Provided by: linux-user-chroot_2013.1-2_amd64

NAME
       linux-user-chroot - safely allow normal users to chroot

SYNOPSIS
       linux-user-chroot   [--unshare-ipc]  [--unshare-pid]  [--unshare-net]  [--mount-proc  DIR]
       [--mount-readonly DIR] [--mount-bind SOURCE DEST] [--chdir DIR] ROOTDIR PROGRAM ARGS...

DESCRIPTION
       linux-user-chroot is a tool meant for building software in a clean environment.  The  user
       needs  to  create a directory tree with the build dependencies needed, and only those, and
       then linux-user-chroot runs the actual build commands such that the commands only see  the
       directory tree.  This is useful for ensuring the build gets the right version of its build
       dependencies, for example.

       linux-user-chroot works similarly to chroot(8), but does not require the  caller  to  have
       root  privileges.  It uses Linux containers (mount, PID, IPC and network namespaces) to
       restrict the chroot and make this safe.  The command run inside the chroot is run as the
       calling user, not as root.

       linux-user-chroot executes a command, and sets the root directory for the command  to  the
       directory specified by the user (ROOTDIR).  Additionally, it creates a "nosuid" bind mount
       over the root filesystem, to prevent  the  build  from  gaining  privileges  using  setuid
       binaries.  The command can further be restricted from accessing the network, and it can be
       set up with new process ID and SysV IPC namespaces.

OPTIONS
       --unshare-ipc
              Create a new SysV IPC namespace for the command.

       --unshare-pid
              Create a new process ID (PID) namespace for the command.  This prevents the command
              from  seeing  any other processes in the system, except itself and the processes it
              itself creates.

       --unshare-net
              Create a new, empty networking stack.  This prevents the  command  from  using  any
              networking, including loopback.

       --mount-proc DIR
              Mount the proc filesystem at DIR.

       --mount-readonly DIR
              Make DIR be read-only for the command.

       --mount-bind SOURCE DEST
              Add a bind mount while the command is executing.

       --chdir DIR
              After  setting  the  new root directory for the command, change the current working
              directory to be DIR.

EXIT STATUS
       The exit status is the exit status of the executed  command,  or  1  if  linux-user-chroot
       failed to execute the command.

EXAMPLES
       To build software in the real system, but without networking:

              linux-user-chroot --unshare-net --chdir "$(pwd)" / \
                  make clean all check

       Here ROOTDIR is "/" (the real system) and "make clean all check" is the PROGRAM with its
       ARGS; --chdir returns the build to the caller's working directory after the root change.
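As an added example (not part of the man page or the linux-user-chroot project), a POSIX sh preflight script meant to be passed as PROGRAM so that the build starts only if the restrictions described above are really in effect: it checks the nosuid root mount, the new PID namespace and the empty network stack, then execs the real build command. The checks read /proc/self/mounts, /proc and /proc/net/dev, so they assume the sandbox was started with --mount-proc /proc; the script name sandbox-preflight.sh is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the linux-user-chroot man page or project.
# Preflight wrapper run as PROGRAM inside the chroot: verifies the sandbox
# restrictions are really in effect, then execs the build. Assumes the
# sandbox was started with --unshare-net --unshare-pid --mount-proc /proc:
#   linux-user-chroot --unshare-net --unshare-pid --mount-proc /proc \
#       --chdir "$(pwd)" / ./sandbox-preflight.sh make clean all check
# root_is_nosuid MOUNTS_FILE: succeed if the mount on "/" carries nosuid.
# /proc/self/mounts lines read: source target fstype options dump pass
root_is_nosuid() {
    while read -r _src target _fstype opts _rest; do
        if [ "$target" = "/" ]; then
            case ",$opts," in *,nosuid,*) return 0 ;; esac
            return 1
        fi
    done < "$1"
    return 1   # no "/" entry at all: treat as unrestricted
}

# no_older_processes PROC_DIR MYPID: succeed if no PID in PROC_DIR is
# smaller than ours. In a fresh PID namespace the command is PID 1, so an
# older process means we are still in the host's PID namespace.
no_older_processes() {
    for entry in "$1"/[0-9]*; do
        [ -d "$entry" ] || continue
        if [ "${entry##*/}" -lt "$2" ]; then return 1; fi
    done
    return 0
}

# net_is_isolated NETDEV_FILE: succeed if /proc/net/dev lists only "lo".
# --unshare-net gives an empty stack, which still has a (down) loopback.
net_is_isolated() {
    while read -r field _rest; do
        case "$field" in
            *:*) [ "${field%%:*}" = "lo" ] || return 1 ;;
        esac
    done < "$1"
    return 0
}

sandbox_preflight() {
    root_is_nosuid /proc/self/mounts || { echo "root not nosuid" >&2; exit 1; }
    no_older_processes /proc "$$" || { echo "not in new PID ns" >&2; exit 1; }
    net_is_isolated /proc/net/dev || { echo "network reachable" >&2; exit 1; }
    exec "$@"
}

case "$0" in *sandbox-preflight*) sandbox_preflight "$@" ;; esac
```

Because the script execs PROGRAM, the exit status linux-user-chroot reports is still that of the build itself, or 1 if a preflight check failed.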