public inbox for gentoo-amd64@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
To: gentoo-amd64@lists.gentoo.org
Subject: [gentoo-amd64] Re: Wine with no-multilib on AMD64
Date: Tue, 16 Mar 2010 12:50:41 +0000 (UTC)
Message-ID: <pan.2010.03.16.12.50.40@cox.net>
In-Reply-To: hnnoee$834$1@dough.gmane.org

Nikos Chantziaras posted on Tue, 16 Mar 2010 13:01:38 +0200 as excerpted:

> On 03/16/2010 11:23 AM, Sebastian Beßler wrote:
>> On 16.03.2010 02:56, Duncan wrote:
>>
>>> I posted the link to the guide in the doomsday thread pretty much
>>> concurrently to the discussion here, but for convenience, here's the
>>> link:
>>>
>>> http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2
>>
>> What I don't like with this guide is that you have to be root to chroot
>> into and run the applications as root inside of the chroot.
> 
> Wait a minute.  You're telling me that all the people who posted that
> they use chroot in order to have a "clean 64bit" system are actually
> running all their 32bit application as root and still consider the
> chroot a viable alternative to multilib?
> 
> I have only one word to describe this:
> 
> PHAIL.

Actually, neither the invoking nor the invoked side are root here.  Here's 
how I handle it.

1)  I use chroot's --userspec=UID:GID option so I end up as the specified 
user -- not root -- in the chroot.  The guide doesn't mention this, 
unfortunately, but the chroot manpage does, and when I got tired of su-ing 
back to a normal user, it was easy enough to look up, and then to change my 
invoking scripts accordingly. =:^)

2)  On the invoking side, I have sudo set up to authorize the specific 
linux32 chroot command used, so while it's executed as root, the user 
never sees it, and sudo can be set to only allow that specific command 
with those specific parameters (including the --userspec bit), so that 
bit's reasonably locked down.

3)  Since the allowed command is a fixed string of some length, it makes 
sense to set up either a scriptlet or an alias, invoked with a much shorter 
command.  Since in my case, the chroot is the image for my Acer Aspire One 
netbook, I use the scriptlet name "aastart".

4)  I also scripted the chroot setup, called "aamount", that handles all 
the bind-mounts, etc, and have that invokable using sudo as well.  I 
separated the setup from the actual chroot entry command as it can be 
useful to run multiple sessions, all in the same chroot.  So I run the 
setup script once, and can then run aastart multiple times as desired.  
There's a similar "aaumount" script that tears down the setup, umounting 
all the mount-binds, etc.

But you're right that the --userspec bit should really be documented in 
the guide.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
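An added illustration of the set-up Duncan describes above (the aamount / aastart / aaumount scriptlets plus the pinned sudoers command); this is example code written for this page, not Duncan's actual scripts, and it assumes the 32-bit image lives at /mnt/aa32, the unprivileged user is 1000:1000, and linux32 is at /usr/bin/linux32.

```shell
#!/bin/sh
# Added example, not the poster's own scripts: one file providing the three
# helpers described in the post (aamount / aastart / aaumount) plus the
# sudoers line that pins the one command sudo will accept.
# Assumed values: chroot at /mnt/aa32, unprivileged user 1000:1000.
# DRYRUN=1 prints each privileged command instead of running it.

AA_ROOT="${AA_ROOT:-/mnt/aa32}"           # assumed chroot location
AA_USER="${AA_USER:-1000:1000}"           # UID:GID handed to --userspec
AA_BINDS="/dev /dev/pts /proc /sys /tmp"  # mount order; umounted in reverse

run() {
    if [ -n "$DRYRUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# aamount: bind-mount the host pseudo-filesystems into the chroot once;
# several aastart sessions can then share the same set-up.
aamount() {
    [ -d "$AA_ROOT" ] || { echo "no chroot at $AA_ROOT" >&2; return 1; }
    for d in $AA_BINDS; do
        run mount --bind "$d" "$AA_ROOT$d"
    done
    run cp /etc/resolv.conf "$AA_ROOT/etc/resolv.conf"
}

# aaumount: tear down in reverse order so /dev/pts goes before /dev.
aaumount() {
    rev=""
    for d in $AA_BINDS; do rev="$d $rev"; done
    for d in $rev; do
        run umount "$AA_ROOT$d"
    done
}

# aastart: enter the chroot as the unprivileged user, not as root.
# linux32 sets the i686 personality so uname/emerge see a 32-bit host.
aastart() {
    run linux32 chroot --userspec="$AA_USER" "$AA_ROOT" /bin/bash -l
}

# sudoers_line: the exact command string sudo will accept for user $1;
# any change to the arguments (e.g. dropping --userspec) is refused.
sudoers_line() {
    printf '%s ALL=(root) /usr/bin/linux32 chroot --userspec=%s %s /bin/bash -l\n' \
        "$1" "$AA_USER" "$AA_ROOT"
}

case "${1:-}" in
    mount) aamount ;;  start) aastart ;;  umount) aaumount ;;
    sudoers) sudoers_line "${2:-${USER:-user}}" ;;
esac
```

Only the `sudo` wrapper needs root; `aastart` itself lands in the chroot as 1000:1000, so nothing inside the chroot runs as root.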
