Provided by: linux-user-chroot_2013.1-2_amd64
linux-user-chroot - safely allow normal users to chroot
linux-user-chroot [--unshare-ipc] [--unshare-pid] [--unshare-net] [--mount-proc DIR] [--mount-readonly DIR] [--mount-bind SOURCE DEST] [--chdir DIR] ROOTDIR PROGRAM ARGS...
linux-user-chroot is a tool meant for building software in a clean environment. The user needs to create a directory tree with the build dependencies needed, and only those, and then linux-user-chroot runs the actual build commands such that the commands only see the directory tree. This is useful for ensuring the build gets the right version of its build dependencies, for example. linux-user-chroot works similary to chroot(8), but does not require the caller to have root privileges. It uses Linux containers to restrict the chroot to make this safe. The command run inside the chroot is run as the calling user, not as root. linux-user-chroot executes a command, and sets the root directory for the command to the directory specified by the user (ROOTDIR). Additionally, it creates a "nosuid" bind mount over the root filesystem, to prevent the build from gaining privileges using setuid binaries. The command can further be restricted from accessing the network, and it can be set up with new process ID and SysV IPC namespaces.
--unshare-ipc Create a new SysV IPC namespace for the command. --unshare-pid Create a new process ID (PID) namespace for the command. This prevents the command from seeing any other processes in the system, except itself and the processes it itself creates. --unshare-net Create a new, empty networking stack. This prevents the command from using any networking, including loopback. --mount-proc DIR Mount the proc filesystem at DIR. --mount-readonly DIR Make DIR be read-only for the command. --mount-bind SOURCE DEST Add a bind mount while the command is executing. --chdir DIR After setting the new root directory for the command, change the current working directory to be DIR.
The exit status is the exit status of the executed command, or 1 if linux-user-chroot failed to execute the command.
To build software in the real system, but without networking: linux-user-chroot --unshare-net --chdir "$(pwd)" make clean all check