Mr. Junjiro Okajima,

Your script auroot, "A sample script to build a chroot-ed/jail environment for
Internet service", has inspired me to write the script bldchraufs. The script
builds a chroot environment based on AUFS. This environment opens a way to run
a desktop session like GNOME Desktop in a jail. In this jail I can play around
without damaging the installed GNOME Desktop.

The idea of having an environment that can execute the whole operating system
in a secure shell is very exciting. A secure environment gives an ordinary user
like me the ability to do things with the operating system he would never
do. This idea - not my script - is the reason why I wrote this letter. Perhaps
you could write something like the script bldchraufs and put it in your example
collection. I think it's worth showing the user this ability of AUFS. This
gives the Linux user a tool to freely investigate his system. For me it's
something like the live CD that Mr. Knopper gave the community. It's a further
step towards democratizing information technology.

The attached script bldchraufs is very simple and is more of a base to give
non-IT gurus hints on how to build the AUFS-based chroot environment. The
script is very extensively commented. The comments should give the user enough
information about how the script builds the environment and how he can use the
created environment. Another reason for the extensive commenting is my
forgetfulness. The comments help me to pick up the thread after some weeks.

I would be thankful if you could take a look at the script.

I have a question concerning the last lines of the script. In these lines the
mount command binds the devices /dev, /dev/pts and /dev/shm into the matching
directories of the union under /tmp/jail/. In this configuration the devices
aren't part of a branch. Is this an acceptable mount? Should I create a
read-only and a write branch for the above devices and mount the branches under
a union?

My next question concerns the bind option of the mount command. In your example
script auroot you use the bind option to create aliases for devices that you
put into the read-only branches. In addition to the bind option you use the
ro option as an argument in the calls of the mount command. According to the
manual page of mount, the bind option uses no further options. Do you use the
ro option as a kind of marker? According to the manual page the ro option has
no meaning, but in the output of the mount command, called without any
argument, the ro option is displayed. I ask because I copied a file into the
read-only branch - the bind of a system device like /usr - and got no error
message. The file was stored. At first glance I was a little bit puzzled, but I
think you can't change the access rights of a device during a bind mount. The
bind of a device is an alias - another name for the same thing. The properties
of a bound device are the same as the properties of the mounted device. Is this
right? In the chroot environment the kind of binding causes no problem, because
the system doesn't see the origin of the bind.

I would be glad if you have enough time to answer my questions.

Regards,
Robert Wotzlaw

Attachments:
1. Chroot build script bldchraufs
2. HAL init script hal.new

Attachment: email-attachment-01.tar.gz
Description: GNU Zip compressed data
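
The situation in the letter, a bind mount requested with ro that still accepted a write, can be checked from the mount table. This added example is not part of the letter or of the attached scripts; it lists mounts below a directory that lack the per-mount ro flag, and the /tmp/jail/ro branch path and the sample table are constructed assumptions.

```shell
#!/bin/sh
# Added example. Reads text in /proc/self/mountinfo format on stdin and prints
# every mount point at or below the directory $1 whose per-mount options
# (field 6) do not contain "ro", i.e. mounts that still accept writes.
# Fields: 1 id, 2 parent, 3 major:minor, 4 root inside the source filesystem,
# 5 mount point, 6 per-mount options, ... "-", fs type, source, super options.
writable_mounts() {
    awk -v dir="$1" '
        {
            mp = $5
            # Match the directory itself or paths below it, not /tmp/jail/root.
            if (mp != dir && index(mp, dir "/") != 1) next
            ro = 0
            n = split($6, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) print mp
        }'
}

# Constructed sample table; device names, ids and paths are made up.
# /tmp/jail/ro is an assumed location for the read-only branches.
sample_mountinfo() {
    cat <<'EOF'
36 25 8:1 /usr /tmp/jail/ro/usr rw,relatime - ext3 /dev/sda1 rw
37 25 8:1 /etc /tmp/jail/ro/etc ro,relatime - ext3 /dev/sda1 rw
38 25 0:17 / /tmp/jail/root rw,relatime - aufs none rw
39 38 0:5 / /tmp/jail/root/dev rw,relatime - devtmpfs udev rw
EOF
}

# Demo on the constructed table; on a live system use:
#   writable_mounts /tmp/jail/ro < /proc/self/mountinfo
sample_mountinfo | writable_mounts /tmp/jail/ro
```

An empty result for the read-only branch directory means every bind below it carries the ro flag in the kernel's own view of the mount.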
