From 110032fb486c4491edbfafd906f5784f36bd0f51 Mon Sep 17 00:00:00 2001 From: Alvar Penning Date: Thu, 5 Feb 2026 22:52:35 +0100 Subject: snac(8): Words of caution for strip_exif configuration Add words of caution and reasoning to the "strip_exif" configuration for the server.json file, as these commands would be executed outside of the sandbox - at least on OpenBSD - and both have quite a history on security issues due to their huge attack surface and variety of supported protocols. After getting comfortable with the related code, I would continue using it on a personal instance, but would reconsider enabling "strip_exif" on shared instances with multiple users. IMO, snac administrators should at least know of potential dangers. --- doc/snac.8 | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/snac.8 b/doc/snac.8 index b5ec33c..78e1946 100644 --- a/doc/snac.8 +++ b/doc/snac.8 @@ -310,6 +310,17 @@ If set to true, EXIF and other metadata will be stripped from uploaded images (j tools to be installed. If .Nm snac cannot find or execute these tools at startup, it will refuse to run. +.Pp +When enabled, registered users might pass arbitrary files to +.Nm mogrify +or +.Nm ffmpeg . +These commands are being executed outside the sandbox and have a huge +attack surface. Exploits would be run as the +.Nm +system user. Reconsider enabling this on +.Nm +instances with unknown or untrusted users. .It Ic mogrify_path Overrides the default "mogrify" command name or path. Use this if the tool is not in the system PATH or has a different name. .It Ic ffmpeg_path -- cgit v1.2.3
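Review bot: the new paragraph in the doc/snac.8 hunk states "These commands are being executed outside the sandbox" as an unconditional fact, while the commit message only claims this "at least on OpenBSD"; either qualify the sentence in the man page (e.g. "On OpenBSD, these commands run outside the sandbox") or confirm the statement holds on the other supported platforms before merging, since the man page is what administrators will rely on. Style point: `.Nm mogrify` and `.Nm ffmpeg` use the mdoc page-name macro for external programs, whereas the surrounding text refers to the tools as quoted names and uses `.Ic` for option names; `.Xr mogrify 1` and `.Xr ffmpeg 1` would be the conventional cross-reference form. Minor wording: "are being executed" reads better as "are executed", and "Exploits would be run as the .Nm system user" as "An exploit would run as the .Nm system user".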