From: Richard W.M. Jones <rjones@redhat.com>
Date: Wed, 27 Oct 2010 16:32:21 +0000 (+0100)
Subject: doc: Warn about security implications of running commands.
X-Git-Tag: 1.5.25~13
X-Git-Url: http://git.annexia.org/?a=commitdiff_plain;h=f93b234401093c63e67f2ffc254f611eee4daf7c;p=libguestfs.git

doc: Warn about security implications of running commands.
---

diff --git a/src/guestfs.pod b/src/guestfs.pod
index 305aa38..50e9f50 100644
--- a/src/guestfs.pod
+++ b/src/guestfs.pod
@@ -390,6 +390,22 @@ an X86 host).
 For SELinux guests, you may need to enable SELinux and load policy
 first.  See L</SELINUX> in this manpage.
 
+=item *
+
+I<Security:> It is not safe to run commands from untrusted, possibly
+malicious guests.  These commands may attempt to exploit your program
+by sending unexpected output.  They could also try to exploit the
+Linux kernel or qemu provided by the libguestfs appliance.  They could
+use the network provided by the libguestfs appliance to bypass
+ordinary network partitions and firewalls.  They could use the
+elevated privileges or different SELinux context of your program
+to their advantage.
+
+A secure alternative is to use libguestfs to install a "firstboot"
+script (a script which runs when the guest next boots normally), and
+to have this script run the commands you want in the normal context of
+the running guest, network security and so on.
+
 =back
 
 The two main API calls to run commands are L</guestfs_command> and
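Review bot: the closing clause of the second added paragraph, "in the normal context of the running guest, network security and so on", reads loosely; consider "in the normal context of the running guest, subject to the guest's own network security and other policies". Since the first added paragraph warns that commands may exploit the calling program by sending unexpected output, it would also help to state explicitly that the output returned by L</guestfs_command> (introduced just below this hunk) must be treated as untrusted input and validated before use, so the reader connects the warning to the API they are about to call.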