| author | Colin Walters <walters@verbum.org> | 2012-04-24 08:37:28 -0400 |
|---|---|---|
| committer | Colin Walters <walters@verbum.org> | 2012-04-24 08:37:28 -0400 |
| commit | 89e30f023676530525414ed41afb261f6baf5529 (patch) | |
| tree | fe50aa8599cdb2eec4deedc09e7b4a938d804b25 | |
| parent | c689880fe2a2523ca8b4d8e31a22cbf91b7d5047 (diff) | |
| download | linux-user-chroot-89e30f023676530525414ed41afb261f6baf5529.tar.gz | |
README: Improve
-rw-r--r-- | README | 43 |
1 files changed, 33 insertions, 10 deletions
@@ -1,13 +1,23 @@ -Motivation ----------- +Summary +------- + +This tool allows regular (non-root) users to call chroot(2), create +Linux bind mounts, and use some Linux container features. It's +primarily intended for use by build systems. + +Project information +------------------- -It's really useful for build systems to be able to call chroot(2) as a -regular (non-root) user. +There's no web page yet; send patches to +Colin Walters <walters@verbum.org> -First, it ensures that the build isn't picking up files it shouldn't -be. This helps avoid the problem of "host contamination", where -e.g. we want libfoo.h from inside our root, not the one outside the -root. +Why is this useful? +------------------- + +For build systems, being inside a chroot ensures that the build isn't +picking up files it shouldn't be. This helps avoid the problem of +"host contamination", where e.g. we want libfoo.h from inside our +root, not the one outside the root. Second, it helps avoid the fragility inherent in having to set up a large set of environment variables pointing to our root (e.g. PATH, 
@@ -17,13 +27,27 @@ the same as it normally is (/bin:/usr/bin). Security -------- +**** IMPORTANT NOTE **** + +Installing this tool accessible to all users significantly increases +their ability to perform local, authenticated denial of service +attacks. The intended mitigation against this is to ensure the tool +is only executable by certain users. + +**** IMPORTANT NOTE **** + The historical reason Unix doesn't allow chroot(2) as non-root is because of setuid binaries. It's trivial to use chroot to create a hostile environment, then execute a setuid binary to subvert it. This tool closes that historical hole by simply disallowing privilege gain by execution of setuid binaries. It creates a "nosuid" bind -mount over "/". +mount over "/". This restriction is typically irrelevant for build +systems. + +However, this tool also allows creating bind mounts, which currently +have no resource controls. This is why this tool is not intended to +be installed by default. Abilities granted ----------------- @@ -75,4 +99,3 @@ This binary can be installed in two modes: 1) uwsr-xr-x root:root - Executable by everyone 2) uwsr-x--- root:somegroup - Executable only by somegroup - |
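Review bot: in the first hunk (@@ -1,13 +1,23 @@), the "Why is this useful?" section now opens with "For build systems, being inside a chroot ensures that the build isn't picking up files it shouldn't be" and is immediately followed by the unchanged context line "Second, it helps avoid the fragility ...", so the reader meets a "Second" with no "First". Either keep an explicit "First," in the rewritten sentence or change the following paragraph to "It also helps avoid the fragility ...". The new "Project information" section is fine, but "send patches to Colin Walters" would be more useful with a note on the expected format (git-format-patch or similar); as written the reader has to guess.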
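Review bot: in the second hunk (@@ -17,13 +27,27 @@), the IMPORTANT NOTE names the risk (local, authenticated denial of service via bind mounts that "currently have no resource controls") and says the mitigation is to make the tool "only executable by certain users", but it never points at how to do that, even though the same README lists the two install modes ("1) uwsr-xr-x root:root - Executable by everyone" and "2) uwsr-x--- root:somegroup - Executable only by somegroup"). Add a sentence such as "See 'Installation' below; use mode 2 (executable only by somegroup)" so the warning and the mitigation are tied together, and consider stating in the note itself that mode 1 is the configuration it warns about. Two smaller points: "Installing this tool accessible to all users" reads awkwardly; "Installing this tool so that it is executable by all users" is clearer and matches the mitigation sentence. And "This restriction is typically irrelevant for build systems" would be more precise as "Build systems typically do not need to run setuid binaries", since the restriction does apply, it just does not usually matter.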
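Review bot: in the third hunk (@@ -75,4 +99,3 @@), the only change is dropping the trailing blank line, which is fine, but the surrounding context uses the mode notation "uwsr-xr-x" and "uwsr-x---", which is not the form that ls -l prints ("-rwsr-xr-x" and "-rwsr-x---") and is easy to misread as a typo. Since the Security section now relies on mode 2 as its mitigation, it is worth correcting the notation here so the reader can verify the installed mode against ls -l output, and naming the actual chmod/chown invocation (or install(1) flags) the project expects for mode 2.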