readme: Add a note about sandbox security; NFC

d3e4d7d4 · Daan Sprenkels · 5f43c291 · d3e4d7d4
Commit d3e4d7d4 authored Oct 30, 2020 by Daan Sprenkels
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

README.md README.md +11 -0

No files found.
--- a/README.md
+++ b/README.md
@@ -26,6 +26,17 @@ cargo uninstall maruska
 Cargo currently has no support for "regular" upgrading of installed packages.
 You can force a reinstall, however, using:

+## Security
+
+A user running maruska can request the help screen.  `man` will use the system
+preferred pager program (set by `$PAGER` and `$MANPAGER`).  If this is set to
+`less`, the user can execute any command by default.
+
+If you intend to sandbox this program, to allow usage for anonymous users, make
+sure that you _completely_ sandbox the process tree and file system. The user
+can run arbitrary code through the maruska process, and maruska is not designed
+to provide any security to prevent this.
+
 ```shell
 cargo install --force --git https://gitlab.science.ru.nl/dsprenkels/maruska.git
 ```
\ No newline at end of file