2

I read several articles that say one should avoid running processes as root in a chroot environment since it allows the process to escape.

But how should I do that? Chroot can only be invoked by root, so it is impossible to run a process in a chroot environment without root privileges, isn't it?

M0M0
  • 131

1 Answer

3

Although you need to invoke chroot as root, the chroot option --userspec=USER:GROUP will run the command under the non-root UID/GID.

A more recent way to chroot without root permissions is with the unshare command provided by mount namespaces.

For more information, see the post
How to run a command in a chroot jail not as root and without sudo?

harrymc
  • 498,455
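
The two approaches from the answer combined in one wrapper, as an added example that is not part of the original answer. The function name `run_jailed`, its return codes and the sample jail path and IDs in the comments are assumptions; `--userspec`, `--user` and `--map-root-user` are existing options of chroot (coreutils) and unshare (util-linux).

```shell
#!/bin/sh
# run_jailed JAIL UID:GID CMD [ARGS...]
#   JAIL     directory that becomes the new root (must already contain CMD)
#   UID:GID  identity for CMD when the caller is root; numeric IDs avoid
#            depending on passwd/group lookups
# Returns: 2 = jail directory missing, 3 = UID 0 requested inside the jail,
#          4 = caller is not root and unshare is unavailable,
#          otherwise the exit status of chroot/unshare/CMD.
run_jailed() {
    jail=$1
    spec=$2
    shift 2

    [ -d "$jail" ] || { echo "run_jailed: no such directory: $jail" >&2; return 2; }

    # Refuse the configuration the question warns about: root inside the jail.
    case ${spec%%:*} in
        0|root|'') echo "run_jailed: refusing UID 0 inside the jail" >&2; return 3 ;;
    esac

    if [ "$(id -u)" -eq 0 ]; then
        # Caller is root: chroot is permitted, and --userspec switches to the
        # non-root UID/GID before CMD starts.
        chroot --userspec="$spec" "$jail" "$@"
    elif command -v unshare >/dev/null 2>&1; then
        # Caller is unprivileged: a new user namespace maps the caller to
        # UID 0 inside that namespace only, which is enough to call chroot.
        # UID:GID is not applied here; CMD runs with the caller's own identity
        # as far as the host is concerned.
        unshare --user --map-root-user chroot "$jail" "$@"
    else
        echo "run_jailed: not root and unshare not found" >&2
        return 4
    fi
}

# Example call (constructed path and IDs):
#   run_jailed /srv/jail 65534:65534 /bin/sh -c 'id -u'
```

In the unshare branch the command reports UID 0, but that UID exists only inside the new user namespace and maps back to the unprivileged caller on the host. Some distributions disable unprivileged user namespaces, in which case unshare fails and only the root branch is usable.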