author | Colin Walters <walters@verbum.org> | 2012-03-13 14:18:45 -0400 |
---|---|---|
committer | Colin Walters <walters@verbum.org> | 2012-03-13 14:18:45 -0400 |
commit | 14e885f2b1dc2a54b54d07b267274a0b254610da (patch) | |
tree | 5e9cd8a28708981becf5605372da4cea36882391 | |
parent | c7dd5aea7b29c36394ae23b4eaf8284869337236 (diff) | |
download | linux-user-chroot-14e885f2b1dc2a54b54d07b267274a0b254610da.tar.gz |
docs: Add README.newnet, tweak README a bit
-rw-r--r-- | README | 9 | ||||
-rw-r--r-- | README.newnet | 29 | ||||
-rw-r--r-- | configure.ac | 2 |
3 files changed, 39 insertions, 1 deletions
@@ -67,3 +67,12 @@ $ linux-user-chroot --unshare-pid --unshare-net --unshare-pid \ Here we're creating a bind mount inside the chroot to outside. This helps avoid copying files around. + +Installing +---------- + +This binary can be installed in two modes: + +1) uwsr-xr-x root:root - Executable by everyone +2) uwsr-x--- root:somegroup - Executable only by somegroup + diff --git a/README.newnet b/README.newnet new file mode 100644 index 0000000..2c247ec --- /dev/null +++ b/README.newnet @@ -0,0 +1,29 @@ +newnet helper +------------- + +This is an optional helper program that simply allows calling +CLONE_NEWNET and executing a child process. The reason this program +exists as an option is because on some Linux kernel configurations +(e.g. with the netfilter kernel module loaded), it's expensive to +create new network namespaces, and it may actually fail. + +linux-user-chroot is intended to create namespaces quite dynamically, +but this conflicts somewhat with the goals of the developers who +contributed the functionality for typically more static "containers". + +If you don't need this helper as a workaround, don't build it. + +Caveat +------ + +This helper program does NOT restrict further execution of setuid +binaries. Otherwise, you couldn't run linux-user-chroot inside of it, +and that would defeat the point. + +However I don't believe the attack surface exposed by making an empty +network namespace is very high - it does mean that e.g. one could make +"sudo" fail to look up the username if it's configured to use LDAP. + +But most setuid programs *should* be carefully checking errors +anyways. + diff --git a/configure.ac b/configure.ac index 20c992b..0a51ee8 100644 --- a/configure.ac +++ b/configure.ac 
@@ -31,7 +31,7 @@ AM_CONDITIONAL(HAVE_XSLTPROC, test x"$XSLTPROC" != x) AC_ARG_ENABLE(newnet-helper, AC_HELP_STRING([--enable-newnet-helper], - [build newnet helper]),, + [build newnet helper (see README.newnet)]),, enable_newnet_helper=no) AM_CONDITIONAL(BUILD_NEWNET_HELPER, test x$enable_newnet_helper = xyes) |
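Review bot: In the README hunk, the two permission strings "uwsr-xr-x" and "uwsr-x---" are not what ls -l prints and may confuse readers; suggest the standard forms "-rwsr-xr-x root:root (mode 4755)" and "-rwsr-x--- root:somegroup (mode 4750)", and a sentence saying that the setuid bit is required in both modes and that the second mode limits who can invoke the setuid binary to members of somegroup. The context line "$ linux-user-chroot --unshare-pid --unshare-net --unshare-pid \" also repeats --unshare-pid; worth dropping the duplicate while the file is being touched.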
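Review bot: README.newnet never says how the helper is invoked or that it is itself installed setuid, even though the Caveat section only makes sense if it is; suggest a short usage line (the binary name and how it wraps the child command) and an explicit statement of what happens when CLONE_NEWNET fails, since the motivation paragraph says namespace creation "may actually fail". The Caveat's closing argument that "most setuid programs *should* be carefully checking errors anyways" is an assumption about other programs rather than a property of this helper; it would be stronger to point readers at the group-restricted install mode from README ("-rwsr-x--- root:somegroup") as the mitigation for who can create an empty network namespace.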
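Review bot: In the configure.ac hunk, the help-string change is fine, but AC_HELP_STRING is an obsolete autoconf macro; while editing this line it could be switched to AS_HELP_STRING([--enable-newnet-helper], [build newnet helper (see README.newnet)]) with no other change. The default enable_newnet_helper=no is kept, which matches the README.newnet advice not to build the helper unless needed.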