Adds kvmx-restricted-shell

author: Silvio Rhatto <rhatto@riseup.net> 2017-12-31 17:41:55 -0200
committer: Silvio Rhatto <rhatto@riseup.net> 2017-12-31 17:41:55 -0200
commit: 028accfd58fc446cd6b9b8bcc4cbbab1bff7911e (patch)
tree: ad156546cef8b160d31b57e20c8958d4e1284eb9 /kvmx-shell
parent: ba560f275675cdb42499c5b03f2593cde508da9b (diff)
download: kvmx-028accfd58fc446cd6b9b8bcc4cbbab1bff7911e.tar.gz
kvmx-028accfd58fc446cd6b9b8bcc4cbbab1bff7911e.tar.bz2
1 files changed, 10 insertions, 0 deletions
diff --git a/kvmx-shell b/kvmx-shell
index 5149087..a8a7eb1 100755
--- a/kvmx-shell
+++ b/kvmx-shell
@@ -22,4 +22,14 @@
 DIRNAME="`dirname $0`"
 
 # Dispatch
+#
+# WARNING: this is not a restricted shell. By using the "config" action
+# one can easilly run arbitrary commands. So assume kvmx-shell is just
+# a utility wrapper for kvmx and not a complete isolation sollution.
+#
+# Assume this shell is as safe as giving /bin/bash access to the user.
+#
+# You might use `kvmx-restricted-shell` instead of use it as an example to
+# build a restricted shell by allowing just a small subset of kvmx commands
+# like starting/stopping the guest.
 $DIRNAME/kvmx shell $USER
author	Silvio Rhatto <rhatto@riseup.net>	2017-12-31 17:41:55 -0200
committer	Silvio Rhatto <rhatto@riseup.net>	2017-12-31 17:41:55 -0200
commit	028accfd58fc446cd6b9b8bcc4cbbab1bff7911e (patch)
tree	ad156546cef8b160d31b57e20c8958d4e1284eb9 /kvmx-shell
parent	ba560f275675cdb42499c5b03f2593cde508da9b (diff)
download	kvmx-028accfd58fc446cd6b9b8bcc4cbbab1bff7911e.tar.gz kvmx-028accfd58fc446cd6b9b8bcc4cbbab1bff7911e.tar.bz2