diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go index db4a08f5d5..6c2d9bf44b 100644 --- a/cmd/podman/system/service_abi.go +++ b/cmd/podman/system/service_abi.go @@ -81,6 +81,12 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities } } case "tcp": + // We want to check if the user is requesting a TCP address. + // If so, warn that this is insecure. + // Ignore errors here, the actual backend code will handle them + // better than we can here. + logrus.Warnf("Using the Podman API service with TCP sockets is not recommended, please see `podman system service` manpage for details") + host := uri.Host if host == "" { // For backward compatibility, support "tcp::" and "tcp://:" diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md index d039f48ccb..a7591cca65 100644 --- a/docs/source/markdown/podman-system-service.1.md +++ b/docs/source/markdown/podman-system-service.1.md @@ -66,9 +66,14 @@ To access the API service inside a container: - mount the socket as a volume - run the container with `--security-opt label=disable` -Please note that the API grants full access to Podman's capabilities, and allows arbitrary code execution as the user running the API. -We strongly recommend against making the API socket available via the network. -The default configuration (a Unix socket with permissions set to only allow the user running Podman) is the most secure way of running the API. +### Security + +Please note that the API grants full access to all Podman functionality, and thus allows arbitrary code execution as the user running the API, with no ability to limit or audit this access. +The API's security model is built upon access via a Unix socket with access restricted via standard file permissions, ensuring that only the user running the service will be able to access it. +We *strongly* recommend against making the API socket available via the network (IE, bindings the service to a *tcp* URL). +Even access via Localhost carries risks - anyone with access to the system will be able to access the API. +If remote access is required, we instead recommend forwarding the API socket via SSH, and limiting access on the remote machine to the greatest extent possible. +If a *tcp* URL must be used, using the *--cors* option is recommended to improve security. ## OPTIONS diff --git a/test/system/271-tcp-cors-server.bats b/test/system/271-tcp-cors-server.bats index 7282050a5c..834beecd61 100644 --- a/test/system/271-tcp-cors-server.bats +++ b/test/system/271-tcp-cors-server.bats @@ -16,13 +16,18 @@ SOCKET_FILE="$UNIT_DIR/$SERVICE_NAME.socket" @test "podman system service - tcp CORS" { skip_if_remote "system service tests are meaningless over remote" PORT=$(random_free_port 63000-64999) - $PODMAN system service --cors="*" tcp:$SERVICE_TCP_HOST:$PORT -t 20 & + log=${PODMAN_TMPDIR}/system-service.log + $PODMAN system service --cors="*" tcp:$SERVICE_TCP_HOST:$PORT -t 20 2> $log & podman_pid="$!" sleep 5s run curl -s --max-time 10 -vvv $SERVICE_TCP_HOST:$PORT/_ping 2>&1 is "$output" ".*< Access-Control-Allow-Origin: \*.*" "access-control-allow-origin verifies CORS is set" kill $podman_pid wait $podman_pid || true + + # Running server over TCP is a bad idea. We should see a warning + assert "$(< $log)" =~ "Using the Podman API service with TCP sockets" \ + "podman warns about server on TCP" } @test "podman system service - tcp without CORS" {