From 6c5e1420e248fb72cc400865401d19ff6c54a7e9 Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Thu, 16 Jun 2022 09:56:44 -0400
Subject: [PATCH] Make it clear the REST API could be a security issue

The manpage for `podman system service` should mention that this
is not safe for external consumption unless you are comfortable
giving anyone who accesses it full root on the system.

Signed-off-by: Matthew Heon <mheon@redhat.com>
---
 docs/source/markdown/podman-system-service.1.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md
index 176d73eda7..99fde8ce49 100644
--- a/docs/source/markdown/podman-system-service.1.md
+++ b/docs/source/markdown/podman-system-service.1.md
@@ -21,6 +21,10 @@ The REST API provided by **podman system service** is split into two parts: a co
 Documentation for the latter is available at *https://docs.podman.io/en/latest/_static/api.html*.
 Both APIs are versioned, but the server will not reject requests with an unsupported version set.
 
+Please note that the API grants full access to Podman's capabilities, and as such should be treated as allowing arbitrary code execution as the user running the API.
+As such, we strongly recommend against making the API socket available via the network.
+The default configuration (a Unix socket with permissions set to only allow the user running Podman) is the most secure way of running the API.
+
 Note: The default systemd unit files (system and user) change the log-level option to *info* from *error*. This change provides additional information on each API call.
 
 ## OPTIONS
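Review bot: The first added line limits the impact to code execution "as the user running the API", while the commit message describes the risk as "full root on the system"; the manpage text never says that a service started as root gives API clients root. Consider adding a sentence after that line stating that when the service runs as root, access to the API is equivalent to root on the host, so the warning matches the stated intent. Minor style point: the first two added sentences both lean on "as such" ("and as such should be treated", "As such, we strongly recommend"); the second could open with "We therefore strongly recommend against ...". Since the existing paragraph just below is introduced with "Note:", a similar lead word or bold text on this warning would help it stand out from the surrounding description.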