[linux-user-chroot] docs: Add README.newnet, tweak README a bit



commit 14e885f2b1dc2a54b54d07b267274a0b254610da
Author: Colin Walters <walters verbum org>
Date:   Tue Mar 13 14:18:45 2012 -0400

    docs: Add README.newnet, tweak README a bit

 README        |    9 +++++++++
 README.newnet |   29 +++++++++++++++++++++++++++++
 configure.ac  |    2 +-
 3 files changed, 39 insertions(+), 1 deletions(-)
---
diff --git a/README b/README
index 5483785..bab4b9b 100644
--- a/README
+++ b/README
@@ -67,3 +67,12 @@ $ linux-user-chroot --unshare-pid --unshare-net --unshare-pid \
 
 Here we're creating a bind mount inside the chroot to outside.  This
 helps avoid copying files around.
+
+Installing
+----------
+
+This binary can be installed in two modes:
+
+1) uwsr-xr-x  root:root - Executable by everyone
+2) uwsr-x---  root:somegroup - Executable only by somegroup
+
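Review bot: the two permission strings in the new Installing section, "uwsr-xr-x" and "uwsr-x---", are not valid mode strings; for a setuid-root binary the ls(1) forms are "-rwsr-xr-x" (octal 4755) and "-rwsr-x---" (octal 4750), and the text should say so in octal, since that is what packagers type. It would also help to state the reason mode 2 exists: a setuid-root binary that every local user can run exposes any future bug in it to every local user, while root:somegroup with no world-execute bit confines that exposure to members of somegroup. A concrete command would remove the guesswork, e.g. `install -m 4750 -o root -g somegroup linux-user-chroot /usr/bin/`. Unrelated to the lines added here, the example in the preceding context passes `--unshare-pid` twice.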
diff --git a/README.newnet b/README.newnet
new file mode 100644
index 0000000..2c247ec
--- /dev/null
+++ b/README.newnet
@@ -0,0 +1,29 @@
+newnet helper
+-------------
+
+This is an optional helper program that simply allows calling
+CLONE_NEWNET and executing a child process.  The reason this program
+exists as an option is because on some Linux kernel configurations
+(e.g. with the netfilter kernel module loaded), it's expensive to
+create new network namespaces, and it may actually fail.
+
+linux-user-chroot is intended to create namespaces quite dynamically,
+but this conflicts somewhat with the goals of the developers who
+contributed the functionality for typically more static "containers".
+
+If you don't need this helper as a workaround, don't build it.
+
+Caveat
+------
+
+This helper program does NOT restrict further execution of setuid
+binaries.  Otherwise, you couldn't run linux-user-chroot inside of it,
+and that would defeat the point.
+
+However I don't believe the attack surface exposed by making an empty
+network namespace is very high - it does mean that e.g. one could make
+"sudo" fail to look up the username if it's configured to use LDAP.
+
+But most setuid programs *should* be carefully checking errors
+anyways.
+
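Review bot: the Caveat section states that the helper does not block further setuid execution, but README.newnet never states the privilege model that makes this matter. CLONE_NEWNET needs CAP_SYS_ADMIN, so the helper must itself run as setuid root (or with that capability); the document should say which of the two install modes from README it is meant to use, whether it drops privileges back to the real uid before executing the child, and what the command line looks like. Without that, "simply allows calling CLONE_NEWNET and executing a child process" leaves the reader unable to judge the "attack surface exposed by making an empty network namespace". The sudo/LDAP example is a good illustration but it is presented as a one-off; the general statement is that any setuid program whose decisions depend on a network lookup (NSS over LDAP or NIS, Kerberos, remote syslog) now sees a network with no interfaces, and "most setuid programs *should* be carefully checking errors anyways" is a hope rather than a property the helper provides. Suggest saying that plainly and recommending the group-restricted install mode for the helper. Minor wording: "the goals of the developers who contributed the functionality for typically more static "containers"" reads awkwardly; "the goals of the developers who contributed this functionality for more static "container" use" is clearer.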
diff --git a/configure.ac b/configure.ac
index 20c992b..0a51ee8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -31,7 +31,7 @@ AM_CONDITIONAL(HAVE_XSLTPROC, test x"$XSLTPROC" != x)
 
 AC_ARG_ENABLE(newnet-helper,
               AC_HELP_STRING([--enable-newnet-helper],
-                             [build newnet helper]),,
+                             [build newnet helper (see README.newnet)]),,
               enable_newnet_helper=no)
 AM_CONDITIONAL(BUILD_NEWNET_HELPER, test x$enable_newnet_helper = xyes)
 
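Review bot: AC_HELP_STRING is listed as an obsolete macro in the autoconf manual, replaced by AS_HELP_STRING; since this line is being edited anyway, switch to `AS_HELP_STRING([--enable-newnet-helper], [build newnet helper (see README.newnet)])`. The added cross-reference to README.newnet itself is a good change, given that the help text is the only place a builder will see the option.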


