bionic (8) linux-user-chroot.8.gz

Provided by: linux-user-chroot_2013.1-2build1_amd64

NAME

       linux-user-chroot - safely allow normal users to chroot

SYNOPSIS

       linux-user-chroot  [--unshare-ipc]  [--unshare-pid]  [--unshare-net] [--mount-proc DIR] [--mount-readonly
       DIR] [--mount-bind SOURCE DEST] [--chdir DIR] ROOTDIR PROGRAM ARGS...

DESCRIPTION

       linux-user-chroot is a tool meant for building software in a clean environment.  The user needs to create
       a  directory tree with the build dependencies needed, and only those, and then linux-user-chroot runs the
       actual build commands such that the commands only see the directory tree.  This is  useful  for  ensuring
       the build gets the right version of its build dependencies, for example.

       linux-user-chroot works similarly to chroot(8), but does not require the caller to have root  privileges.
       It  uses  Linux container features (namespaces and bind mounts) to restrict the chroot so that this is
       safe.  The command run inside the chroot is run as the calling user, not as root.

       linux-user-chroot  executes  a  command,  and  sets  the  root directory for the command to the directory
       specified by the user  (ROOTDIR).   Additionally,  it  creates  a  "nosuid"  bind  mount  over  the  root
       filesystem,  to prevent the build from gaining privileges using setuid binaries.  The command can further
       be restricted from accessing the network, and it can  be  set  up  with  new  process  ID  and  SysV  IPC
       namespaces.

OPTIONS

       --unshare-ipc
              Create a new SysV IPC namespace for the command.

       --unshare-pid
              Create  a  new  process ID (PID) namespace for the command.  This prevents the command from seeing
              any other processes in the system, except itself and the processes it itself creates.

       --unshare-net
              Create a new, empty networking stack.  This  prevents  the  command  from  using  any  networking,
              including loopback.

       --mount-proc DIR
              Mount the proc filesystem at DIR.

       --mount-readonly DIR
              Make DIR be read-only for the command.

       --mount-bind SOURCE DEST
              Add a bind mount while the command is executing.

       --chdir DIR
              After  setting  the new root directory for the command, change the current working directory to be
              DIR.

EXIT STATUS

       The exit status is the exit status of the executed command, or 1 if linux-user-chroot failed  to  execute
       the command.

EXAMPLE

       To build software in the real system, but without networking:

              linux-user-chroot --unshare-net --chdir "$(pwd)" / \
                  make clean all check

       Here ROOTDIR is /, the real root filesystem, so only the network is taken away from the build.
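       The following wrapper is an added example and is not part of this manual page or of the linux-user-chroot
       project.  It composes a stricter invocation from the options above: a dependency-only ROOTDIR, the host
       source tree bind-mounted read-write at /build inside the new root, /usr frozen read-only, proc mounted
       for the private PID namespace, and no network or SysV IPC shared with the host.  It assumes that the
       DIR/DEST arguments of --mount-bind, --mount-proc, --mount-readonly and --chdir are paths inside the new
       root, and that /build and /proc exist as empty directories in ROOTDIR.

```shell
#!/bin/sh
# Added example (not from the linux-user-chroot project): run one build step in
# a hermetic tree.  ROOTDIR holds only the build dependencies; the host source
# directory is bind-mounted read-write at /build inside the new root, /usr is
# made read-only, and the command gets no network and private PID/IPC
# namespaces.  The nosuid remount of ROOTDIR is done by linux-user-chroot itself.
# Assumption: DEST/DIR arguments are paths inside the new root, and /build and
# /proc exist as mount points in ROOTDIR.  DRY_RUN=1 prints the argv instead.
#
# usage: hermetic_build ROOTDIR SRCDIR PROGRAM [ARGS...]
hermetic_build() {
    rootdir=$1 srcdir=$2
    shift 2
    # Options first, then ROOTDIR PROGRAM ARGS..., exactly as in the SYNOPSIS.
    set -- --unshare-net --unshare-pid --unshare-ipc \
        --mount-proc /proc \
        --mount-bind "$srcdir" /build \
        --mount-readonly /usr \
        --chdir /build \
        "$rootdir" "$@"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    [ -d "$rootdir" ] || { echo "hermetic_build: no such ROOTDIR: $rootdir" >&2; return 1; }
    [ -d "$srcdir" ]  || { echo "hermetic_build: no such SRCDIR: $srcdir" >&2; return 1; }
    command -v linux-user-chroot >/dev/null 2>&1 \
        || { echo "hermetic_build: linux-user-chroot not installed" >&2; return 127; }
    # Exit status is that of the build command, or 1 if the chroot failed.
    linux-user-chroot "$@"
}

# Example invocation (a real run needs ROOTDIR populated with the toolchain):
#   hermetic_build /srv/buildroot "$PWD" make clean all check
```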

SEE ALSO

       chroot(8).

                                                                                            LINUX-USER-CHROOT(8)