Diffstat (limited to 'README')
-rw-r--r--  README  43
1 files changed, 33 insertions, 10 deletions
diff --git a/README b/README
index bab4b9b..a107280 100644
--- a/README
+++ b/README
@@ -1,13 +1,23 @@
-Motivation
-----------
+Summary
+-------
+
+This tool allows regular (non-root) users to call chroot(2), create
+Linux bind mounts, and use some Linux container features. It's
+primarily intended for use by build systems.
+
+Project information
+-------------------
-It's really useful for build systems to be able to call chroot(2) as a
-regular (non-root) user.
+There's no web page yet; send patches to
+Colin Walters <walters@verbum.org>
-First, it ensures that the build isn't picking up files it shouldn't
-be. This helps avoid the problem of "host contamination", where
-e.g. we want libfoo.h from inside our root, not the one outside the
-root.
+Why is this useful?
+-------------------
+
+For build systems, being inside a chroot ensures that the build isn't
+picking up files it shouldn't be. This helps avoid the problem of
+"host contamination", where e.g. we want libfoo.h from inside our
+root, not the one outside the root.
Second, it helps avoid the fragility inherent in having to set up a
large set of environment variables pointing to our root (e.g. PATH,
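Review bot: the rewritten "Why is this useful?" paragraph drops the "First," that the old text opened with, but the unchanged context line that follows still begins "Second, it helps avoid the fragility ...", so the enumeration now has a second point and no first. Either open the new paragraph with "First, for build systems, ..." or drop "Second," from the following paragraph. Separately, the new Summary says non-root users can "use some Linux container features" without saying which; a pointer to the "Abilities granted" section that already exists below would keep the summary precise.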
@@ -17,13 +27,27 @@ the same as it normally is (/bin:/usr/bin).
Security
--------
+**** IMPORTANT NOTE ****
+
+Installing this tool accessible to all users significantly increases
+their ability to perform local, authenticated denial of service
+attacks. The intended mitigation against this is to ensure the tool
+is only executable by certain users.
+
+**** IMPORTANT NOTE ****
+
The historical reason Unix doesn't allow chroot(2) as non-root is
because of setuid binaries. It's trivial to use chroot to create a
hostile environment, then execute a setuid binary to subvert it.
This tool closes that historical hole by simply disallowing privilege
gain by execution of setuid binaries. It creates a "nosuid" bind
-mount over "/".
+mount over "/". This restriction is typically irrelevant for build
+systems.
+
+However, this tool also allows creating bind mounts, which currently
+have no resource controls. This is why this tool is not intended to
+be installed by default.
Abilities granted
-----------------
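Review bot: the new IMPORTANT NOTE warns of local, authenticated denial of service without saying why, and its mitigation ("only executable by certain users") stays abstract; the reason appears only two paragraphs later ("this tool also allows creating bind mounts, which currently have no resource controls"), and the concrete mechanism is install mode 2 ("uwsr-x--- root:somegroup") at the end of the file. Suggest moving the bind-mount sentence into the boxed note and replacing the mitigation sentence with a direct reference to that install mode, so a packager who reads only the note learns both the vector and the fix. Minor: in "This restriction is typically irrelevant for build systems", spelling out "the loss of setuid execution" would make clear which restriction is meant.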
@@ -75,4 +99,3 @@ This binary can be installed in two modes:
1) uwsr-xr-x root:root - Executable by everyone
2) uwsr-x--- root:somegroup - Executable only by somegroup
-
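Review bot: the mode strings in the context lines, "uwsr-xr-x" and "uwsr-x---", look like typos for "rwsr-xr-x" and "rwsr-x---" (the ls(1) rendering of a setuid-root binary), and since the Security section above now relies on mode 2 as the mitigation, they are worth correcting in the same commit; the only change in this hunk, dropping the trailing blank line, is fine.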