author | Matthew Heon <mheon@redhat.com> | 2022-06-16 09:56:44 -0400 |
---|---|---|
committer | Matthew Heon <mheon@redhat.com> | 2022-06-16 09:56:44 -0400 |
commit | 6c5e1420e248fb72cc400865401d19ff6c54a7e9 (patch) | |
tree | f1901f3c2208d9bf939b612e94eaddc8cb2f21d2 /docs/source/markdown/podman-system-service.1.md | |
parent | ea18b9463e9da9adee194c0a1142b8d55b33c9fe (diff) | |
Make it clear the REST API could be a security issue
The manpage for `podman system service` should mention that this
is not safe for external consumption unless you are comfortable
giving anyone who accesses it full root on the system.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Diffstat (limited to 'docs/source/markdown/podman-system-service.1.md')
-rw-r--r-- | docs/source/markdown/podman-system-service.1.md | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md index 176d73eda..99fde8ce4 100644 --- a/docs/source/markdown/podman-system-service.1.md +++ b/docs/source/markdown/podman-system-service.1.md @@ -21,6 +21,10 @@ The REST API provided by **podman system service** is split into two parts: a co Documentation for the latter is available at *https://docs.podman.io/en/latest/_static/api.html*. Both APIs are versioned, but the server will not reject requests with an unsupported version set. +Please note that the API grants full access to Podman's capabilities, and as such should be treated as allowing arbitrary code execution as the user running the API. +As such, we strongly recommend against making the API socket available via the network. +The default configuration (a Unix socket with permissions set to only allow the user running Podman) is the most secure way of running the API. + Note: The default systemd unit files (system and user) change the log-level option to *info* from *error*. This change provides additional information on each API call. ## OPTIONS |
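Review bot: The added paragraph only says API access amounts to arbitrary code execution "as the user running the API", so the stronger point in the commit message (full root on the system) never reaches the manpage text. The context line right after it mentions both the system and user systemd units, so consider stating outright that when the service runs as root, anyone who can reach the API has root on the host. As a style point, the first two added sentences both use "as such" ("and as such should be treated", "As such, we strongly recommend"); rewording the second, for example to "We therefore strongly recommend against making the API socket available via the network", would read more cleanly. The paragraph also sits inline between the versioning sentence and the log-level note, where it is easy to skim past; giving it the same "Note:" style prefix as the following line, or a stronger marker, would make the warning harder to miss.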