Provided by: linux-user-chroot_2013.1-2_i386

NAME
       linux-user-chroot - safely allow normal users to chroot

SYNOPSIS
       linux-user-chroot [--unshare-ipc] [--unshare-pid] [--unshare-net]
       [--mount-proc DIR] [--mount-readonly DIR] [--mount-bind SOURCE DEST]
       [--chdir DIR] ROOTDIR PROGRAM ARGS...

DESCRIPTION
       linux-user-chroot is a tool meant for building software in a clean
       environment. The user needs to create a directory tree with the build
       dependencies needed, and only those, and then linux-user-chroot runs
       the actual build commands such that the commands only see the
       directory tree. This is useful for ensuring the build gets the right
       version of its build dependencies, for example.

       linux-user-chroot works similarly to chroot(8), but does not require
       the caller to have root privileges. It uses Linux containers to
       restrict the chroot to make this safe. The command run inside the
       chroot is run as the calling user, not as root.

       linux-user-chroot executes a command, and sets the root directory for
       the command to the directory specified by the user (ROOTDIR).
       Additionally, it creates a "nosuid" bind mount over the root
       filesystem, to prevent the build from gaining privileges using setuid
       binaries. The command can further be restricted from accessing the
       network, and it can be set up with new process ID and SysV IPC

OPTIONS
       --unshare-ipc
              Create a new SysV IPC namespace for the command.

       --unshare-pid
              Create a new process ID (PID) namespace for the command. This
              prevents the command from seeing any other processes in the
              system, except itself and the processes it itself creates.

       --unshare-net
              Create a new, empty networking stack. This prevents the command
              from using any networking, including loopback.

       --mount-proc DIR
              Mount the proc filesystem at DIR.

       --mount-readonly DIR
              Make DIR read-only for the command.

       --mount-bind SOURCE DEST
              Add a bind mount while the command is executing.

       --chdir DIR
              After setting the new root directory for the command, change the
              current working directory to be DIR.
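       The following is an added example, not from this man page or the
       linux-user-chroot project: a small POSIX sh build driver that audits a
       build tree for setuid/setgid files (which the nosuid bind mount
       neutralises, but which a clean dependency tree should not contain) and
       then invokes linux-user-chroot with every isolation option above. It
       assumes that --mount-bind DEST and --mount-proc DIR name paths inside
       ROOTDIR, so the mount points must exist in the tree, and it uses
       LINUX_USER_CHROOT as its own variable for locating the binary.

```shell
#!/bin/sh
# Added example, not part of the linux-user-chroot man page or project.
# Assumptions (this example's own, not stated on the page):
#   - --mount-bind DEST and --mount-proc DIR are paths inside ROOTDIR, so
#     the mount points must exist in the tree before the call;
#   - LINUX_USER_CHROOT may name the binary (default: the one in PATH).

# Print every setuid/setgid regular file under a build tree, one per line.
# The nosuid bind mount neutralises these inside the chroot, but a clean
# dependency tree should not contain any; treat hits as a packaging problem.
list_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# isolated_build ROOTDIR SRCDIR PROGRAM [ARGS...]
# Run PROGRAM inside ROOTDIR with no network, private PID and SysV IPC
# namespaces, a fresh /proc matching the new PID namespace, and the
# source checkout bind-mounted at /src and used as the working directory.
isolated_build() {
    [ $# -ge 3 ] || {
        echo "usage: isolated_build ROOTDIR SRCDIR PROGRAM [ARGS...]" >&2
        return 2
    }
    rootdir=$1; srcdir=$2; shift 2
    [ -d "$rootdir" ] || { echo "isolated_build: no such tree: $rootdir" >&2; return 1; }
    [ -d "$srcdir" ]  || { echo "isolated_build: no such source: $srcdir" >&2; return 1; }
    # Mount points for --mount-proc and --mount-bind must exist in the tree
    # (assumption: both options are interpreted relative to ROOTDIR).
    mkdir -p "$rootdir/proc" "$rootdir/src" || return 1
    "${LINUX_USER_CHROOT:-linux-user-chroot}" \
        --unshare-net --unshare-pid --unshare-ipc \
        --mount-proc /proc \
        --mount-bind "$srcdir" /src \
        --chdir /src \
        "$rootdir" "$@"
}
```

       Run list_setuid_files on the tree first and refuse to build if it
       prints anything; then isolated_build "$tree" "$(pwd)" make clean all
       check performs the build with the same isolation as the EXAMPLE below
       plus PID and IPC namespaces.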

EXIT STATUS
       The exit status is the exit status of the executed command, or 1 if
       linux-user-chroot failed to execute the command.

EXAMPLE
       To build software in the real system (ROOTDIR is /), but without
       networking:

              linux-user-chroot --unshare-net --chdir "$(pwd)" / \
                  make clean all check