Commit 89e30f02 authored by Colin Walters

README: Improve

parent c689880f
Motivation Summary
---------- -------
This tool allows regular (non-root) users to call chroot(2), create
Linux bind mounts, and use some Linux container features. It's
primarily intended for use by build systems.
Project information
-------------------
It's really useful for build systems to be able to call chroot(2) as a There's no web page yet; send patches to
regular (non-root) user. Colin Walters <walters@verbum.org>
First, it ensures that the build isn't picking up files it shouldn't Why is this useful?
be. This helps avoid the problem of "host contamination", where -------------------
e.g. we want libfoo.h from inside our root, not the one outside the
root. For build systems, being inside a chroot ensures that the build isn't
picking up files it shouldn't be. This helps avoid the problem of
"host contamination", where e.g. we want libfoo.h from inside our
root, not the one outside the root.
Second, it helps avoid the fragility inherent in having to set up a Second, it helps avoid the fragility inherent in having to set up a
large set of environment variables pointing to our root (e.g. PATH, large set of environment variables pointing to our root (e.g. PATH,
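Review bot: the rewritten "Why is this useful?" section drops the "First," lead-in from its opening paragraph ("For build systems, being inside a chroot ensures that the build isn't picking up files it shouldn't be.") but the following paragraph still opens with "Second, it helps avoid the fragility inherent in having to set up a large set of environment variables", so the enumeration now has a second point without a first. Either restore "First," at the start of the new paragraph or reword the next one to "It also helps avoid the fragility...". The new Summary also says the tool lets users "use some Linux container features" without saying which ones; a pointer to the "Abilities granted" section below would tell a reader exactly what is being exposed to non-root users.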
...@@ -17,13 +27,27 @@ the same as it normally is (/bin:/usr/bin). ...@@ -17,13 +27,27 @@ the same as it normally is (/bin:/usr/bin).
Security Security
-------- --------
**** IMPORTANT NOTE ****
Installing this tool accessible to all users significantly increases
their ability to perform local, authenticated denial of service
attacks. The intended mitigation against this is to ensure the tool
is only executable by certain users.
**** IMPORTANT NOTE ****
The historical reason Unix doesn't allow chroot(2) as non-root is The historical reason Unix doesn't allow chroot(2) as non-root is
because of setuid binaries. It's trivial to use chroot to create a because of setuid binaries. It's trivial to use chroot to create a
hostile environment, then execute a setuid binary to subvert it. hostile environment, then execute a setuid binary to subvert it.
This tool closes that historical hole by simply disallowing privilege This tool closes that historical hole by simply disallowing privilege
gain by execution of setuid binaries. It creates a "nosuid" bind gain by execution of setuid binaries. It creates a "nosuid" bind
mount over "/". mount over "/". This restriction is typically irrelevant for build
systems.
However, this tool also allows creating bind mounts, which currently
have no resource controls. This is why this tool is not intended to
be installed by default.
Abilities granted Abilities granted
----------------- -----------------
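Review bot: the IMPORTANT NOTE tells an administrator that installing the tool for all users "significantly increases their ability to perform local, authenticated denial of service attacks" and to restrict who may execute it, but it never says what the exposure is; the explanation only appears three paragraphs lower ("this tool also allows creating bind mounts, which currently have no resource controls"). Move that sentence into the note, or at least name the bind-mount mechanism there, so the reader sees the risk at the point where the mitigation is prescribed. The nosuid paragraph says the tool "creates a 'nosuid' bind mount over '/'", yet the same section says the tool lets the caller create further bind mounts; state whether those are forced nosuid as well, otherwise the reader cannot tell whether the setuid hole is closed for the whole tree or only for the root mount. Since the nosuid mount flag on Linux also causes file capabilities to be ignored, a clause saying so would make clear that both routes to privilege gain on exec are covered.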
...@@ -75,4 +99,3 @@ This binary can be installed in two modes: ...@@ -75,4 +99,3 @@ This binary can be installed in two modes:
1) uwsr-xr-x root:root - Executable by everyone 1) uwsr-xr-x root:root - Executable by everyone
2) uwsr-x--- root:somegroup - Executable only by somegroup 2) uwsr-x--- root:somegroup - Executable only by somegroup
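Review bot: the mode strings "uwsr-xr-x" and "uwsr-x---" are not valid ls -l output; the first column is the file type, so these should read "-rwsr-xr-x" and "-rwsr-x---" (or 4755 and 4750 in octal, which is what an installer would actually pass to chmod). Also, the Security section added in this same commit says the intended mitigation is to make the tool executable only by certain users, so mode 1 ("Executable by everyone") should be marked as the discouraged option here rather than listed neutrally first, with a cross-reference to that note.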