On Fri, Jun 01, 2012 at 07:57:31PM +0200, SZABO Zsolt wrote:
> On lenny I used to begin a chroot-session at boot (as root) and then
> the normal user "attach" to this session to run the programs in the session:
> user:$ schroot -r -c started_chroot_session -p
>
> I used this method instead of "schroot -c chroot_session -p", thus the symlinks
> are created only once even when attaching not only one user but 10 or more
> at the same time.
>
> However, this does not work on squeezy: I always get the message
> "Access not authorized". A line is also written in the auth.log:
> schroot: user -> user Unathorized
>
> Possibly it is a pam related situation (feature or bug, I do not know..),
> however, I do not know either how to solve or get back the original way of
> operation.
This is due to a change in behaviour to make schroot more secure.  When you
create a session, only the user creating the session is granted access:

% schroot -V
schroot (Debian sbuild) 1.5.4 (29 May 2012)
...

(This is the current version in testing/unstable.  It's slightly different
to the squeeze version in that the example below uses namespaces, but the
permissions checking is the same.)

# schroot -b -n testg -c unstable-amd64-sbuild
testg
# schroot -r -c testg -d / -- ls
bin   build  etc   lib    media  opt   root  sbin     srv  tmp  var
boot  dev    home  lib64  mnt    proc  run   selinux  sys  usr

% schroot -i -c chroot:unstable-amd64-sbuild
  ─── Chroot ───
  Name                   sid-amd64-sbuild
  Users
  Groups                 root sbuild
  Root Users
  Root Groups            root sbuild
  ...
  Source Users
  Source Groups          root sbuild
  Source Root Users
  Source Root Groups     root sbuild

% schroot -i -c session:testg
  ─── Session ───
  Name                   testg
  Users
  Groups
  Root Users             root
  Root Groups
  ....

So you can see that in this case, because root created the session, only
root is in the root user list in the session; all the other users and
groups were removed.  This is secure, but it's also restrictive, as you've
found.

I'd like to allow the chroot owner to have some way to grant other
users/groups permission to use it.  We just need a sensible way to do this
by e.g. adding a command-line option to specify this.  We might be able to
use the new --option option for this.

Regards,
  Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild           http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key               F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
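An added example, not part of this thread and not schroot's own code, of checking the session access lists Roger describes before a user tries `schroot -r`: it parses the Users/Groups/Root Users/Root Groups fields of `schroot -i -c session:NAME` output. The sample outputs are constructed, and the `check_session` wrapper assumes `schroot` and `id -Gn` are available on the host.

```shell
#!/bin/sh
# Added example, not code from the thread or from schroot: decide from the
# `schroot -i -c session:NAME` access lists whether a user may attach.
# Constructed sample, modelled on the reply: root created the session, so
# only root is left in "Root Users" and the other lists are empty.
SESSION_INFO='  ─── Session ───
  Name                   testg
  Users
  Groups
  Root Users             root
  Root Groups
'
# Constructed sample of a session whose owner granted a user and a group.
SHARED_INFO='  ─── Session ───
  Name                   shared
  Users                  bob
  Groups                 sbuild
  Root Users             root
  Root Groups
'

# field_values INFO KEY: print the space-separated values on the KEY line.
# Requiring KEY to be followed by a space or end of line stops "Users" from
# matching the "Root Users" or "Source Users" lines.
field_values() {
    printf '%s\n' "$1" | awk -v key="$2" '
        index($0, "  " key) == 1 && substr($0, length(key) + 3, 1) ~ /^ ?$/ {
            sub("^  " key " *", "")
            print
        }'
}

# session_allows USER "GROUP ..." INFO: succeed when USER is listed under
# Users or Root Users, or one of USER's groups under Groups or Root Groups.
session_allows() {
    user=$1; user_groups=$2; info=$3
    for u in $(field_values "$info" Users) $(field_values "$info" "Root Users"); do
        [ "$u" = "$user" ] && return 0
    done
    for g in $(field_values "$info" Groups) $(field_values "$info" "Root Groups"); do
        for mine in $user_groups; do
            [ "$g" = "$mine" ] && return 0
        done
    done
    return 1
}

# Live check (assumes schroot and `id -Gn` exist): check_session SESSION USER
check_session() {
    session_allows "$2" "$(id -Gn "$2")" "$(schroot -i -c "session:$1")"
}
```

A denial here corresponds to the "Access not authorized" message and the auth.log line in the original report, so the check can run before the attempt is logged.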