Commit 14e885f2 authored by Colin Walters

docs: Add README.newnet, tweak README a bit

parent c7dd5aea
......@@ -67,3 +67,12 @@ $ linux-user-chroot --unshare-pid --unshare-net --unshare-pid \
Here we're creating a bind mount inside the chroot to outside. This
helps avoid copying files around.
This binary can be installed in two modes:
1) uwsr-xr-x root:root - Executable by everyone
2) uwsr-x--- root:somegroup - Executable only by somegroup
newnet helper
This is an optional helper program that simply allows calling
CLONE_NEWNET and executing a child process. The reason this program
exists as an option is because on some Linux kernel configurations
(e.g. with the netfilter kernel module loaded), it's expensive to
create new network namespaces, and it may actually fail.
linux-user-chroot is intended to create namespaces quite dynamically,
but this conflicts somewhat with the goals of the developers who
contributed the functionality for typically more static "containers".
If you don't need this helper as a workaround, don't build it.
This helper program does NOT restrict further execution of setuid
binaries. Otherwise, you couldn't run linux-user-chroot inside of it,
and that would defeat the point.
However I don't believe the attack surface exposed by making an empty
network namespace is very high - it does mean that e.g. one could make
"sudo" fail to look up the username if it's configured to use LDAP.
But most setuid programs *should* be carefully checking errors
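Review bot: the caveat starting "This helper program does NOT restrict further execution of setuid binaries" should state outright what the helper's trust boundary is: whether it is itself installed setuid (the README text above lists the setuid install modes for linux-user-chroot, but says nothing about the helper's own mode), and that once a child runs inside the empty network namespace it can exec any setuid binary on the system, not only linux-user-chroot, because no restriction is applied on purpose. As written, the reader has to infer both from the sudo/LDAP example. Two smaller points in the same hunk: the install modes `uwsr-xr-x root:root` and `uwsr-x--- root:somegroup` are not in ls(1) form; `-rwsr-xr-x` / `-rwsr-x---` (or octal 4755 / 4750) would be unambiguous. And the closing paragraph stops mid-sentence at "carefully checking errors", so the argument that well-written setuid programs fail closed when name lookups break is never actually made; either finish the sentence or drop the paragraph.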
......@@ -31,7 +31,7 @@ AM_CONDITIONAL(HAVE_XSLTPROC, test x"$XSLTPROC" != x)
[build newnet helper]),,
[build newnet helper (see README.newnet)]),,
AM_CONDITIONAL(BUILD_NEWNET_HELPER, test x$enable_newnet_helper = xyes)
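Review bot: the new help string points users at README.newnet, but this commit does not show README.newnet being added to EXTRA_DIST or a dist_doc_DATA list in Makefile.am, so unless that was done elsewhere a `make dist` tarball will carry a `--enable-newnet-helper` help line referring to a file that is not in the distribution. Add the file to Makefile.am in the same change so the reference and the document ship together.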