[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: staying in stable but compiling for sid

Hi,

Romain Beauxis <toots@rastageeks.org> wrote:

> Well, if it's only meant for using the application in your current X server,
> you simply have to bind mount the /tmp directory in the chroot:
> mount -t none -o bind /tmp /path/to/chroot/tmp
>
> I think it's enough to get the chroot to use the X server with UNIX sockets..
>
> Of course if you don't have the same users in the chroot, you may also
> xhost +
> to allow other users.. 
> Et voila !

Even with the same user, it's not enough. You need to import the
MIT-MAGIC-COOKIES in the chroot if you want to avoid the 'xhost +'
security hole.

The advantage of this solution is that it's probably faster than TCP
connections to localhost. The main disadvantage is that /tmp isn't
anymore isolated in the chroot. Programs in the chroot are fiddling with
your normal /tmp. To avoid that, it's problably enough to mount --bind
only /tmp/.X11-unix, instead of the whole /tmp. I didn't try it, though.

-- 
Florent
Reply to: