#675512 schroot: running an existing session as a user other than whom the session begun

Package: schroot
Source: schroot
Description: Execute commands in a chroot environment
Submitter: SZABO Zsolt
Date: 2013-12-20 10:51:14 UTC
Severity: wishlist

#675512#5
Date: 2012-06-01 17:57:31 UTC

On lenny I used to begin a chroot session at boot (as root) and then
the normal user would "attach" to this session to run the programs in the session:
user:$ schroot -r -c started_chroot_session -p

I used this method instead of "schroot -c chroot_session -p"; thus the symlinks
are created only once, even when attaching not only one user but 10 or more
at the same time.

However, this does not work on squeeze: I always get the message
"Access not authorized". A line is also written in the auth.log:
schroot: user -> user Unathorized

Possibly it is a PAM-related situation (feature or bug, I do not know);
however, I also do not know how to solve it or get back the original way of
operation.

TIA,
Zsolt

#675512#10
Date: 2012-06-01 18:48:30 UTC

This is due to a change in behaviour to make schroot more secure.
When you create a session, only the user creating the session is
granted access:

% schroot -V
schroot (Debian sbuild) 1.5.4 (29 May 2012)
...

(This is the current version in testing/unstable.  It's slightly
different to the squeeze version in that the example below uses
namespaces, but the permissions checking is the same.)

# schroot -b -n testg -c unstable-amd64-sbuild
testg

# schroot -r -c testg -d / -- ls
bin   build  etc   lib	  media  opt   root  sbin     srv  tmp	var
boot  dev    home  lib64  mnt	 proc  run   selinux  sys  usr

% schroot -i -c chroot:unstable-amd64-sbuild
  ─── Chroot ───
  Name                      sid-amd64-sbuild
  Users
  Groups                    root sbuild
  Root Users
  Root Groups               root sbuild
...
  Source Users
  Source Groups             root sbuild
  Source Root Users
  Source Root Groups        root sbuild


% schroot -i -c session:testg
  ─── Session ───
  Name                   testg
  Users
  Groups
  Root Users             root
  Root Groups
....

So you can see that in this case, because root created the session,
only root is in the root user list in the session; all the other
users and groups were removed.

This is secure, but it's also restrictive, as you've found.  I'd like
to allow the chroot owner to have some way to grant other users/groups
permission to use it.  We just need a sensible way to do this by e.g.
adding a command-line option to specify this.  We might be able to use
the new --option option for this.


Regards,
Roger
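
An added example, not part of the original thread and not schroot's own code: it parses the access lists from the two `schroot -i` listings quoted in the reply and shows which entries the session lost compared with the chroot definition. The rule in `may_use` is a simplified assumption (schroot's real decision also goes through PAM), and the account `user` with membership of `sbuild` is hypothetical.

```python
import re

# Constructed sample input: the ACL fields of the two `schroot -i` listings quoted above.
CHROOT_INFO = """\
  ─── Chroot ───
  Name                      sid-amd64-sbuild
  Users
  Groups                    root sbuild
  Root Users
  Root Groups               root sbuild
"""
SESSION_INFO = """\
  ─── Session ───
  Name                   testg
  Users
  Groups
  Root Users             root
  Root Groups
"""
ACL_FIELDS = ("Users", "Groups", "Root Users", "Root Groups")


def parse_acl(info_text):
    """Return {field: set(names)} for the four access lists in `schroot -i` output."""
    acl = {field: set() for field in ACL_FIELDS}
    for line in info_text.splitlines():
        # Keys may contain single spaces ("Root Users"); the value column
        # is separated from the key by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if parts[0] in acl and len(parts) == 2:
            acl[parts[0]] = set(parts[1].split())
    return acl


def may_use(acl, user, groups):
    """Simplified model (assumption): a match in any of the four lists grants access."""
    user_match = user in acl["Users"] | acl["Root Users"]
    group_match = bool(set(groups) & (acl["Groups"] | acl["Root Groups"]))
    return user_match or group_match


def removed_entries(chroot_acl, session_acl):
    """Entries listed on the chroot definition but absent from the session."""
    diff = {f: chroot_acl[f] - session_acl[f] for f in ACL_FIELDS}
    return {f: names for f, names in diff.items() if names}


if __name__ == "__main__":
    chroot, session = parse_acl(CHROOT_INFO), parse_acl(SESSION_INFO)
    print("removed at session creation:", removed_entries(chroot, session))
    for who, grps in (("root", ["root"]), ("user", ["user", "sbuild"])):
        print(who, "chroot:", may_use(chroot, who, grps), "session:", may_use(session, who, grps))
```

The same comparison can be run over live `schroot -i -c session:NAME` output to audit which sessions are narrower than the chroot they were created from.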