snac(8): Words of caution for strip_exif configuration

Add words of caution and reasoning to the "strip_exif" configuration for the server.json file, as these commands would be executed outside of the sandbox - at least on OpenBSD - and both have quite a history on security issues due to their huge attack surface and variety of supported protocols. After getting comfortable with the related code, I would continue using it on a personal instance, but would reconsider enabling "strip_exif" on shared instances with multiple users. IMO, snac administrators should at least know of potential dangers.
author: Alvar Penning 2026-02-05 22:52:35 +0100
committer: Alvar Penning 2026-02-05 22:52:35 +0100
commit: 110032fb486c4491edbfafd906f5784f36bd0f51 (patch)
tree: 86cde217a30f7c654c332e1b4434fe81f55494a1
parent: Updated TODO. (diff)
download: snac2-110032fb486c4491edbfafd906f5784f36bd0f51.tar.gz
snac2-110032fb486c4491edbfafd906f5784f36bd0f51.tar.xz
snac2-110032fb486c4491edbfafd906f5784f36bd0f51.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/doc/snac.8 b/doc/snac.8
index b5ec33c..78e1946 100644
--- a/doc/snac.8
+++ b/doc/snac.8
@@ -310,6 +310,17 @@ If set to true, EXIF and other metadata will be stripped from uploaded images (j
 tools to be installed. If
 .Nm snac
 cannot find or execute these tools at startup, it will refuse to run.
+.Pp
+When enabled, registered users might pass arbitrary files to
+.Nm mogrify
+or
+.Nm ffmpeg .
+These commands are being executed outside the sandbox and have a huge
+attack surface. Exploits would be run as the
+.Nm
+system user. Reconsider enabling this on
+.Nm
+instances with unknown or untrusted users.
 .It Ic mogrify_path
 Overrides the default "mogrify" command name or path. Use this if the tool is not in the system PATH or has a different name.
 .It Ic ffmpeg_path
author	Alvar Penning	2026-02-05 22:52:35 +0100
committer	Alvar Penning	2026-02-05 22:52:35 +0100
commit	110032fb486c4491edbfafd906f5784f36bd0f51 (patch)
tree	86cde217a30f7c654c332e1b4434fe81f55494a1
parent	Updated TODO. (diff)
download	snac2-110032fb486c4491edbfafd906f5784f36bd0f51.tar.gz snac2-110032fb486c4491edbfafd906f5784f36bd0f51.tar.xz snac2-110032fb486c4491edbfafd906f5784f36bd0f51.zip

diff --git a/doc/snac.8 b/doc/snac.8 index b5ec33c..78e1946 100644 --- a/doc/snac.8 +++ b/doc/snac.8
@@ -310,6 +310,17 @@ If set to true, EXIF and other metadata will be stripped from uploaded images (j
310	tools to be installed. If	310	tools to be installed. If
311	.Nm snac	311	.Nm snac
312	cannot find or execute these tools at startup, it will refuse to run.	312	cannot find or execute these tools at startup, it will refuse to run.
		313	.Pp
		314	When enabled, registered users might pass arbitrary files to
		315	.Nm mogrify
		316	or
		317	.Nm ffmpeg .
		318	These commands are being executed outside the sandbox and have a huge
		319	attack surface. Exploits would be run as the
		320	.Nm
		321	system user. Reconsider enabling this on
		322	.Nm
		323	instances with unknown or untrusted users.
313	.It Ic mogrify_path	324	.It Ic mogrify_path
314	Overrides the default "mogrify" command name or path. Use this if the tool is not in the system PATH or has a different name.	325	Overrides the default "mogrify" command name or path. Use this if the tool is not in the system PATH or has a different name.
315	.It Ic ffmpeg_path	326	.It Ic ffmpeg_path