author: Lars Wirzenius <lars.wirzenius@codethink.co.uk> 2013-09-24 17:01:42 +0000
committer: Lars Wirzenius <lars.wirzenius@codethink.co.uk> 2013-09-24 17:01:42 +0000
commit: d25cc110f69e6e71a95b4ac532dcfc5423d4a16b (patch)
tree: d731aaa7579a46a30880eef3e36647797ad6515f /README
parent: d234ccf15a897024bb004d0f3a9a2f3b8d0976e6 (diff)
parent: 5d23708442b16138b800a4e4e9daf20eda50ba46 (diff)
download: linux-user-chroot-d25cc110f69e6e71a95b4ac532dcfc5423d4a16b.tar.gz
Merge branch 'baserock/larswirzenius/update-to-master' into baserock/morph

Reviewed-by: Jonathan Maw
Reviewed-by: Daniel Silverstone
Diffstat (limited to 'README')
-rw-r--r-- README | 43
1 files changed, 33 insertions, 10 deletions
diff --git a/README b/README
index bab4b9b..a107280 100644
--- a/README
+++ b/README
@@ -1,13 +1,23 @@
-Motivation
-----------
+Summary
+-------
+
+This tool allows regular (non-root) users to call chroot(2), create
+Linux bind mounts, and use some Linux container features. It's
+primarily intended for use by build systems.
+
+Project information
+-------------------
-It's really useful for build systems to be able to call chroot(2) as a
-regular (non-root) user.
+There's no web page yet; send patches to
+Colin Walters <walters@verbum.org>
-First, it ensures that the build isn't picking up files it shouldn't
-be. This helps avoid the problem of "host contamination", where
-e.g. we want libfoo.h from inside our root, not the one outside the
-root.
+Why is this useful?
+-------------------
+
+For build systems, being inside a chroot ensures that the build isn't
+picking up files it shouldn't be. This helps avoid the problem of
+"host contamination", where e.g. we want libfoo.h from inside our
+root, not the one outside the root.
Second, it helps avoid the fragility inherent in having to set up a
large set of environment variables pointing to our root (e.g. PATH,
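Review bot: the new "Project information" section is missing the blank line between its underline and the body text, so the result reads "-------------------" immediately followed by "There's no web page yet;", unlike the "Summary" and "Why is this useful?" sections, which both put a blank line after the underline; add one for consistency. Also, the Summary's "use some Linux container features" is vague for a tool whose whole purpose is a narrow set of privileged operations; since the README has an "Abilities granted" section, either name the features here (e.g. "create new mount and network namespaces") or point the reader at that section.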
@@ -17,13 +27,27 @@ the same as it normally is (/bin:/usr/bin).
Security
--------
+**** IMPORTANT NOTE ****
+
+Installing this tool accessible to all users significantly increases
+their ability to perform local, authenticated denial of service
+attacks. The intended mitigation against this is to ensure the tool
+is only executable by certain users.
+
+**** IMPORTANT NOTE ****
+
The historical reason Unix doesn't allow chroot(2) as non-root is
because of setuid binaries. It's trivial to use chroot to create a
hostile environment, then execute a setuid binary to subvert it.
This tool closes that historical hole by simply disallowing privilege
gain by execution of setuid binaries. It creates a "nosuid" bind
-mount over "/".
+mount over "/". This restriction is typically irrelevant for build
+systems.
+
+However, this tool also allows creating bind mounts, which currently
+have no resource controls. This is why this tool is not intended to
+be installed by default.
Abilities granted
-----------------
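Review bot: the IMPORTANT NOTE asserts a local denial-of-service risk and prescribes restricting who may execute the binary, but leaves the reader to infer both halves from later text: the actual DoS vector (bind mounts "currently have no resource controls") is only stated three paragraphs down, and the concrete mitigation (install mode 2, "uwsr-x--- root:somegroup") lives in the installation section at the end of the file. Suggest tying them together inside the boxed note, e.g. "because bind mounts created through this tool have no resource limits, a user can exhaust kernel mount resources; install it executable only by a trusted group, see the installation modes below." Minor: "It's trivial to use chroot to create a hostile environment" is kept from the old text and is fine, but "This restriction is typically irrelevant for build systems" would read better as "Build systems rarely need setuid binaries inside the chroot, so this restriction typically does not affect them."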
@@ -75,4 +99,3 @@ This binary can be installed in two modes:
1) uwsr-xr-x root:root - Executable by everyone
2) uwsr-x--- root:somegroup - Executable only by somegroup
-
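Review bot: the only change in this hunk is dropping the trailing blank line at end of file, which is fine. Separately, the permission strings in the context lines, "uwsr-xr-x" and "uwsr-x---", do not match the ls -l rendering of a setuid binary ("-rwsr-xr-x" and "-rwsr-x---"); if the leading "u" is a typo for "-", fix it, and consider adding the numeric modes (4755 and 4750) so the install instructions are unambiguous.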