From: Duncan <1i5t5.duncan@cox.net>
To: gentoo-amd64@lists.gentoo.org
Subject: [gentoo-amd64] Re: Secure chroot (was: Re: Wine with no-multilib on AMD64)
Date: Tue, 16 Mar 2010 23:38:49 +0000 (UTC)
References: <20100313141534.GA7803@mars.lan> <201003161327.47162.sebastian@darkmetatron.de> <201003161724.55387.sebastian@darkmetatron.de>

Sebastian Beßler posted on Tue, 16 Mar 2010 17:24:55 +0100 as excerpted:

> Your way looks quite nice, I will look into it when I am back home. Btw.
> the ubuntu manpage of chroot (at work I use ubuntu) does not mention
> --userspec (or maybe I am still too dumb to use man ;-)

It's possible the --userspec option is relatively new to chroot, tho I'd not expect so. FWIW I'm using ~amd64, so have newer versions of a lot of packages than stable will.

It's also possible that ubuntu is using an old (or possibly POSIX-only) manpage. What does chroot --help list? Here, --userspec is the first option listed (the other one besides help and version being --groups, which takes a list of supplementary groups that the user will appear in, while in the chroot).

One thing that's unclear to me is whether the userspec and groups parameters use the IDs from the running system or the chroot, tho I suspect it's the running system (I started with the same passwd, etc. files in both, here, because as I said I need a full config for my usage and that was most convenient).

I did notice that I had to use the actual UID:GID numbers, altho the manpage said names should work too. I figured that was due to some vagaries of configuration, but finding and using the numbers was no big deal, so I didn't worry about it.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman
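The post above notes that names did not work with --userspec and that it is unclear whether chroot resolves them against the host or the chroot. An added example (not from Duncan's mail or from coreutils) that avoids the ambiguity: look the names up explicitly in the chroot's own passwd and group files and hand chroot the numeric UID:GID it accepts. The chroot tree, user `wineuser` and the `resolve_userspec` helper are constructed here for illustration.

```shell
#!/bin/sh
# Added example: resolve a user and group name to the numeric "UID:GID"
# form that chroot --userspec accepts, reading the name databases from
# the chroot tree rather than the host, so there is no question about
# which side's /etc/passwd the names are interpreted against.

# resolve_userspec <chroot-root> <user> <group>
# Prints UID:GID; returns non-zero if either name is absent in the chroot.
resolve_userspec() {
    root=$1; user=$2; group=$3
    uid=$(awk -F: -v n="$user" '$1 == n { print $3; found=1 } END { exit !found }' \
        "$root/etc/passwd") || return 1
    gid=$(awk -F: -v n="$group" '$1 == n { print $3; found=1 } END { exit !found }' \
        "$root/etc/group") || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# Constructed sample chroot tree with its own passwd/group files
# (contents are made up for this example).
CHROOT=$(mktemp -d)
mkdir -p "$CHROOT/etc"
cat > "$CHROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
wineuser:x:1001:1001:Wine sandbox user:/home/wineuser:/bin/sh
EOF
cat > "$CHROOT/etc/group" <<'EOF'
root:x:0:
wineuser:x:1001:
audio:x:18:wineuser
EOF

# The printed spec is what you would pass as
#   chroot --userspec="$SPEC" --groups=18 "$CHROOT" <command>
# (running the actual chroot requires root and a populated tree, so it
# is left as a comment here).
SPEC=$(resolve_userspec "$CHROOT" wineuser wineuser)
echo "--userspec=$SPEC"
```

Because the numeric IDs are taken from the chroot's files, the spec stays correct even when the host's passwd differs from the chroot's, which is the case the post's "same passwd in both" workaround was covering.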