summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthew Heon <mheon@redhat.com>2022-06-16 09:56:44 -0400
committerMatthew Heon <mheon@redhat.com>2022-06-16 09:56:44 -0400
commit6c5e1420e248fb72cc400865401d19ff6c54a7e9 (patch)
treef1901f3c2208d9bf939b612e94eaddc8cb2f21d2
parentea18b9463e9da9adee194c0a1142b8d55b33c9fe (diff)
downloadpodman-6c5e1420e248fb72cc400865401d19ff6c54a7e9.tar.gz
podman-6c5e1420e248fb72cc400865401d19ff6c54a7e9.tar.bz2
podman-6c5e1420e248fb72cc400865401d19ff6c54a7e9.zip
Make it clear the REST API could be a security issue
The manpage for `podman system service` should mention that this is not safe for external consumption unless you are comfortable giving anyone who accesses it full root on the system. Signed-off-by: Matthew Heon <mheon@redhat.com>
-rw-r--r--docs/source/markdown/podman-system-service.1.md4
1 files changed, 4 insertions, 0 deletions
diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md
index 176d73eda..99fde8ce4 100644
--- a/docs/source/markdown/podman-system-service.1.md
+++ b/docs/source/markdown/podman-system-service.1.md
@@ -21,6 +21,10 @@ The REST API provided by **podman system service** is split into two parts: a co
Documentation for the latter is available at *https://docs.podman.io/en/latest/_static/api.html*.
Both APIs are versioned, but the server will not reject requests with an unsupported version set.
+Please note that the API grants full access to Podman's capabilities, and as such should be treated as allowing arbitrary code execution as the user running the API.
+As such, we strongly recommend against making the API socket available via the network.
+The default configuration (a Unix socket with permissions set to only allow the user running Podman) is the most secure way of running the API.
+
Note: The default systemd unit files (system and user) change the log-level option to *info* from *error*. This change provides additional information on each API call.
## OPTIONS