improve documentation of unshare mode

This commit is contained in:
Johannes Schauer Marin Rodrigues 2023-02-14 22:00:19 +01:00
parent 02769190ad
commit 46fc269b54
Signed by: josch
GPG key ID: F2CBA5C78FBD83E1

@ -6649,14 +6649,30 @@ needs to be able to mount and thus requires C<SYS_CAP_ADMIN>.
=item B<unshare> =item B<unshare>
This mode uses Linux user namespaces to allow unprivileged use of chroot and When used as a normal (not root) user, this mode uses Linux user namespaces to
creation of files that appear to be owned by the superuser inside the unshared allow unprivileged use of chroot and creation of files that appear to be owned
namespace. A tarball created in this mode should be bit-by-bit identical to a by the superuser inside the unshared namespace. A tarball created in this mode
tarball created with the B<root> mode. will be bit-by-bit identical to a tarball created with the B<root> mode. With
this mode, the only binaries that will run as the root user will be
B<newuidmap(1)> and B<newgidmap(1)> via their setuid bit. Running those
successfully requires F</etc/subuid> and F</etc/subgid> to have an entry for
your username. This entry was usually created by B<adduser(8)> already.
The unshared user will not automatically have access to the same files as you
do. This is intentional and an additional security against unintended changes
to your files that could theoretically result from running B<mmdebstrap> and
package maintainer scripts. To copy files in and out of the chroot, either use
globally readable or writable directories or use special hooks like B<copy-in>
and B<copy-out>.
Besides the user namespace, the mount, pid (process ids), uts (hostname) and
ipc namespaces will be unshared as well. See the man pages of B<namespaces(7)>
and B<unshare(2)> as well as the manual pages they are linking to.
A directory chroot created with this mode will end up with wrong ownership A directory chroot created with this mode will end up with wrong ownership
information. For correct ownership information, the directory must be accessed information (seen from outside the unshared user namespace). For correct
from a user namespace with the right subuid/subgid offset, like so: ownership information, the directory must be accessed from a user namespace
with the right subuid/subgid offset, like so:
$ lxc-usernsexec -- lxc-unshare -s 'MOUNT|PID|UTSNAME|IPC' -- \ $ lxc-usernsexec -- lxc-unshare -s 'MOUNT|PID|UTSNAME|IPC' -- \
> /usr/sbin/chroot ./debian-rootfs /bin/bash > /usr/sbin/chroot ./debian-rootfs /bin/bash
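Review bot: The new paragraph on F</etc/subuid> and F</etc/subgid> says the entry "was usually created by B<adduser(8)> already" but gives the reader no way to confirm that before B<newuidmap(1)> and B<newgidmap(1)> fail; add a one-line check next to that sentence, e.g. `grep "^$(id -un):" /etc/subuid /etc/subgid`, so the precondition can be verified up front. Two smaller points in the same hunk: the namespace paragraph lists user, mount, pid, uts and ipc but says nothing about the network namespace, so state explicitly whether it stays shared with the host rather than leaving the reader to infer it from the list; and the unchanged context in the hunk header reads C<SYS_CAP_ADMIN>, which should be C<CAP_SYS_ADMIN> (the Linux capability name), worth fixing while this section is being edited. Style: "an additional security against unintended changes" reads better as "an additional safeguard against unintended changes".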