cancer: case study on web2.0

Chromium run from a Devuan installation.

Installation steps

  1. debootstrap in /opt/cancer/web2.0
  2. chroot to /opt/cancer/web2.0 exit from chroot
  3. copy /etc/passwd, /etc/group, /etc/shadow to /opt/cancer/web2.0 so the UIDs and GIDs have the same meaning within the "chroot"
  4. create config file /etc/cancer/web2 as root:
    -e debian_chroot web20
    -m /opt/cancer/web2.0/usr /usr
    -m /opt/cancer/web2.0/bin /bin
    -m /opt/cancer/web2.0/sbin /sbin
    -m /opt/cancer/web2.0/lib /lib
    -m /opt/cancer/web2.0/lib64 /lib64
    --
    /usr/bin/chromium
    
  5. as a plain user on the host system: /usr/sbin/cancer web2 --incognito

Remarks and explanation

Make sure the user running the final command has permissions to access the audio and video devices; on some systems this requires adding the user to specific groups.

After the above installation works, write a wrapper shell script, e.g. /usr/local/bin/chromium:

#!/bin/sh
exec /usr/sbin/cancer web2 "$@"

Chromium will open in the host system's X; with such a wrapper script, the whole process feels local, as if chromium were installed on the host system.

This is especially so because /etc, /home and /tmp are shared with the host. If the difference between the host and the "chroot" is large, the host's /etc will become incompatible, and /etc needs to be mounted too so that chromium uses the /etc installed in the "chroot". This can be done by adding this line in /etc/cancer/web2:

-m /opt/cancer/web2.0/etc /etc

This config hardwires running chromium; the user will not be able to use cancer's suid rights to run anything else from that environment. Alternatively:

The line "-e debian_chroot web20" is useful in case the config lets the user have a shell instead of running chromium.
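
Because cancer runs with suid rights and takes both its mounts and its command from /etc/cancer/web2, that file and the trees it mounts should not be writable by anyone but their owner. The script below is an added example, not part of cancer or of the original page; it assumes the config format is exactly what is shown above ("-e NAME VALUE", "-m SRC DST", "--", then the command), and the function names loose, audit_cancer_config and make_sample are made up here.

```shell
#!/bin/sh
# Added example, not part of cancer. Assumes the config format shown on this
# page: "-e NAME VALUE", "-m SRC DST", a "--" line, then the hardwired command.

# True if the path (symlinks followed) is writable by group or others.
loose() {
    mode=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in ?????w*|????????w*) return 0 ;; esac
    return 1
}

# Prints findings; returns 0 only if nothing was flagged.
audit_cancer_config() {
    cfg=$1; bad=0; seen_sep=0; cmd=
    [ -f "$cfg" ] || { echo "FAIL: $cfg: no such file"; return 2; }
    if loose "$cfg"; then echo "FAIL: $cfg is writable by group/others"; bad=1; fi
    while read -r opt a b || [ -n "$opt" ]; do
        if [ "$seen_sep" = 1 ]; then
            # First non-empty line after "--" is taken as the hardwired command.
            if [ -n "$opt" ] && [ -z "$cmd" ]; then cmd=$opt; fi
            continue
        fi
        case "$opt" in
            --) seen_sep=1 ;;
            -m)
                if [ ! -d "$a" ]; then
                    echo "FAIL: mount source $a is not a directory"; bad=1
                elif loose "$a"; then
                    echo "FAIL: mount source $a is writable by group/others"; bad=1
                fi
                case "$b" in /*) ;; *) echo "FAIL: mount target '$b' is not absolute"; bad=1 ;; esac ;;
        esac
    done < "$cfg"
    case "$cmd" in
        /*) echo "command: $cmd" ;;
        *)  echo "FAIL: no absolute command path after --"; bad=1 ;;
    esac
    return "$bad"
}

# Constructed sample: a scratch tree plus a config like the one on this page.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/usr" && chmod 755 "$d/usr" || return 1
    printf '%s\n' '-e debian_chroot web20' "-m $d/usr /usr" '--' '/usr/bin/chromium' > "$d/web2"
    chmod 644 "$d/web2" && echo "$d/web2"
}

# Usage: sh audit.sh /etc/cancer/web2   (no argument: audit the constructed sample)
if [ "$#" -gt 0 ]; then audit_cancer_config "$1"; else audit_cancer_config "$(make_sample)"; fi
```

The check looks only at the mode of the config file and of the top directory of each mounted tree; it does not verify ownership or walk the trees.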