• Different Debian for different users

    From Stefan Monnier@21:1/5 to All on Sat Apr 26 04:00:01 2025
    The recent discussion around Xpra reminded me of something much more
    limited that I've often wanted:

    Is there some way to setup a machine such that one user can login into it
    and see a Debian stable system, while another user can log into it (in
    another vty) and get, say, a Debian sid system?

    I don't really want different VMs. I'm thinking more of a setup based
    on containers or even just chroot.


    Stefan

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Wooledge@21:1/5 to Stefan Monnier on Sat Apr 26 05:20:01 2025
    On Fri, Apr 25, 2025 at 21:51:47 -0400, Stefan Monnier wrote:
    Is there some way to setup a machine such that one user can login into it
    and see a Debian stable system, while another user can log into it (in another vty) and get, say, a Debian sid system?

    I don't really want different VMs. I'm thinking more of a setup based
    on containers or even just chroot.

    The first way that I can think of is extremely hack-ish.

    Install stable normally, then install sid in a chroot using debootstrap.
    Add the desired user accounts to the sid system.

    Next, write a little C program that executes a command like

    chroot /sid /bin/su - getenv("LOGNAME")

    Compile it, and then install it somewhere with root ownership and the
    setuid bit enabled. **THIS WILL RENDER YOUR SYSTEM COMPLETELY INSECURE**.
    So don't put anything important on either part of this system.

    Finally, set the target user's shell (in the stable system) to the setuid program. Then, when they login, the setuid program will perform the
    chroot, dropping privileges and launching a PAM session as the target
    user inside the chroot.

    If there's some way to do a chroot equivalent as a regular user, without needing the setuid bit, then do that instead.

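    The wrapper described in the post above, sketched as an added example (not Greg's code and not part of the thread). It takes the account from the real UID rather than from LOGNAME, which the invoking user controls, and starts the shell with a fresh environment. Assumptions: UIDs match in both systems, /bin/bash exists under /sid, and the shell is launched directly, so no PAM session is opened as su would do.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NEW_ROOT "/sid"       /* chroot path from the post */
#define SHELL    "/bin/bash"  /* assumption: present inside NEW_ROOT */

/* Conservative account-name check: bounded, no leading '-', no '/' or spaces. */
int name_is_safe(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32 || s[0] == '-')
        return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyz0123456789_-") == n;
}

/* Identify the caller from the real UID, which the invoker of a setuid
 * program cannot change; LOGNAME and the rest of the environment are ignored. */
int resolve_invoker(char *name, size_t len, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || !name_is_safe(pw->pw_name) || strlen(pw->pw_name) >= len)
        return -1;
    strcpy(name, pw->pw_name);  /* copy out: pw points at static storage */
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

int main(void)
{
    char name[64], logname[80];
    uid_t uid; gid_t gid;
    if (resolve_invoker(name, sizeof name, &uid, &gid) != 0 || uid == 0)
        return 1;
    /* Groups come from the host's database, looked up before the chroot. */
    if (initgroups(name, gid) != 0 || setgid(gid) != 0)
        return 1;
    if (chroot(NEW_ROOT) != 0 || chdir("/") != 0)  /* still euid 0 here */
        return 1;
    /* Drop root for good; a later attempt to regain it must fail. */
    if (setuid(uid) != 0 || setuid(0) == 0)
        return 1;
    snprintf(logname, sizeof logname, "LOGNAME=%s", name);
    char *const envp[] = { logname, "PATH=/usr/local/bin:/usr/bin:/bin", NULL };
    execle(SHELL, "-bash", (char *)NULL, envp);    /* fresh environment only */
    return 1;
}
```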
  • From Stefan Monnier@21:1/5 to All on Sat Apr 26 06:20:01 2025
    How would you run both the Debian Stable and Debian Sid kernels at the same time without virtualization?

    I don't need the kernels to be different (in my experience, Debian
    stable works just fine with a Debian sid kernel, and the reverse is
    also true most of the time).


    Stefan

  • From Stefan Monnier@21:1/5 to All on Sat Apr 26 19:00:01 2025
    Is there some way to setup a machine such that one user can login into it
    and see a Debian stable system, while another user can log into it (in
    another vty) and get, say, a Debian sid system?
    I don't really want different VMs.
    Why don't you want to go down the VMs road?
    Just trying to understand your reasoning! :)

    Not necessarily opposed, but I'd like to keep the feeling that it's "one system" as much as possible, e.g. in terms of filesystems mounted, or
    when connecting a USB device, etc...

    The main issue is that some users want a system that doesn't change very
    often, while others want the latest updates of their tools.

    So ideally, users could choose which they get just like they can choose
    from the GDM login which DE they get.


    Stefan

  • From Andrew M.A. Cater@21:1/5 to Stefan Monnier on Sat Apr 26 19:00:01 2025
    On Sat, Apr 26, 2025 at 12:53:24PM -0400, Stefan Monnier wrote:
    Is there some way to setup a machine such that one user can login into it
    and see a Debian stable system, while another user can log into it (in
    another vty) and get, say, a Debian sid system?
    I don't really want different VMs.
    Why don't you want to go down the VMs road?
    Just trying to understand your reasoning! :)

    Not necessarily opposed, but I'd like to keep the feeling that it's "one system" as much as possible, e.g. in terms of filesystems mounted, or
    when connecting a USB device, etc...

    The main issue is that some users want a system that doesn't change very often, while others want the latest updates of their tools.


    If you've got enough space: an underlying Debian OS and then several VMs
    under KVM and virt-manager

    At login, each user gets their "own" VM grown to full screen
    - maybe that may be done by login scripts.

    That's just my quick take on this. There may well be better systems
    rather than mixing stable and sid, for example.

    All the very best, as ever,

    Andy
    (amacater@debian.org)



    So ideally, users could choose which they get just like they can choose
    from the GDM login which DE they get.


    Stefan


  • From l0f4r0@tuta.io@21:1/5 to All on Sun Apr 27 18:30:01 2025
    Hi Stefan,

    26 Apr. 2025, 03:52, from monnier@iro.umontreal.ca:

    Is there some way to setup a machine such that one user can login into it
    and see a Debian stable system, while another user can log into it (in another vty) and get, say, a Debian sid system?

    When you say "while" you mean "at the same time"?

    Otherwise, maybe dual/multi-boot could be a solution?

    l0f4r0

  • From Stefan Monnier@21:1/5 to All on Mon Apr 28 15:50:01 2025
    The first way that I can think of is extremely hack-ish.

    Install stable normally, then install sid in a chroot using debootstrap.
    Add the desired user accounts to the sid system.

    Next, write a little C program that executes a command like

    chroot /sid /bin/su - getenv("LOGNAME")

    Compile it, and then install it somewhere with root ownership and the
    setuid bit enabled. **THIS WILL RENDER YOUR SYSTEM COMPLETELY INSECURE**.
    So don't put anything important on either part of this system.

    🙂

    That's the kind of solution I was hoping someone has developed enough to
    iron out those major security issues (e.g. letting GDM do the chroot
    before it changes its UID to that of the user).

    Also, I have the impression that in the distant past (i.e. for TTY
    logins) there was a way to setup users such that they would be put into
    a chroot jail. It's probably my memory playing tricks on me, tho.


    Stefan

  • From Stefan Monnier@21:1/5 to All on Tue Apr 29 17:00:01 2025
    That's the kind of solution I was hoping someone has developed enough to
    iron out those major security issues (e.g. letting GDM do the chroot
    before it changes its UID to that of the user).
    See RootDirectory in systemd.exec(5). It can be set for specific users through user@<UID>.service.d drop-ins. Perhaps it would be necessary to create a .desktop file in /usr/share/xsessions/, I have no idea which way
    GDM spawns session executable (e.g. using systemd-run equivalent or
    not). RootDirectory affects processes started by pam_systemd and other parts of systemd user session.

    Looks promising, thanks.


    Stefan
