From f93b234401093c63e67f2ffc254f611eee4daf7c Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Wed, 27 Oct 2010 17:32:21 +0100 Subject: [PATCH] doc: Warn about security implications of running commands. --- src/guestfs.pod | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/guestfs.pod b/src/guestfs.pod index 305aa38..50e9f50 100644 --- a/src/guestfs.pod +++ b/src/guestfs.pod @@ -390,6 +390,22 @@ an X86 host). For SELinux guests, you may need to enable SELinux and load policy first. See L in this manpage. +=item * + +I It is not safe to run commands from untrusted, possibly +malicious guests. These commands may attempt to exploit your program +by sending unexpected output. They could also try to exploit the +Linux kernel or qemu provided by the libguestfs appliance. They could +use the network provided by the libguestfs appliance to bypass +ordinary network partitions and firewalls. They could use the +elevated privileges or different SELinux context of your program +to their advantage. + +A secure alternative is to use libguestfs to install a "firstboot" +script (a script which runs when the guest next boots normally), and +to have this script run the commands you want in the normal context of +the running guest, network security and so on. + =back The two main API calls to run commands are L and -- 1.8.3.1
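Review bot: the new `=item` lists the risks (unexpected command output, attacks on the appliance kernel/qemu, abuse of the appliance network, and of the caller's elevated privileges or SELinux context) but gives no guidance for callers who still have to run a command; consider adding a sentence that any output returned from a guest command must be treated as untrusted input (validated and length-limited before parsing) and that the appliance network should be left disabled unless the command needs it, since the paragraph itself names output and the network as the vectors. The "firstboot" alternative should also say that the script only runs at the guest's next normal boot, so its results are not available to the caller synchronously; readers choosing between the two approaches need that trade-off stated. Finally, the "See L in this manpage." reference just above the hunk and the new text would read better if the two main command-running API calls named in the following paragraph were cross-referenced from the warning, so the caveat is found from the calls it applies to.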