From: Duncan <1i5t5.duncan@cox.net>
To: gentoo-amd64@lists.gentoo.org
Subject: [gentoo-amd64] Re: Wine with no-multilib on AMD64
Date: Tue, 16 Mar 2010 12:50:41 +0000 (UTC)
References: <20100313141534.GA7803@mars.lan> <201003131629.06701.volkerarmin@googlemail.com> <20100315180447.GB8561@mars.lan> <4B9F4DFA.6000904@darkmetatron.de>

Nikos Chantziaras
posted on Tue, 16 Mar 2010 13:01:38 +0200 as excerpted:

> On 03/16/2010 11:23 AM, Sebastian Beßler wrote:
>> On 16.03.2010 02:56, Duncan wrote:
>>
>>> I posted the link to the guide in the doomsday thread pretty much
>>> concurrently to the discussion here, but for convenience, here's the
>>> link:
>>>
>>> http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2
>>
>> What I don't like with this guide is that you have to be root to chroot
>> into and run the applications as root inside of the chroot.
>
> Wait a minute. You're telling me that all the people who posted that
> they use chroot in order to have a "clean 64bit" system are actually
> running all their 32bit applications as root and still consider the
> chroot a viable alternative to multilib?
>
> I have only one word to describe this:
>
> PHAIL.

Actually, neither the invoking nor the invoked side is root here. Here's how I handle it.

1) I use chroot's --userspec=UID:GID option so I end up as the specified user -- not root -- in the chroot. The guide doesn't mention this, unfortunately, but the chroot manpage does, and when I got tired of su-ing back to a normal user, it was easy enough to look up, and then to change my invoking scripts accordingly. =:^)

2) On the invoking side, I have sudo set up to authorize the specific linux32 chroot command used, so while it's executed as root, the user never sees it, and sudo can be set to only allow that specific command with those specific parameters (including the --userspec bit), so that bit's reasonably locked down.

3) Since the allowed command is a fixed string of some length, it makes sense to set up either a scriptlet or an alias, invoked with a much shorter command. Since in my case the chroot is the image for my Acer Aspire One netbook, I use the scriptlet name "aastart".
4) I also scripted the chroot setup, called "aamount", that handles all the bind-mounts, etc., and have that invokable using sudo as well. I separated the setup from the actual chroot entry command as it can be useful to run multiple sessions, all in the same chroot. So I run the setup script once, and can then run aastart multiple times as desired. There's a similar "aaumount" script that tears down the setup, umounting all the mount-binds, etc.

But you're right that the --userspec bit should really be documented in the guide.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman
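The setup described in points 1) to 4) above, as an added example that is not the poster's own scripts: one sketch covering the "aamount", "aastart" and "aaumount" scriptlets and the matching sudoers rule. The mount point /mnt/aa, the account name, the uid/gid 1000 and the shell started inside the chroot are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's own scripts): a sketch of the "aamount",
# "aastart" and "aaumount" scriptlets described above plus the matching
# sudoers rule. Mount point, account name and shell are assumptions.
set -eu
CHROOT=/mnt/aa          # assumed mount point of the 32-bit image (no spaces)
CHROOT_USER=duncan      # assumed unprivileged account used inside the chroot

# The one fixed command line sudo is allowed to run. The sudoers rule and the
# invoking script must agree on it byte for byte, so it is built in one place.
# A root userspec is refused: the point of --userspec is that the shell inside
# the chroot is not root.
aa_chroot_cmd() {
    uid=${1:-$(id -u "$CHROOT_USER")}
    gid=${2:-$(id -g "$CHROOT_USER")}
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "refusing to enter the chroot as root" >&2
        return 1
    fi
    printf '/usr/bin/linux32 /usr/bin/chroot --userspec=%s:%s %s /bin/bash -l\n' \
        "$uid" "$gid" "$CHROOT"
}
# Matching sudoers entry (install with visudo; ',', ':', '=' and '\' must be
# backslash-escaped inside command arguments, see sudoers(5)):
#   duncan ALL=(root) NOPASSWD: /usr/bin/linux32 /usr/bin/chroot \
#       --userspec\=1000\:1000 /mnt/aa /bin/bash -l
# With the arguments spelled out, a different --userspec does not match.

# "aamount": run once as root; sets up the bind mounts shared by every session.
aa_mount() {
    mount -t proc proc "$CHROOT/proc"
    mount --rbind /sys "$CHROOT/sys"
    mount --rbind /dev "$CHROOT/dev"
    cp -L /etc/resolv.conf "$CHROOT/etc/resolv.conf"
}
# "aaumount": tear the mounts down again once all sessions have exited.
aa_umount() {
    umount -R "$CHROOT/dev" "$CHROOT/sys"
    umount "$CHROOT/proc"
}
# "aastart": the short command the user types, any number of times after one
# aa_mount. sudo runs the fixed command and chroot drops to CHROOT_USER.
aa_start() {
    cmd=$(aa_chroot_cmd)
    exec sudo $cmd   # unquoted on purpose: split the fixed string into arguments
}
case "${1:-}" in
    mount) aa_mount ;; umount) aa_umount ;; start) aa_start ;;
    *) ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run as `sudo ./aa mount` once, then `./aa start` per session and `sudo ./aa umount` when done; the mount and umount subcommands would need their own sudoers rules, which this sketch leaves out.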