Nikos Chantziaras posted on Tue, 16 Mar 2010 13:01:38 +0200 as excerpted:

> On 03/16/2010 11:23 AM, Sebastian Beßler wrote:
>> On 16.03.2010 02:56, Duncan wrote:
>>
>>> I posted the link to the guide in the doomsday thread pretty much
>>> concurrently to the discussion here, but for convenience, here's the
>>> link:
>>>
>>> http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2
>>
>> What I don't like with this guide is that you have to be root to chroot
>> into and run the applications as root inside of the chroot.
>
> Wait a minute. You're telling me that all the people who posted that
> they use chroot in order to have a "clean 64bit" system are actually
> running all their 32bit applications as root and still consider the
> chroot a viable alternative to multilib?
>
> I have only one word to describe this:
>
> PHAIL.
Actually, neither the invoking nor the invoked side is root here. Here's how I handle it.

1) I use chroot's --userspec=UID:GID option so I end up as the specified user -- not root -- in the chroot. The guide doesn't mention this, unfortunately, but the chroot manpage does, and when I got tired of su-ing back to a normal user, it was easy enough to look up, and then to change my invoking scripts accordingly. =:^)

2) On the invoking side, I have sudo set up to authorize the specific linux32 chroot command used, so while it's executed as root, the user never sees it, and sudo can be set to only allow that specific command with those specific parameters (including the --userspec bit), so that bit's reasonably locked down.

3) Since the allowed command is a fixed string of some length, it makes sense to set up either a scriptlet or an alias, invoked with a much shorter command. Since in my case the chroot is the image for my Acer Aspire One netbook, I use the scriptlet name "aastart".

4) I also scripted the chroot setup, called "aamount", that handles all the bind-mounts, etc., and have that invokable using sudo as well. I separated the setup from the actual chroot entry command as it can be useful to run multiple sessions, all in the same chroot. So I run the setup script once, and can then run aastart multiple times as desired. There's a similar "aaumount" script that tears down the setup, umounting all the bind-mounts, etc.

But you're right that the --userspec bit should really be documented in the guide.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
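The setup Duncan describes (a pinned sudo rule, a mount/umount script, and an entry command that lands as an unprivileged user via --userspec), written out as an added example that is not the poster's own script. The chroot path /mnt/aa, the 1000:1000 UID:GID, the invoking user name "duncan" and the script install path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Scripted 32-bit chroot handling:
# one pinned entry command (so sudo can authorize exactly that string),
# a setup/teardown pair for the bind-mounts, and a guard that refuses to
# enter the chroot as root. All paths and ids below are assumed values.
set -eu

CHROOT=/mnt/aa            # assumed location of the 32-bit chroot image
CHROOT_USER=1000:1000     # assumed UID:GID to become inside the chroot
INVOKER=duncan            # assumed unprivileged user on the invoking side
SELF=/usr/local/bin/aa    # assumed install path of this script

# The single fixed command line sudo will be allowed to run.
entry_cmd() {
    printf '%s\n' "/usr/bin/linux32 /usr/bin/chroot --userspec=$CHROOT_USER $CHROOT /bin/bash -l"
}

# Matching sudoers rule: arguments are part of the match, so the invoker
# can run only this exact chroot entry plus the mount/umount subcommands.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s, %s mount, %s umount\n' \
        "$INVOKER" "$(entry_cmd)" "$SELF" "$SELF"
}

# Returns 0 only if the command carries a --userspec that is not root.
check_not_root() {
    case "$1" in
        *--userspec=0:*|*--userspec=root:*) return 1 ;;
        *--userspec=*) return 0 ;;
        *) return 1 ;;
    esac
}

aamount() {   # run once via "sudo aa mount"; aastart may then run repeatedly
    mount -t proc none "$CHROOT/proc"
    mount --rbind /dev "$CHROOT/dev"
    mount --rbind /sys "$CHROOT/sys"
}

aaumount() {  # run via "sudo aa umount"; -R unmounts the rbind trees recursively
    umount -R "$CHROOT/sys" "$CHROOT/dev"
    umount "$CHROOT/proc"
}

aastart() {   # runs unprivileged; only the pinned command goes through sudo
    cmd=$(entry_cmd)
    check_not_root "$cmd" || { echo "refusing: no non-root --userspec" >&2; return 1; }
    sudo $cmd   # intentional word splitting of the pinned string
}

case "${1:-}" in mount) aamount ;; umount) aaumount ;; start) aastart ;; rule) sudoers_rule ;; esac
```

Running `aa rule` prints the sudoers line to paste into visudo; `aa mount`, `aa start` and `aa umount` correspond to aamount, aastart and aaumount in the post.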