Colin Walters <walters verbum org> writes:

> Just to follow up:
>
> Option list in what I see as ascending order of difficulty:
>
> 0) Don't use vServer on the build machine - use virtualization or
> baremetal.

We have almost everything inside vServer containers at Igalia... not an
option for me right now :-/

> 1) Run ostbuild as uid 0 inside the vServer; write a tool that accepts
> the same options as linux-user-chroot, but doesn't try to use any
> container features like CLONE_NEWNET or set PR_SET_NO_NEW_PRIVS.
> We just need chroot and bind mounts. The tool wouldn't have to be
> setuid.

> 2) Like #1, except try to make the build run as non-root too.
> This is clearly better, but may involve patching vServer so it
> works better with linux-user-chroot.

The latter is the better, IMHO. Doing setuid/setgid inside vServer
containers is possible as long as CAP_SETUID and CAP_SETGID are listed as
allowed capabilities in the configuration. No patching needed.

Please take a look at my previous mail on this subject, I am proposing to
do something along the lines of your #2 idea above.

Regards,

--
Adrian Perez <aperez igalia com> - Sent from my toaster
Igalia - Free Software Engineering
Attachment:
pgp7gDIXjoaAe.pgp
Description: PGP signature
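The tool sketched in options #1 and #2 above (chroot plus bind mounts, no CLONE_NEW* namespaces, the build itself running as non-root) can be put together as an added example; this is not code from the thread, from Igalia or from linux-user-chroot itself. It assumes that the option spellings --mount-bind SRC DEST and --unshare-* mirror linux-user-chroot's, that --user UID GID is a hypothetical addition for choosing the build identity, and that the vServer configuration allows the capabilities the syscalls need (chroot, mount, setgid/setuid). The --unshare-* options are accepted but ignored, since that is the container feature vServer does not provide; the security-relevant part is drop_privileges(), which switches groups, gid and uid in that order and then verifies root cannot be regained before the build is exec'd.

```c
#define _GNU_SOURCE                      /* setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/mount.h>
#endif
#define MAX_BINDS 16

struct plan {
    const char *src[MAX_BINDS], *dst[MAX_BINDS];  /* bind mounts; DEST is a host path */
    int nbinds, unshare_ignored;                  /* --unshare-* seen but not honoured */
    const char *root;                             /* chroot(2) target */
    char **argv;                                  /* program and args to exec inside it */
    uid_t uid; gid_t gid;                         /* unprivileged build identity */
};

/* Parse linux-user-chroot-style arguments (option spellings assumed; --user is a
 * hypothetical addition): [--mount-bind SRC DEST]... [--user UID GID] ROOT PROG [ARGS...]
 * Returns 0 on success, -1 on malformed input. */
int parse_args(int argc, char **argv, struct plan *p)
{
    int i;
    memset(p, 0, sizeof *p); p->uid = getuid(); p->gid = getgid();  /* default: invoker */
    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (strcmp(a, "--mount-bind") == 0) {
            if (i + 2 >= argc || p->nbinds >= MAX_BINDS) return -1;
            p->src[p->nbinds] = argv[i + 1]; p->dst[p->nbinds] = argv[i + 2];
            p->nbinds++; i += 2;
        } else if (strcmp(a, "--user") == 0) {
            if (i + 2 >= argc) return -1;
            p->uid = (uid_t)strtoul(argv[i + 1], NULL, 10);
            p->gid = (gid_t)strtoul(argv[i + 2], NULL, 10);
            i += 2;
        } else if (strncmp(a, "--unshare-", 10) == 0) {
            p->unshare_ignored++;                 /* CLONE_NEW* is what vServer refuses */
        } else if (strncmp(a, "--", 2) == 0) {
            return -1;                            /* unknown option */
        } else break;                             /* first positional: ROOT */
    }
    if (i + 1 >= argc) return -1;                 /* need both ROOT and PROG */
    p->root = argv[i]; p->argv = &argv[i + 1];
    return 0;
}

/* Drop to the unprivileged build identity: supplementary groups, then gid, then uid
 * (any other order leaves no privilege to finish), and verify root cannot be regained.
 * Needs CAP_SETGID and CAP_SETUID allowed in the vServer configuration. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;                      /* refuse to run the build as root */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    if (setuid(0) == 0) return -1;                /* the drop was not permanent */
    return 0;
}

/* Apply the plan: bind mounts, chroot, chdir("/") so no handle to the old root
 * survives, privilege drop, exec. Only returns on failure. */
int enter_chroot(const struct plan *p)
{
#ifdef __linux__
    for (int i = 0; i < p->nbinds; i++)
        if (mount(p->src[i], p->dst[i], NULL, MS_BIND | MS_REC, NULL) != 0) {
            perror("mount --bind"); return -1;
        }
#else
    if (p->nbinds > 0) { fprintf(stderr, "bind mounts need Linux\n"); return -1; }
#endif
    if (chroot(p->root) != 0) { perror("chroot"); return -1; }
    if (chdir("/") != 0)      { perror("chdir");  return -1; }
    if (drop_privileges(p->uid, p->gid) != 0) { perror("drop_privileges"); return -1; }
    execvp(p->argv[0], p->argv);
    perror("execvp"); return -1;
}

/* Offline self-check on a constructed command line (no mounts, no chroot);
 * returns the number of checks that passed, 6 when everything is right. */
int self_check(void)
{
    char *args[] = { "tool", "--mount-bind", "/srv/src", "/srv/root/src", "--unshare-net",
                     "--user", "1000", "1000", "/srv/root", "make", "-j4", NULL };
    char *no_prog[] = { "tool", "/srv/root", NULL };
    struct plan p;
    int ok = 0;
    ok += parse_args(11, args, &p) == 0;
    ok += p.nbinds == 1 && strcmp(p.dst[0], "/srv/root/src") == 0 && p.unshare_ignored == 1;
    ok += p.uid == 1000 && p.gid == 1000;
    ok += strcmp(p.root, "/srv/root") == 0 && strcmp(p.argv[0], "make") == 0
          && strcmp(p.argv[1], "-j4") == 0;
    ok += parse_args(2, no_prog, &p) == -1;       /* ROOT but no PROG */
    ok += drop_privileges(0, 0) == -1;            /* root build refused */
    return ok;
}

int main(int argc, char **argv)
{
    struct plan p;
    if (parse_args(argc, argv, &p) != 0) { fprintf(stderr, "bad arguments\n"); return 2; }
    return enter_chroot(&p) == 0 ? 0 : 1;
}
```

Run as uid 0 inside the container, e.g. tool --mount-bind /srv/src /srv/root/src --user 1000 1000 /srv/root make -j4; the binary is not setuid, and if the container configuration lacks CAP_SETUID or CAP_SETGID the tool fails closed before exec rather than running the build as root. The chdir("/") after chroot matters: a process that keeps its working directory outside the new root can still reach the old filesystem.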