From mboxrd@z Thu Jan 1 00:00:00 1970
To: gentoo-amd64@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
Subject: [gentoo-amd64] Re: Secure chroot (was: Re: Wine with no-multilib on AMD64)
Date: Tue, 16 Mar 2010 13:25:46 +0000 (UTC)
References: <20100313141534.GA7803@mars.lan> <4B9F4DFA.6000904@darkmetatron.de> <20100316112256.GA14328@fury.skynet> <201003161327.47162.sebastian@darkmetatron.de>
List-Id: Gentoo Linux mail
Sebastian Beßler posted on Tue, 16 Mar 2010 13:27:46 +0100 as excerpted:

> That is not really a solution, because all it needs to be root again is a
> simple exit. And chroot-root can break out of the chroot without
> problem. See the chroot --userspec option in its manpage...
> And you still need to be root to enter the chroot so you must always
> type in your root password to start a simple app, even if you drop root
> inside the chroot.

Not if you have sudo configured properly. Then the user uses their normal
password, or none, if sudo is set for no password verification for that
command. And since sudo is configurable per command including the passed
parameters, it's possible to specifically allow only the single command

"sudo linux32 chroot --userspec=xxx:yyy /mnt/point /bin/bash"

... and to configure it to require, or not require, entering the user
password, as desired. (FWIW, sudo can also be configured to require the
changed /to/ user's password, instead of the changed /from/ user's
password, so to require root's password here since it's root we're
changing to, to do the chroot, but that's a global setting that would
apply to all sudo usage on the system, while the require a password or not
setting is per configured allowed command or group of commands.)

> So this is nothing more than a really fragile hack, to me at least.

I won't argue that it's not a hack, but it isn't really more so, or more
fragile, IMO, than the whole multilib thing. And it does keep the 32-bit
and 64-bit sides better separated. So pick your hack. =:^)

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master -- and if you use the program,
he is your master." Richard Stallman
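A sudoers fragment implementing the per-command rule described in the reply above, added here as an example and not taken from the post. The account name alice and the /usr/bin/linux32 path are assumptions; /mnt/point and xxx:yyy are the placeholders used in the message.

```sudoers
# Added example (not from the original post). Assumed: the unprivileged
# account is "alice" and linux32 lives at /usr/bin/linux32. Edit with
# visudo so the syntax is checked before the file goes live.

# Too broad: lets alice run anything as root, not just the chroot entry.
# alice ALL=(root) ALL

# Narrow: exactly this command line, with exactly these arguments.
# sudo matches the full argument list, so a different mount point,
# userspec or shell is refused. The first word must be an absolute path;
# "chroot" and the rest are arguments handed to linux32. Avoid wildcards
# in the argument list: a "*" would also match additional arguments.
Cmnd_Alias WINE32 = /usr/bin/linux32 chroot --userspec=xxx:yyy /mnt/point /bin/bash

# Variant 1: alice still types her own password for this command.
alice ALL=(root) WINE32

# Variant 2: no password prompt, for this one command only.
# alice ALL=(root) NOPASSWD: WINE32

# The global setting mentioned in the reply: prompt for the target
# user's (root's) password instead of the invoking user's. This applies
# to every sudo rule on the system, not just WINE32.
# Defaults targetpw
```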