rjones@redhat.com>    2010-10-27 17:32:21 +0100
committer Richard W.M. Jones <rjones@redhat.com>    2010-10-28 15:16:14 +0100
commit    f93b234401093c63e67f2ffc254f611eee4daf7c (patch)
tree      f127846a9299eab96500a979f74793e4655baa17 /src
parent    e3851914de6bad3deb869ba865d2a6eb53c83151 (diff)
doc: Warn about security implications of running commands.
Diffstat (limited to 'src')
-rw-r--r--    src/guestfs.pod    16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/guestfs.pod b/src/guestfs.pod
index 305aa382..50e9f50b 100644
--- a/src/guestfs.pod
+++ b/src/guestfs.pod
@@ -390,6 +390,22 @@ an X86 host).
For SELinux guests, you may need to enable SELinux and load policy
first. See L</SELINUX> in this manpage.
+=item *
+
+I<Security:> It is not safe to run commands from untrusted, possibly
+malicious guests. These commands may attempt to exploit your program
+by sending unexpected output. They could also try to exploit the
+Linux kernel or qemu provided by the libguestfs appliance. They could
+use the network provided by the libguestfs appliance to bypass
+ordinary network partitions and firewalls. They could use the
+elevated privileges or different SELinux context of your program
+to their advantage.
+
+A secure alternative is to use libguestfs to install a "firstboot"
+script (a script which runs when the guest next boots normally), and
+to have this script run the commands you want in the normal context of
+the running guest, network security and so on.
+
=back
The two main API calls to run commands are L</guestfs_command> and
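Review bot: The closing sentence of the new paragraph, "in the normal context of the running guest, network security and so on," is grammatically loose and does not say what "network security and so on" modifies; suggest "in the normal context of the running guest, subject to the guest's own network security and other controls". Two smaller points on the same hunk: "A secure alternative" overstates the claim, since the commands still run, just inside the guest rather than in the appliance, so "A safer alternative" matches the threat model the paragraph describes (appliance kernel/qemu exploitation, network partition bypass, inherited privileges or SELinux context); and the "firstboot" mechanism is introduced by name only, so if the manual has a section or API describing how such a script is installed, an L</...> cross-reference there, in the same style as the L</SELINUX> reference just above, would help readers act on the advice.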