From b8c11f64569b4fdd365bf9f0d6b2bb24b0420707 Mon Sep 17 00:00:00 2001 From: "Manuel Amador (Rudd-O)" Date: Wed, 12 Oct 2016 17:27:40 +0000 Subject: [PATCH] Documentation improvements --- doc/Remote management of Qubes OS servers.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/doc/Remote management of Qubes OS servers.md b/doc/Remote management of Qubes OS servers.md index 997934a..37bff07 100644 --- a/doc/Remote management of Qubes OS servers.md +++ b/doc/Remote management of Qubes OS servers.md @@ -1,6 +1,6 @@ # Remote management of Qubes OS servers -This tutorial will help you combine [Qubes network server](https://github.com/Rudd-O/qubes-network-server) and Ansible to remotely manage a Qubes OS machine, and all VMs within it. +This tutorial will help you combine [Qubes network server](https://github.com/Rudd-O/qubes-network-server) and Ansible to remotely manage a Qubes OS machine, and some or all VMs within it. ## Set up the SSH access on the Qubes server @@ -22,6 +22,18 @@ exp-manager $anyvm allow This tells Qubes OS that `exp-manager` is now authorized to run any command in any of the VMs. +**Security note**: this does mean that anyone with access to `exp-manager` can do +literally anything on any of your VMs in your Qubes OS server. + +If that is not what you want, then replace `$anyvm` with the name of the VMs you would like +to manage. For example: if you would like `exp-manager` to be authorized to run commands +*only* on `exp-net`, then you can use the following policy: + +``` +exp-manager exp-net allow +exp-manager $anyvm deny +``` + Try it out now. SSH from your manager machine into `exp-manager` and run: ``` 
@@ -32,7 +44,8 @@ You should see `yes` followed by `exp-net` on the output side. ### If you want `exp-manager` to also run commands on `dom0` -If you expect that you will need to run commands in `dom0` from your manager machine, +If you expect that you will need to run commands in `dom0` from your manager machine +(say, to create, stop, start and modify VMs in the Qubes OS server), then you will have to create a file `/etc/qubes-rpc/qubes.VMShell` as `root` in `dom0`, with the contents `/bin/bash` and permission mode `0644`. Doing this will enable you to run commands on `dom0` which you can subsequently test in `exp-manager` by running command: @@ -43,6 +56,9 @@ qvm-run dom0 'echo yes ; hostname' like you did before. +**Security note**: this does mean that anyone with access to `exp-manager` can do +literally anything on your Qubes OS server. + ## Integrate your Ansible setup Assuming you have set up Ansible on your manager machine, [integrate
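Review bot: the two-line policy example in the second hunk (`exp-manager exp-net allow` followed by `exp-manager $anyvm deny`) only works because qrexec policy is evaluated top to bottom with the first matching line winning; say that explicitly, since a reader who puts the `$anyvm deny` line first locks `exp-manager` out of `exp-net` as well. The sentence above it also says "replace `$anyvm` with the name of the VMs" in the plural while the example shows a single target, so add that one `allow` line is needed per managed VM, all of them placed before the closing `deny`.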
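Review bot: the `dom0` hunk still tells the reader to create `/etc/qubes-rpc/qubes.VMShell` in `dom0` without saying whether the policy from the earlier section (`exp-manager $anyvm allow`, or the narrower per-VM variant just introduced) also authorizes `dom0` as a target; a reader following the narrowed policy cannot tell from the text whether an additional `exp-manager dom0 allow` line is required before the `qvm-run dom0 'echo yes ; hostname'` test can succeed, so state it either way.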
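Review bot: the second security note in the last hunk is placed after the file has already been created and tested; move it to the top of the `dom0` section, before the instruction to create the file, so the reader sees it first. It should also be stronger than the VM-level note it mirrors: a shell in `dom0` is full control of the host, every VM and every disk, so spell out that `exp-manager`, and the manager machine holding the SSH key that reaches it, must then be trusted exactly as much as `dom0` itself.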