forked from josch/mmdebstrap
improve documentation of unshare mode
This commit is contained in:
parent
02769190ad
commit
46fc269b54
1 changed files with 22 additions and 6 deletions
28
mmdebstrap
28
mmdebstrap
|
@ -6649,14 +6649,30 @@ needs to be able to mount and thus requires C<SYS_CAP_ADMIN>.
|
|||
|
||||
=item B<unshare>
|
||||
|
||||
This mode uses Linux user namespaces to allow unprivileged use of chroot and
|
||||
creation of files that appear to be owned by the superuser inside the unshared
|
||||
namespace. A tarball created in this mode should be bit-by-bit identical to a
|
||||
tarball created with the B<root> mode.
|
||||
When used as a normal (not root) user, this mode uses Linux user namespaces to
|
||||
allow unprivileged use of chroot and creation of files that appear to be owned
|
||||
by the superuser inside the unshared namespace. A tarball created in this mode
|
||||
will be bit-by-bit identical to a tarball created with the B<root> mode. With
|
||||
this mode, the only binaries that will run as the root user will be
|
||||
B<newuidmap(1)> and B<newgidmap(1)> via their setuid bit. Running those
|
||||
successfully requires F</etc/subuid> and F</etc/subgid> to have an entry for
|
||||
your username. This entry was usually created by B<adduser(8)> already.
|
||||
|
||||
The unshared user will not automatically have access to the same files as you
|
||||
do. This is intentional and an additional security against unintended changes
|
||||
to your files that could theoretically result from running B<mmdebstrap> and
|
||||
package maintainer scripts. To copy files in and out of the chroot, either use
|
||||
globally readable or writable directories or use special hooks like B<copy-in>
|
||||
and B<copy-out>.
|
||||
|
||||
Besides the user namespace, the mount, pid (process ids), uts (hostname) and
|
||||
ipc namespaces will be unshared as well. See the man pages of B<namespaces(7)>
|
||||
and B<unshare(2)> as well as the manual pages they are linking to.
|
||||
|
||||
A directory chroot created with this mode will end up with wrong ownership
|
||||
information. For correct ownership information, the directory must be accessed
|
||||
from a user namespace with the right subuid/subgid offset, like so:
|
||||
information (seen from outside the unshared user namespace). For correct
|
||||
ownership information, the directory must be accessed from a user namespace
|
||||
with the right subuid/subgid offset, like so:
|
||||
|
||||
$ lxc-usernsexec -- lxc-unshare -s 'MOUNT|PID|UTSNAME|IPC' -- \
|
||||
> /usr/sbin/chroot ./debian-rootfs /bin/bash
|
||||
|
|
Loading…
Reference in a new issue