Mailing List Archive

Secure chroot (was: Re: Wine with no-multilib on AMD64)
On Tuesday, 16 March 2010 12:22:56, Alex Alexander wrote:
> On Tue, Mar 16, 2010 at 10:23:06AM +0100, Sebastian Beßler wrote:
> > On 16.03.2010 02:56, Duncan wrote:
> > > I posted the link to the guide in the doomsday thread pretty much
> > > concurrently to the discussion here, but for convenience, here's the
> > > link:
> > >
> > > http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2
> >
> > What I don't like with this guide is that you have to be root to chroot
> > into and run the applications as root inside of the chroot.
>
> You don't need to be root in the chroot to run applications. Just create
> a user in the chroot and switch:
>
> su - youruser

That is not really a solution, because all it needs to be root again is a
simple exit. And chroot-root can break out of the chroot without problem.

And you still need to be root to enter the chroot so you must always type in
your root password to start a simple app, even if you drop root inside the
chroot. So this is nothing more than a really fragile hack, to me at least.

Greetings

Sebastian
Re: Secure chroot (was: Re: Wine with no-multilib on AMD64)
Sebastian Beßler posted on Tue, 16 Mar 2010 13:27:46 +0100 as excerpted:

> That is not really a solution, because all it needs to be root again is a
> simple exit. And chroot-root can break out of the chroot without
> problem.

See the chroot --userspec option in its manpage...

> And you still need to be root to enter the chroot so you must always
> type in your root password to start a simple app, even if you drop root
> inside the chroot.

Not if you have sudo configured properly. Then the user uses their normal
password, or none, if sudo is set for no password verification for that
command. And since sudo is configurable per command including the passed
parameters, it's possible to specifically allow only the single command

"sudo linux32 chroot --userspec=xxx:yyy /mnt/point /bin/bash"

... and to configure it to require, or not require, entering the user
password, as desired. (FWIW, sudo can also be configured to require the
changed /to/ user's password, instead of the changed /from/ user's
password, so to require root's password here since it's root we're
changing to, to do the chroot, but that's a global setting that would
apply to all sudo usage on the system, while the require a password or not
setting is per configured allowed command or group of commands.)

> So this is nothing more than a really fragile hack, to me at least.

I won't argue that it's not a hack, but it isn't really more so, or more
fragile, IMO, than the whole multilib thing. And it does keep the 32-bit
and 64-bit sides better separated. So pick your hack. =:^)

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
Re: Secure chroot (was: Re: Wine with no-multilib on AMD64)
On Tue, Mar 16, 2010 at 01:27:46PM +0100, Sebastian Beßler wrote:
> On Tuesday, 16 March 2010 12:22:56, Alex Alexander wrote:
> > On Tue, Mar 16, 2010 at 10:23:06AM +0100, Sebastian Beßler wrote:
> > > On 16.03.2010 02:56, Duncan wrote:
> > > > I posted the link to the guide in the doomsday thread pretty much
> > > > concurrently to the discussion here, but for convenience, here's the
> > > > link:
> > > >
> > > > http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2
> > >
> > > What I don't like with this guide is that you have to be root to chroot
> > > into and run the applications as root inside of the chroot.
> >
> > You don't need to be root in the chroot to run applications. Just create
> > a user in the chroot and switch:
> >
> > su - youruser
>
> That is not really a solution, because all it needs to be root again is a
> simple exit. And chroot-root can break out of the chroot without problem.
>
> And you still need to be root to enter the chroot so you must always type in
> your root password to start a simple app, even if you drop root inside the
> chroot. So this is nothing more than a really fragile hack, to me at least.
>
> Greetings
>
> Sebastian

I have a script that runs su - wired and I run that instead of /bin/bash
(in my chroot script after all the necessary mounting, of course)

sudo chroot my_chroot /usr/local/bin/init_chroot_wired

that script ends with an "exit"

### /usr/local/bin/init_chroot_wired in my chroot ###

#!/bin/bash
env-update
source /etc/profile
su - wired
exit

so when I exit the chroot it dies instead of dropping me to the root
chroot shell.

--
Alex Alexander :: wired
Gentoo Developer
www.linuxized.com
Re: Re: Secure chroot (was: Re: Wine with no-multilib on AMD64)
On Tuesday, 16 March 2010 14:25:46, Duncan wrote:

> I won't argue that it's not a hack, but it isn't really more so, or more
> fragile, IMO, than the whole multilib thing. And it does keep the 32-bit
> and 64-bit sides better separated. So pick your hack. =:^)

With hack I had "su - youruser" in mind.

Your way looks quite nice, I will look into it when I am back home.
Btw. the Ubuntu manpage of chroot (at work I use Ubuntu) does not mention
--userspec (or maybe I am still too dumb to use man ;-)

Alex's tip is interesting too, thx for that.

Greetings

Sebastian
Re: Secure chroot (was: Re: Wine with no-multilib on AMD64)
Sebastian Beßler posted on Tue, 16 Mar 2010 17:24:55 +0100 as excerpted:

> Your way looks quite nice, I will look into it when I am back home. Btw.
> the Ubuntu manpage of chroot (at work I use Ubuntu) does not mention
> --userspec (or maybe I am still too dumb to use man ;-)

It's possible the --userspec option is relatively new to chroot, tho I'd
not expect so. FWIW I'm using ~amd64, so have newer versions of a lot of
packages than stable will.

It's also possible that ubuntu is using an old (or possibly POSIX-only)
manpage. What does chroot --help list? Here, --userspec is the first
option listed (the other one besides help and version being --groups,
which takes a list of supplementary groups that the user will appear in,
while in the chroot).

One thing that's unclear to me is whether the userspec and groups
parameters use the IDs from the running system or the chroot, tho I
suspect it's the running system (I started with the same passwd, etc files
in both, here, because as I said I need a full config for my usage and
that was most convenient).

I did notice that I had to use the actual UID:GID numbers, altho the
manpage said names should work too. I figured that was due to some
vagaries of configuration, but finding and using the numbers was no big
deal, so I didn't worry about it.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
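
An added example (not written by anyone in this thread): a POSIX shell helper that reads the numeric UID:GID from the chroot's own etc/passwd, so --userspec does not depend on which passwd file resolves a name, refuses IDs of 0, and prints the command plus a sudoers rule that allows exactly that command. The binary paths, the host user name and the sample passwd entries are assumptions.

```shell
#!/bin/sh
# Added example. Binary paths are assumptions; adjust to the host.
LINUX32=${LINUX32:-/usr/bin/linux32}
CHROOT_BIN=${CHROOT_BIN:-/usr/bin/chroot}

# chroot_ids DIR USER: print "uid:gid" taken from DIR/etc/passwd.
# Fails for an unknown user, a malformed entry, or uid/gid 0.
chroot_ids() {
    [ -r "$1/etc/passwd" ] || return 1
    ids=$(awk -F: -v u="$2" '$1 == u { print $3 ":" $4; exit }' "$1/etc/passwd")
    case $ids in
        '' | *[!0-9:]* | :* | *:) return 1 ;;
    esac
    # uid or gid 0 would leave the process privileged inside the chroot
    [ "${ids%%:*}" -ne 0 ] && [ "${ids##*:}" -ne 0 ] || return 1
    printf '%s\n' "$ids"
}

# chroot_cmd DIR USER: print the command line to run through sudo.
chroot_cmd() {
    ids=$(chroot_ids "$1" "$2") || return 1
    printf '%s %s --userspec=%s %s /bin/bash\n' \
        "$LINUX32" "$CHROOT_BIN" "$ids" "$1"
}

# sudoers_rule DIR USER HOSTUSER: print a rule allowing only that command.
# sudoers requires ',', ':', '=' and '\' in command arguments to be escaped.
# Put "NOPASSWD:" before the command path to skip the password prompt.
sudoers_rule() {
    ids=$(chroot_ids "$1" "$2") || return 1
    args=$(printf '%s' "--userspec=$ids $1 /bin/bash" | sed 's/[,:=\\]/\\&/g')
    printf '%s ALL=(root) %s %s %s\n' "$3" "$LINUX32" "$CHROOT_BIN" "$args"
}

# Constructed sample tree (not from the thread) so the example runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'wired:x:1000:1000::/home/wired:/bin/bash' > "$demo/etc/passwd"
chroot_cmd "$demo" wired
sudoers_rule "$demo" wired youruser
chroot_cmd "$demo" root || echo "refused: root maps to uid 0"
rm -rf "$demo"
```

Add the printed rule with visudo, which checks the syntax before saving.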
Re: Re: Secure chroot (was: Re: Wine with no-multilib on AMD64)
On Tue, 16 Mar 2010 23:38:49 +0000 (UTC)
Duncan wrote -
>
> It's possible the --userspec option is relatively new to chroot, tho I'd
> not expect so. FWIW I'm using ~amd64, so have newer versions of a lot of
> packages than stable will.

Ubuntu Karmic Koala provides coreutils-7.4 which does not have --userspec
Gentoo stable provides -7.5 which does have it
Gentoo unstable provides -8.4

Dave F