linux-user-chroot(8) - Linux man page
Name
linux-user-chroot - safely allow normal users to chrootSynopsis
linux-user-chroot [--unshare-ipc] [--unshare-pid] [--unshare-net] [--mount-proc DIR] [--mount-readonly DIR] [--mount-bind SOURCE DEST] [--chdir DIR] ROOTDIR PROGRAM ARGS...Description
linux-user-chroot works similary to chroot(8), but does not require the caller to have root privileges. It uses Linux containers to restrict the chroot to make this safe. The command run inside the chroot is run as the calling user, not as root.
linux-user-chroot executes a command, and sets the root directory for the command to the directory specified by the user (ROOTDIR). Additionally, it creates a "nosuid" bind mount over the root filesystem, to prevent the build from gaining privileges using setuid binaries. The command can further be restricted from accessing the network, and it can be set up with new process ID and SysV IPC namespaces.
Options
- --unshare-ipc
- Create a new SysV IPC namespace for the command.
- --unshare-pid
- Create a new process ID (PID) namespace for the command. This prevents the command from seeing any other processes in the system, except itself and the processes it itself creates.
- --unshare-net
- Create a new, empty networking stack. This prevents the command from using any networking, including loopback.
- --mount-proc DIR
- Mount the proc filesystem at DIR.
- --mount-readonly DIR
- Make DIR be read-only for the command.
- --mount-bind SOURCE DEST
- Add a bind mount while the command is executing.
- --chdir DIR
- After setting the new root directory for the command, change the current working directory to be DIR.