On 5 May 2015 at 17:34, Eirik Schwenke <[email protected]> wrote:
> On 3 May 2015 06:07:51 CEST, Anders Ingemann <[email protected]> wrote: > >On 3 May 2015 at 04:43, Eirik Schwenke <[email protected]> > >wrote: > >>are any plans to make it more usable as a regular user? > >> > >I don't see how. Mounting loopback devices or any other devices for > >that > >matter, requires root privileges. > >Even if one were to just bootstrap to a directory, you'd still need to > >be > >able to change things in the chroot as uid 0, which you can only do as > >root. > >I am all ears regarding suggestions on how to circumvent that of > >course, > >but AFAIK this is not really possible. > > I should have been a little more clear: > > 1) Is there any interest in making bootstrap-vz more suitable to use as a > regular user? (Clearly yes, if possible) > > 2) As bootstrap-vz supports many different image/disk/archive-formats - > are things that require root (eg mounting of a loopback device, changing > permissions to uid 0 on a mounted filesystem) currently isolated/factored > out? > > I might prefer running as few codesections under sudo (even if python asks > for elevated privileges as needed) - rather than just everything as root. I > don't mind (much) trusting bootstrap-vz itself with root, but history shows > that zip etc probably shouldn't be trusted (if it can be helped). Also I'd > rather not grab things from the net as root if I don't have to. (Note to > self: apt probably does this? Or is there an "apt" user?). > > 3) While it is probably possible in principle to make eg: tgz-based images > with very few privileges - that does not mean it is easy (if we want to run > regular installers or something close to that) - maybe it'd be possible to > leverage fuse for some of this (accessing filesystems on a disk image)? > > Changing things to uid 0 in a tar archive obviously does not need root - > but a work around might require way too much code. I see the appeal in > building the fs in a similar manner for multiple targets. > > > But, writing all this, and thinking about. I think: > > a) For bootstrap-vz, possibly wrapping code that needs root in a call-out > to sudo (this should among other things make it easy to log what is done as > root ("sudo mount -o loop,uid=x ...") in syslog (in addition to any logging > by bootstrap-vz) should probably be enough. > > b) If one really wants to build disk-images as a "normal" user, qemu (w/a > pre-seeded installer) is probably the only sane choice :) > > Thanks for the replies, and sorry for the noise: I always get a bit > worried when people expect me to run a large code-base as root. And having > played with getting tls to work properly with python and smtp recently, I'm > not thrilled by letting that stack loose on my filesystem and the Internet > as root. > > > Best regards, > > Eirik Schwenke > > > -- > To UNSUBSCRIBE, email to [email protected] > with a subject of "unsubscribe". Trouble? Contact > [email protected] > Archive: > https://lists.debian.org/[email protected] > > Hello Is there any interest in making bootstrap-vz more suitable to use as a > regular user? (Clearly yes, if possible) > I am not quite sure I follow. bootstrap-vz is made for sysadmins who have some fair knowledge of how Debian works, could you explain what you mean by regular user? I might prefer running as few codesections under sudo > Funny you should say that. About 6 months ago I was thinking about the same thing, the best way to do this would be to launch bootstrap-vz as root, but immediately suid to some other user and the only go back when needed. I think using sudo directly might become a little messy and non-pythonic. Anders
