From 6c5e1420e248fb72cc400865401d19ff6c54a7e9 Mon Sep 17 00:00:00 2001 From: Matthew Heon Date: Thu, 16 Jun 2022 09:56:44 -0400 Subject: Make it clear the REST API could be a security issue The manpage for `podman system service` should mention that this is not safe for external consumption unless you are comfortable giving anyone who accesses it full root on the system. Signed-off-by: Matthew Heon --- docs/source/markdown/podman-system-service.1.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md index 176d73eda..99fde8ce4 100644 --- a/docs/source/markdown/podman-system-service.1.md +++ b/docs/source/markdown/podman-system-service.1.md @@ -21,6 +21,10 @@ The REST API provided by **podman system service** is split into two parts: a co Documentation for the latter is available at *https://docs.podman.io/en/latest/_static/api.html*. Both APIs are versioned, but the server will not reject requests with an unsupported version set. +Please note that the API grants full access to Podman's capabilities, and as such should be treated as allowing arbitrary code execution as the user running the API. +As such, we strongly recommend against making the API socket available via the network. +The default configuration (a Unix socket with permissions set to only allow the user running Podman) is the most secure way of running the API. + Note: The default systemd unit files (system and user) change the log-level option to *info* from *error*. This change provides additional information on each API call. ## OPTIONS -- cgit v1.2.3-54-g00ecf