Nikos Chantziaras posted on Tue, 16 Mar 2010 13:01:38 +0200 as excerpted:

> On 03/16/2010 11:23 AM, Sebastian Beßler wrote:
>> On 16.03.2010 02:56, Duncan wrote:
>>
>>> I posted the link to the guide in the doomsday thread pretty much
>>> concurrently to the discussion here, but for convenience, here's the
>>> link:
>>>
>>> http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2
>>
>> What I don't like with this guide is that you have to be root to chroot
>> into and run the applications as root inside of the chroot.
>
> Wait a minute. You're telling me that all the people who posted that
> they use chroot in order to have a "clean 64bit" system are actually
> running all their 32bit applications as root and still consider the
> chroot a viable alternative to multilib?
>
> I have only one word to describe this:
>
> PHAIL.

Actually, neither the invoking nor the invoked side are root here. Here's
how I handle it.

1) I use chroot's --userspec=UID:GID option so I end up as the specified
user -- not root -- in the chroot. The guide doesn't mention this,
unfortunately, but the chroot manpage does, and when I got tired of su-ing
back to a normal user, it was easy enough to look up, and then to change my
invoking scripts accordingly. =:^)

2) On the invoking side, I have sudo set up to authorize the specific
linux32 chroot command used, so while it's executed as root, the user
never sees it, and sudo can be set to only allow that specific command
with those specific parameters (including the --userspec bit), so that
bit's reasonably locked down.

3) Since the allowed command is a fixed string of some length, it makes
sense to set up either a scriptlet or an alias, invoked with a much shorter
command. Since in my case, the chroot is the image for my Acer Aspire One
netbook, I use the scriptlet name "aastart".

4) I also scripted the chroot setup, called "aamount", that handles all
the bind-mounts, etc., and have that invokable using sudo as well. I
separated the setup from the actual chroot entry command as it can be
useful to run multiple sessions, all in the same chroot. So I run the
setup script once, and can then run aastart multiple times as desired.
There's a similar "aaumount" script that tears down the setup, umounting
all the mount-binds, etc.

But you're right that the --userspec bit should really be documented in
the guide.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
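The four steps above (a --userspec'd chroot entry, a sudo rule pinned to that exact command line, a short scriptlet, and separate mount/umount setup) put together as one POSIX shell scriptlet. This is an added example, not Duncan's actual aastart/aamount/aaumount scripts; it assumes the chroot lives at /mnt/aa32, the unprivileged user is uid/gid 1000, linux32 is at /usr/bin/linux32, and a sudoers user named "duncan".

```shell
#!/bin/sh
# Assumed values (not from the original post): chroot path, unprivileged
# uid:gid, and the linux32 binary. DRYRUN=1 prints commands instead of running them.
CHROOT=${CHROOT:-/mnt/aa32}
USERSPEC=${USERSPEC:-1000:1000}
LINUX32=/usr/bin/linux32
DRYRUN=${DRYRUN:-0}

# run: execute a privileged command through sudo; with DRYRUN=1 only print it.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

# aamount: one-time bind-mount setup, kept separate from chroot entry so
# several sessions can share one prepared chroot.
aamount() {
    for d in proc sys dev dev/pts; do
        run mount --bind "/$d" "$CHROOT/$d"
    done
}

# aastart: enter the chroot as the unprivileged user via --userspec. This is
# the exact command string the sudoers rule below authorizes; because the
# rule fixes --userspec and the path, the caller cannot alter them.
aastart() {
    run "$LINUX32" chroot --userspec="$USERSPEC" "$CHROOT" /bin/bash -l
}

# aaumount: tear the bind mounts down again, in reverse order.
aaumount() {
    for d in dev/pts dev sys proc; do
        run umount "$CHROOT/$d"
    done
}

# sudoers_line USER: the /etc/sudoers.d entry allowing USER to run only the
# pinned aastart command (full path, --userspec and chroot path included).
sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: %s chroot --userspec=%s %s /bin/bash -l\n' \
        "$1" "$LINUX32" "$USERSPEC" "$CHROOT"
}

case "${1:-}" in
    aamount)  aamount ;;
    aastart)  aastart ;;
    aaumount) aaumount ;;
esac
```

Only the aastart rule is generated here; aamount and aaumount need their own sudoers entries for the mount and umount commands (or be authorized as whole scripts). Run with `DRYRUN=1 sh aa.sh aastart` to see the pinned command line before adding the rule.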