From: Alex Alexander
To: gentoo-amd64@lists.gentoo.org
Date: Tue, 16 Mar 2010 15:48:20 +0200
Subject: Re: [gentoo-amd64] Secure chroot (was: Re: Wine with no-multilib on AMD64)
Message-ID: <20100316134819.GB14328@fury.skynet>
In-Reply-To: <201003161327.47162.sebastian@darkmetatron.de>
References: <20100313141534.GA7803@mars.lan> <4B9F4DFA.6000904@darkmetatron.de> <20100316112256.GA14328@fury.skynet> <201003161327.47162.sebastian@darkmetatron.de>

On Tue, Mar 16, 2010 at 01:27:46PM +0100, Sebastian Beßler wrote:
> On Tuesday, 16 March 2010 12:22:56, Alex Alexander wrote:
> > On Tue, Mar 16, 2010 at 10:23:06AM +0100, Sebastian Beßler wrote:
> > > On 16.03.2010 02:56, Duncan wrote:
> > > > I posted the link to the guide in the doomsday thread pretty much
> > > > concurrently to the discussion here, but for convenience, here's the
> > > > link:
> > > >
> > > > http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2
> > >
> > > What I don't like with this guide is that you have to be root to chroot
> > > into and run the applications as root inside of the chroot.
> >
> > You don't need to be root in the chroot to run applications. Just create
> > a user in the chroot and switch:
> >
> > su - youruser
>
> That is not really a solution, because all it needs to be root again is a
> simple exit. And chroot-root can break out of the chroot without problem.
>
> And you still need to be root to enter the chroot, so you must always type in
> your root password to start a simple app, even if you drop root inside the
> chroot. So this is nothing more than a really fragile hack, to me at least.
>
> Greetings
>
> Sebastian

I have a script that runs "su - wired" and I run that instead of /bin/bash
(in my chroot script, after all the necessary mounting, of course):

sudo chroot my_chroot /usr/local/bin/init_chroot_wired

That script ends with an "exit":

### /usr/local/bin/init_chroot_wired in my chroot ###
#!/bin/bash
# refresh the chroot's environment and load it into this shell
env-update
source /etc/profile
# drop to the unprivileged user; everything run inside the chroot is done as "wired"
su - wired
# reached when the user shell exits: end the script, so no root shell is left behind
exit

So when I exit the chroot it dies instead of dropping me to the root chroot shell.

-- 
Alex Alexander :: wired
Gentoo Developer
www.linuxized.com
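The init script above lives inside the chroot but is executed as root from outside it. As an added example, not Alex's own script, here is a host-side wrapper in the same spirit that checks the init script before handing it to chroot (owned by the invoking uid, not writable by the chroot user), plus a writer for that script which uses "exec" in place of the su/exit pair. The chroot path, the user name "wired", the mount list and the use of GNU stat(1) are assumptions.

```shell
# Added example (not code from the thread): a host-side wrapper for
# "sudo chroot my_chroot /usr/local/bin/init_chroot_wired" that checks the
# init script before running it as root, plus a writer for that script.
# Paths, the user name "wired", the mount list and GNU stat(1) are assumptions.
CHROOT_DIR="${CHROOT_DIR:-/home/user/my_chroot}"   # hypothetical location
INIT_SCRIPT="/usr/local/bin/init_chroot_wired"     # path inside the chroot
CHROOT_USER="wired"

# Write the in-chroot init script under DIR. "exec" replaces the root shell
# with su, so leaving the user session leaves the chroot: there is no root
# shell to fall back to (the thread's script reaches "exit" for the same
# effect after su returns).
write_init_script() {
    local dir="$1"
    mkdir -p "$dir$(dirname "$INIT_SCRIPT")"
    cat > "$dir$INIT_SCRIPT" <<EOF
#!/bin/bash
env-update
source /etc/profile
exec su - $CHROOT_USER
EOF
    chmod 0755 "$dir$INIT_SCRIPT"
}

# Succeed only if FILE is a regular file owned by the invoking uid (root under
# sudo) and not group/other writable: the script lives inside the chroot, and
# anything the chroot user can edit there would run as root on the next entry.
check_init_script() {
    local file="$1"
    [ -f "$file" ] || { echo "not a regular file: $file"; return 1; }
    set -- $(stat -c '%u %A' "$file")       # uid and e.g. -rwxr-xr-x
    if [ "$1" != "$(id -u)" ]; then
        echo "owned by uid $1, not by the invoking user"; return 1
    fi
    case "$2" in                             # chars 6 and 9 of the mode
        ?????w*|????????w*)                  # string are the g/o write bits
            echo "group/other writable ($2)"; return 1 ;;
    esac
    return 0
}

# Mount the pseudo filesystems, enter the chroot through the init script and
# unmount again when the session ends. Needs root, e.g. via sudo.
enter_chroot() {
    check_init_script "$CHROOT_DIR$INIT_SCRIPT" || return 1
    for fs in proc sys dev; do mount --bind "/$fs" "$CHROOT_DIR/$fs"; done
    trap 'for fs in dev sys proc; do umount "$CHROOT_DIR/$fs"; done' EXIT
    chroot "$CHROOT_DIR" "$INIT_SCRIPT"
}
```

Run as "sudo CHROOT_DIR=/path/to/my_chroot bash -c '. ./wrapper.sh; enter_chroot'" after a one-time "write_init_script /path/to/my_chroot" as root.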