Re: Different Debian for different users

To: debian-user@lists.debian.org
Subject: Re: Different Debian for different users
From: Max Nikulin <manikulin@gmail.com>
Date: Mon, 28 Apr 2025 22:28:43 +0700
Message-id: <[🔎] vuo6rd$ftp$1@ciao.gmane.io>
In-reply-to: <[🔎] jwva580z9wc.fsf-monnier+gmane.linux.debian.user@gnu.org>
References: <[🔎] jwv1ptf8znq.fsf-monnier+gmane.linux.debian.user@gnu.org> <[🔎] 20250426031502.GS29371@wooledge.org> <[🔎] jwva580z9wc.fsf-monnier+gmane.linux.debian.user@gnu.org>

On 28/04/2025 20:40, Stefan Monnier wrote:

That's the kind of solution I was hoping someone has developed enough to
iron out those major security issues (e.g. letting GDM do the chroot
before it changes its UID to that of the user).

See RootDirectory in systemd.exec(5). It can be set for specific usersthrough user@<UID>.service.d drop-ins. Perhaps it would be necessary tocreate a .desktop file in /usr/share/xsessions/, I have no idea whichway GDM spawns session executable (e.g. using systemd-run equivalent ornot). RootDirectory affects processes started by pam_systemd and otherparts of systemd user session.

Likely a container is better than simple chroot, but I have no idea ifthere is a simple way to start whole user session inside a container.

Reply to:

Follow-Ups:
- Re: Different Debian for different users
  - From: Stefan Monnier <monnier@iro.umontreal.ca>

References:
- Different Debian for different users
  - From: Stefan Monnier <monnier@iro.umontreal.ca>
- Re: Different Debian for different users
  - From: Greg Wooledge <greg@wooledge.org>
- Re: Different Debian for different users
  - From: Stefan Monnier <monnier@iro.umontreal.ca>

Prev by Date: Re: Not able to ping other pcs in LAN.
Next by Date: Re: Not able to ping other pcs in LAN.
Previous by thread: Re: Different Debian for different users
Next by thread: Re: Different Debian for different users
Index(es):
- Date
- Thread