From a809c3697d433515517ba07b85c5ba42b34ff7c1 Mon Sep 17 00:00:00 2001
From: schoen <schoen@loyalty.org>
Date: Wed, 27 Feb 2019 16:32:57 -0800
Subject: [PATCH] Warn sysadmins about privilege escalation risk (#6795)

---
 docs/install.rst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/install.rst b/docs/install.rst
index 35b262482..eae40c1f0 100644
--- a/docs/install.rst
+++ b/docs/install.rst
@@ -11,6 +11,8 @@ About Certbot
 
 *Certbot is meant to be run directly on a web server*, normally by a system administrator. In most cases, running Certbot on your personal computer is not a useful option. The instructions below relate to installing and running Certbot on a server.
 
+System administrators can use Certbot directly to request certificates; they should *not* allow unprivileged users to run arbitrary Certbot commands as ``root``, because Certbot allows its user to specify arbitrary file locations and run arbitrary scripts.
+
 Certbot is packaged for many common operating systems and web servers. Check whether
 ``certbot`` (or ``letsencrypt``) is packaged for your web server's OS by visiting
 certbot.eff.org_, where you will also find the correct installation instructions for