man schroot (Commandes) - securely enter a chroot environment
NAME
schroot - securely enter a chroot environment
SYNOPSIS
schroot [OPTION]... [COMMAND]
DESCRIPTION
schroot allows the user to run a command or a login shell in a chroot environment. If no command is specified, a login shell will be started in the user's current working directory inside the chroot.
If the user is not a member of the allowed groups (or if changing to root, the allowed root groups) for the specified chroot(s), the user will be required to authenticate themselves (typically with a password, but this depends upon the PAM configuration). All chroot usage will be logged in the system logs.
If no chroot is specified, the chroot name or alias default will be used as a fallback. This is equivalent to [lq]--chroot=default[rq].
OPTIONS
schroot accepts the following options:
Basic options
- -h, --help
- Show help summary.
- -a, --all
- Select all chroots and active sessions. When a command has been specified, the command will be run in all chroots and active sessions. If --info has been used, display information about all chroots. This option does not make sense to use with a login shell (when no command has been specified). This option is equivalent to --all-chroots --all-sessions.
- --all-chroots
- Select all chroots. Identical to --all, but active sessions are not considered.
- --all-sessions
- Select all active sessions. Identical to --all, but chroots are not considered.
- -c, --chroot=chroot
- Specify a chroot to use. This option may be used multiple times to specify more than one chroot, in which case its effect is similar to --all.
- -u, --user=user
- Run as a different user. The default is to run as the current user. If required, the user may be required to authenticate themselves with a password.
- -l, --list
- List all available chroots.
- -i, --info
- Print detailed information about the specified chroots.
- --location
- Print location (path) of the specified chroots. Note that chroot types which can only be used within a session will not have a location until they are active.
- --config
- Print configuration of the specified chroots. This is useful for testing that the configuration in use is the same as the configuration file. Any comments in the original file will be missing.
- -p, --preserve-environment
- Preserve the user's environment inside the chroot environment. The default is to use a clean environment; this option copies the entire user environment and sets it in the session. The environment variables allowed are subject to certain restrictions; see the section [lq]Environment[rq], below.
- -q, --quiet
- Print only essential messages.
- -v, --verbose
- Print all messages.
- -V, --version
- Print version information.
Session options
- -b, --begin-session
- Begin a session. A unique session identifier (UUID) is returned on standard output. The UUID is required to use the other session options.
- --recover-session
- -e, --end-session=UUID
- End an existing session.
- -f, --force
- Force a session operation, even if it would otherwise fail. This may be used to forcibly end a session, even if it has active users. This does not guarantee that the session will be ended cleanly; filesystems may not be unmounted, for example.
EXAMPLES
CR]$ CB]schroot -l
CR]default
CR]etch
CR]sid
CR]testing
CR]unstable
CR]
CR]$ CB]schroot -i -c sid
CR]Name: sid
CR]Description: Debian unstable
CR]Location: /srv/chroot/sid
CR]Priority: 3
CR]Groups: sbuild
CR]Root Groups: root
CR]Aliases: unstable default
Use --all or -c multiple times to use all or multiple chroots, respectively.
CR]$ CB]schroot -c sid /bin/ls
CR][sid chroot] Running command: [lq]/bin/ls[rq]
CR]CVS sbuild-chroot.c sbuild-session.h schroot.conf.5
CR]Makefile sbuild-chroot.h schroot.1 schroot.conf.5.in
CR]Makefile.am sbuild-config.c schroot.1.in
CR]Makefile.in sbuild-config.h schroot.c
CR]pam sbuild-session.c schroot.conf
CR]$ CB]schroot -c sid -- ls -1 | head -n 5
CR][sid chroot] Running command: [lq]ls -1[rq]
CR]ABOUT-NLS
CR]AUTHORS
CR]COPYING
CR]ChangeLog
CR]INSTALL
Use -- to allow options beginning with [oq]-[cq] or [oq]--[cq] in the command to run in the chroot. This prevents them being interpreted as options for schroot itself. Note that the top line was echoed to standard error, and the remaining lines to standard output. This is intentional, so that program output from commands run in the chroot may be piped and redirected as required; the data will be the same as if the command was run directly on the host system.
CR]$ CB]schroot -c sid -u root
CR]Password:
CR][sid chroot] (rleigh[->]root) Running login shell: [lq]/bin/bash[rq]
CR]#
If the user [lq]rleigh[rq] was in root-groups in schroot.conf, they would be granted root access without authentication, but the PAM authorisation step is still applied.
BUGS
None known at this time.
ENVIRONMENT
By default, the environment is not preserved, and the following environment variables are defined: HOME, LOGNAME, PATH, SHELL, TERM (preserved if already defined), and USER.
The following, potentially dangerous, environment variables are always removed for safety: BASH_ENV, CDPATH, ENV, HOSTALIASES, IFS, KRB5_CONFIG, KRBCONFDIR, KRBTKFILE, KRB_CONF, LD_.*, LOCALDOMAIN, NLSPATH, PATH_LOCALE, RES_OPTIONS, TERMINFO, TERMINFO_DIRS, and TERMPATH.
FILES
- /etc/schroot/schroot.conf
- The system-wide chroot definition file. This file must be owned by the root user, and not be writable by other.
- /etc/schroot/setup.d
- /etc/schroot/exec.d
- The system-wide chroot setup and execution directories. See schroot-setup(5).
- /etc/pam.d/schroot
- PAM configuration.
AUTHORS
Roger Leigh.
COPYRIGHT
Copyright © 2005-2006 Roger Leigh <rleigh@debian.org>
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
SEE ALSO
dchroot(1), sbuild(1), chroot(2), schroot-setup(5), schroot.conf(5).