From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6478179128234213376 X-Received: by 10.46.101.142 with SMTP id e14mr199021ljf.1.1508331167976; Wed, 18 Oct 2017 05:52:47 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 10.46.29.70 with SMTP id d67ls65787ljd.4.gmail; Wed, 18 Oct 2017 05:52:47 -0700 (PDT) X-Google-Smtp-Source: ABhQp+QLlM0vrhckCcAK4+ll7RlRXfjRX7q5W98qwUqdAxG6iMsnRg84DCSiC1XhZ8BmZDXfl42q X-Received: by 10.25.26.147 with SMTP id a141mr476267lfa.30.1508331167705; Wed, 18 Oct 2017 05:52:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1508331167; cv=none; d=google.com; s=arc-20160816; b=RmLPVFxUyX2db2DGq6D/+eIplyhOnrfSVEOHDJv4lj5FT9+RKyI+3mfSChjU5f74gn nCONdajOCs9Nj0GDRhG64zTZ0ZygZV0J4MsIPJV7CXtC/QiPUhGUeOZntSJgiTB9aX3M CH+1/THTOKsQ5nhLTaRvmqoKMjSrepf96Ged/JtRz5SZEP0A76WrZrrglviQ/JQ4SYn2 YF6a1cwBLIJ3KVO2NrZHwT39v8GyNXWsbDeKu375yRDPYL76omMSW+KDfr64kwPtRrVC rTkE7MK6Oe4KeUj3pZmGIww+pDCDFw+cjaun5xa1QPKZBvjIMIi+U37H8+jVjEZb/APG 0/Sg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:content-language:in-reply-to:mime-version :user-agent:date:message-id:from:references:to:subject :arc-authentication-results; bh=5B1or12KnoHBaWT1lnoGW7aPUKwHK+U1vJg2983qSlo=; b=w/AojJgOC2kqm5DeY3jCcPM4babTUimfvWAfgStOgiVaxcCtwYmDksfN4XMF09//Pa gXYb7Yb8bhysYb+Uai0SupRB1tQRfkpTNwRrz+KSY272atHFfr57KujF8GU5BIum4Cyf Yb8Tet8Bs2/9yr5qbOyER9T/egPX6nWpuh9SxGYNjIUFsFs3bznrHfV7Oy2ycVVGrsR7 nSmW3nPnDP7eT9NhTWYs3GLGCW3nOz7mvYl6oz67AeXfp7Rxs3gMnTWIHrxj326eKRuP ezlbnw0ZQI7RN8iKGOCvFKoQxgSF4CqFra2uclPA/OT6Vmkg0PUYXmpqjNlF65/cSNMK gJIA== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com Return-Path: Received: from david.siemens.de (david.siemens.de. [192.35.17.14]) by gmr-mx.google.com with ESMTPS id r73si429931lfr.4.2017.10.18.05.52.47 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Oct 2017 05:52:47 -0700 (PDT) Received-SPF: pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.14 as permitted sender) client-ip=192.35.17.14; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id v9ICqklq000507 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 18 Oct 2017 14:52:46 +0200 Received: from [139.25.68.223] (linux-ses-ext02.ppmd.siemens.net [139.25.68.223]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id v9ICqkgu028707; Wed, 18 Oct 2017 14:52:46 +0200 Subject: Re: Isar fork To: Ben Brenson , isar-users References: <8fe13268-9bfa-4b24-897a-133c9530c188@googlegroups.com> <3ad4ed89-de76-9a07-c2f5-3abea0583f68@siemens.com> <0eeda167-efa1-4eaf-ade5-8d43d09f2c8a@googlegroups.com> From: Claudius Heine Message-ID: <6b3eb259-b278-3b9d-c375-cca6cc0359a3@siemens.com> Date: Wed, 18 Oct 2017 14:52:46 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <0eeda167-efa1-4eaf-ade5-8d43d09f2c8a@googlegroups.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-TUID: QmisLPoIh0HE Hi, On 10/18/2017 02:11 PM, 'Ben Brenson' via isar-users wrote: > Hi Claudius, > > I see that you are using schroot. How is your progress on 'sudo' removal? >> > > schroot itself, doesn't solve the 'sudo' problem, but it's very useful for > running common tasks when setting up a chroot, like mounting filesystems, > setting up binfmt etc. > So basically it extends the chroot command itself. I don't now much about schroot, just assumed some stuff when quickly investigating it. From the manpage: A chroot may be used directly as root by running chroot(8), but normal users are not able to use this command. schroot allows access to chroots for normal users using the same mechanism, but with several additional features. From that I assumed that it takes care about normal users getting root users inside the new root path. > > I haven't heard of schroot before, but from what I gather it needs a >> privileged service to run in the background. >> > > I've never heard about or noticed that schroot needs a privileged service > running in the background. Maybe I have to check this. I am not sure about it, but when I installed it, this popped up: Setting up schroot (1.6.10-4) ... Created symlink /etc/systemd/system/multi-user.target.wants/schroot.service → /lib/systemd/system/schroot.service. So I assumed is uses this service for privileged stuff. > The main cause for introducing the schroot feature, was to have a already > implemented framework, when setting up chroots (mostly related to setting > up mounts). > Since a lot of chroot tasks running in parallel, if searched for a reliable > chroot extension. I only had some experience using proot which uses the ptrace syscall to put itself between the running application and the kernel. While its a pretty nice an isolated solutions, it also has some downsides to it. > > What are your experience with it? Could it be used for all parts that >> currently require root privileges? Have you tried it inside a docker >> container? >> > > That is what I think the docker container is for solving the 'sudo' problem. > Running schroot inside a docker container is now problems and behaves > exactly the same, like running it without schroot. Root privileges inside a Docker container are sadly not a good enough security mechanism, because you would have to grant the container the sys_admin capabilities for loop mount and now its able to potentially overwrite disk content or access the complete host memory. And since you might use layers from not completely trusted developers it should be made reasonable secure. Cheers, Claudius -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de