From: Duncan <1i5t5.duncan@cox.net>
To: gentoo-amd64@lists.gentoo.org
Subject: [gentoo-amd64] Re: Wine with no-multilib on AMD64
Date: Tue, 16 Mar 2010 12:50:41 +0000 (UTC)
Message-ID: <pan.2010.03.16.12.50.40@cox.net>
In-Reply-To: hnnoee$834$1@dough.gmane.org

Nikos Chantziaras posted on Tue, 16 Mar 2010 13:01:38 +0200 as excerpted:
> On 03/16/2010 11:23 AM, Sebastian Beßler wrote:
>> On 16.03.2010 02:56, Duncan wrote:
>>
>>> I posted the link to the guide in the doomsday thread pretty much
>>> concurrently to the discussion here, but for convenience, here's the
>>> link:
>>>
>>> http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2
>>
>> What I don't like with this guide is that you have to be root to chroot
>> into and run the applications as root inside of the chroot.
>
> Wait a minute. You're telling me that all the people who posted that
> they use chroot in order to have a "clean 64bit" system are actually
> running all their 32bit application as root and still consider the
> chroot a viable alternative to multilib?
>
> I have only one word to describe this:
>
> PHAIL.

Actually, neither the invoking nor the invoked side is root here. Here's
how I handle it.

1) I use chroot's --userspec=UID:GID option so I end up as the specified
user -- not root -- in the chroot. The guide doesn't mention this,
unfortunately, but the chroot manpage does, and when I got tired of su-ing
back to a normal user, it was easy enough to look up, and then to change my
invoking scripts accordingly. =:^)

2) On the invoking side, I have sudo set up to authorize the specific
linux32 chroot command used, so while it's executed as root, the user
never sees it, and sudo can be set to only allow that specific command
with those specific parameters (including the --userspec bit), so that
bit's reasonably locked down.

3) Since the allowed command is a fixed string of some length, it makes
sense to set up either a scriptlet or an alias, invoked with a much shorter
command. Since in my case the chroot is the image for my Acer Aspire One
netbook, I use the scriptlet name "aastart".

4) I also scripted the chroot setup, called "aamount", that handles all
the bind-mounts, etc., and have that invokable using sudo as well. I
separated the setup from the actual chroot entry command as it can be
useful to run multiple sessions, all in the same chroot. So I run the
setup script once, and can then run aastart multiple times as desired.
There's a similar "aaumount" script that tears down the setup, umounting
all the mount-binds, etc.

But you're right that the --userspec bit should really be documented in
the guide.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
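
Added example, not Duncan's actual "aastart"/"aamount" scripts: one bash
file that ties the four points above together. The chroot location
(/mnt/aa), the unprivileged uid:gid (1000:1000), the tool paths
(/usr/bin/linux32 from util-linux, /usr/bin/chroot from coreutils) and the
login name used in the sudoers line are all constructed assumptions for
illustration. The sudoers line it prints is what point 2 relies on: sudo
matches the command and its arguments as one literal string, so only that
exact linux32 chroot --userspec invocation is authorized and nothing else.

```shell
#!/bin/bash
# Added example (not the list poster's scripts). Assumed values:
AA_ROOT="/mnt/aa"          # hypothetical location of the 32-bit chroot image
AA_USERSPEC="1000:1000"    # uid:gid to become inside the chroot (never 0 / root)
AA_SHELL="/bin/bash"       # login shell started inside the chroot
LINUX32="/usr/bin/linux32" # util-linux setarch wrapper (assumed path)
CHROOT="/usr/bin/chroot"   # coreutils chroot with --userspec (assumed path)
set -eu

# Refuse a userspec that would land the session as root inside the chroot.
# Returns 0 for an acceptable uid:gid pair, 1 otherwise.
aa_userspec_ok() {
    case "$1" in
        0:*|*:0|root:*|*:root) return 1 ;;
        *:*)                   return 0 ;;
        *)                     return 1 ;;
    esac
}

# The one fixed argv that sudo is allowed to run (point 2 / point 3).
# No wildcards and no user-supplied parts, so the sudoers rule can match
# it literally.
aa_chroot_cmd() {
    aa_userspec_ok "$AA_USERSPEC" || return 1
    printf '%s %s --userspec=%s %s %s -l' \
        "$LINUX32" "$CHROOT" "$AA_USERSPEC" "$AA_ROOT" "$AA_SHELL"
}

# sudoers rule for the login given as $1 (install with visudo). sudo
# compares the full argument string, so a different chroot path, userspec
# or shell is refused. Drop NOPASSWD: if a password prompt is wanted.
aa_sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$(aa_chroot_cmd)"
}

# aastart: the short command from point 3. Runs the authorized command
# through sudo; chroot drops to AA_USERSPEC before exec'ing the shell, so
# the user never gets a root prompt.
aastart() {
    # shellcheck disable=SC2046
    exec sudo $(aa_chroot_cmd)
}

# aamount / aaumount: point 4, kept separate from aastart so one setup can
# serve several sessions. Both must run as root via their own sudo rules.
aamount() {
    local d
    for d in proc sys dev dev/pts tmp; do
        if ! mountpoint -q "$AA_ROOT/$d"; then
            mount --bind "/$d" "$AA_ROOT/$d"
        fi
    done
}

aaumount() {
    local d
    for d in tmp dev/pts dev sys proc; do   # reverse order of aamount
        if mountpoint -q "$AA_ROOT/$d"; then
            umount "$AA_ROOT/$d"
        fi
    done
}

# Dispatch only when invoked with an action; sourcing the file defines the
# functions and does nothing else.
case "${1:-}" in
    start)   aastart ;;
    mount)   aamount ;;
    umount)  aaumount ;;
    sudoers) aa_sudoers_line "${2:-USERNAME}" ;;
esac
```

Keep the chroot image root-owned so the user cannot edit what the
root-run setup scripts mount, and review the generated sudoers line with
visudo before trusting it; the whole lock-down rests on that rule naming
exactly one argument string.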