runsc: Run sandbox as user nobody.

When starting a sandbox without direct file or network access, we create an
empty user namespace and run the sandbox in there.  However, the root user in
that namespace is still mapped to the root user in the parent namespace.

This CL maps the "nobody" user from the parent namespace into the child
namespace, and runs the sandbox process as user "nobody" inside the new
namespace.

PiperOrigin-RevId: 211572223
Change-Id: I1b1f9b1a86c0b4e7e5ca7bc93be7d4887678bab6

1 files changed, 4 insertions, 3 deletions

diff --git a/README.md b/README.md
index 4ec83ab0c..d85948ce5 100644
--- a/README.md
+++ b/README.md
@@ -179,14 +179,15 @@ here:
 `https://storage.googleapis.com/gvisor/releases/nightly/${yyyy-mm-dd}/runsc.sha512`
 
 **It is important to copy this binary to some place that is accessible to all
-users**, since `runsc` executes itself as user `nobody` to avoid unnecessary
-privileges. The `/usr/local/bin` directory is a good choice.
+users, and make is executable to all users**, since `runsc` executes itself as
+user `nobody` to avoid unnecessary privileges. The `/usr/local/bin` directory is
+a good place to put the `runsc` binary.
 
 ```
 wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc
 wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc.sha512
 sha512sum -c runsc.sha512
-chmod +x runsc
+chmod a+x runsc
 sudo mv runsc /usr/local/bin
 ```