| 1 |
Nikos Chantziaras posted on Tue, 16 Mar 2010 13:01:38 +0200 as excerpted: |
| 2 |
|
| 3 |
> On 03/16/2010 11:23 AM, Sebastian Beßler wrote: |
| 4 |
>> Am 16.03.2010 02:56, schrieb Duncan: |
| 5 |
>> |
| 6 |
>>> I posted the link to the guide in the doomsday thread pretty much |
| 7 |
>>> concurrently to the discussion here, but for convenience, here's the |
| 8 |
>>> link: |
| 9 |
>>> |
| 10 |
>>> http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2 |
| 11 |
>> |
| 12 |
>> What I don't like with this guide is that you have to be root to chroot |
| 13 |
>> into and run the applications as root inside of the chroot. |
| 14 |
> |
| 15 |
> Wait a minute. You're telling me that all the people who posted that |
| 16 |
> they use chroot in order to have a "clean 64bit" system are actually |
| 17 |
> running all their 32bit application as root and still consider the |
| 18 |
> chroot a viable alternative to multilib? |
| 19 |
> |
| 20 |
> I have only one word to describe this: |
| 21 |
> |
| 22 |
> PHAIL. |
| 23 |
|
| 24 |
Actually, neither the invoking nor the invoked side are root here. Here's |
| 25 |
how I handle it. |
| 26 |
|
| 27 |
1) I use chroot's --userspec=UID:GID option so I end up as the specified |
| 28 |
user -- not root -- in the chroot. The guide doesn't mention this, |
| 29 |
unfortunately, but the chroot manpage does, and when I got tired of su-ing |
| 30 |
back to a normal user, it was easy enough to lookup, and then to change my |
| 31 |
invoking scripts, accordingly. =:^) |
| 32 |
|
| 33 |
2) On the invoking side, I have sudo setup to authorize the specific |
| 34 |
linux32 chroot command used, so while it's executed as root, the user |
| 35 |
never sees it, and sudo can be set to only allow that specific command |
| 36 |
with those specific parameters (including the --userspec bit), so that |
| 37 |
bit's reasonably locked down. |
| 38 |
|
| 39 |
3) Since the allowed command is a fixed string of some length, it makes |
| 40 |
sense to setup either a scriptlet or an alias, invoked with a much shorter |
| 41 |
command. Since in my case, the chroot is the image for my Acer Aspire One |
| 42 |
netbook, I use the scriptlet name "aastart". |
| 43 |
|
| 44 |
4) I also scripted the chroot setup, called "aamount", that handles all |
| 45 |
the bind-mounts, etc, and have that invokable using sudo as well. I |
| 46 |
separated the setup from the actual chroot entry command as it can be |
| 47 |
useful to run multiple sessions, all in the same chroot. So I run the |
| 48 |
setup script once, and can then run aastart multiple times as desired. |
| 49 |
There's a similar "aaumount" script that tears down the setup, umounting |
| 50 |
all the mount-binds, etc. |
| 51 |
|
| 52 |
But you're right that the --userspec bit should really be documented in |
| 53 |
the guide. |
| 54 |
|
| 55 |
-- |
| 56 |
Duncan - List replies preferred. No HTML msgs. |
| 57 |
"Every nonfree program has a lord, a master -- |
| 58 |
and if you use the program, he is your master." Richard Stallman |
Archives