start with chroot
wilber:~# ls --version
ls (coreutils) 5.2.1
Written by Richard Stallman and David MacKenzie.
Copyright (C) 2004 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
wilber:~# chroot /vservers/woody /bin/ls --version
ls (fileutils) 4.1
Written by Richard Stallman and David MacKenzie.
Copyright (C) 2001 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
wilber:~#
- close chroot(1m) POSIX loophole
wilber:~# /usr/lib/util-vserver/capchroot --help
Usage: capchroot --nochroot [--suid <user>] [--] <directory> <command> <args>*
Options:
    --nochroot     ... remove the CAP_SYS_CHROOT capability
                       after the chroot system call.
    --suid <user>  ... switch to a different user (in the vserver
                       context) before executing the command.
Please report bugs to enrico.scholz@informatik.tu-chemnitz.de
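
The sequence that the --nochroot option describes (chroot first, then give up CAP_SYS_CHROOT before the command runs), as an added example that is not util-vserver's own code. It assumes a current Linux kernel with PR_CAPBSET_DROP and the raw capget/capset system calls; the wrapper in main() and both function names are hypothetical.

```c
#define _GNU_SOURCE                         /* syscall(), chroot() */
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CHROOT_BIT (1u << CAP_SYS_CHROOT)   /* capability 18, in data[0] */

/* 1 if the caller's effective set holds CAP_SYS_CHROOT, 0 if not, -1 on error. */
int has_cap_sys_chroot(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -1;
    return (d[0].effective & CHROOT_BIT) != 0;
}

/* Clear CAP_SYS_CHROOT from effective/permitted/inheritable, then from the
 * bounding set so a later exec as root cannot bring it back. Returns 0 only
 * if both steps succeed; the bounding-set drop needs CAP_SETPCAP. */
int drop_cap_sys_chroot(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -1;
    d[0].effective   &= ~CHROOT_BIT;
    d[0].permitted   &= ~CHROOT_BIT;
    d[0].inheritable &= ~CHROOT_BIT;
    if (syscall(SYS_capset, &hdr, d) != 0)
        return -1;
    return prctl(PR_CAPBSET_DROP, CAP_SYS_CHROOT, 0, 0, 0);
}

/* Hypothetical wrapper: <directory> <command> [args...] */
int main(int argc, char **argv)
{
    if (argc < 3) return 2;
    if (chroot(argv[1]) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    if (drop_cap_sys_chroot() != 0 || has_cap_sys_chroot() != 0) {
        fprintf(stderr, "CAP_SYS_CHROOT still held, not executing\n");
        return 1;
    }
    execv(argv[2], &argv[2]);
    perror("execv");
    return 1;
}
```

The wrapper refuses to exec when either drop fails, so the command never starts with the capability still available.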