--- /dev/null
+#! /bin/sh -e
+###
+### Make build trees private to the invoking group
+###
+### (c) 2018 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This file is part of the distorted.org.uk chroot maintenance tools.
+###
+### distorted-chroot is free software: you can redistribute it and/or
+### modify it under the terms of the GNU General Public License as
+### published by the Free Software Foundation; either version 2 of the
+### License, or (at your option) any later version.
+###
+### distorted-chroot is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+### General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with distorted-chroot. If not, write to the Free Software
+### Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+### USA.
+
+### Make a build tree private to the invoking user. Also, make a `/private'
+### directory in the chroot which is exclusive to the creating user.
+
+## Make sure everything is good.
+case $1 in setup-start) ;; *) exit 0 ;; esac
+case $CHROOT_SESSION_PURGE in true) ;; *) exit 0 ;; esac
+case $CHROOT_PROFILE in sbuild | scratchbox) ;; *) exit 0 ;; esac
+case $CHROOT_TYPE in *-snapshot) ;; *) exit 0 ;; esac
+case $CHROOT_MOUNT_LOCATION in
+ "" | /) echo >&2 "$0: not clobbering root dir"; exit 127 ;;
+esac
+
+## Make the directory private to the invoking user's group. This is a
+## somewhat troublesome compromise between keeping the chroot tree private
+## from other system users on the one hand, and maintaining system security
+## on the other.
+##
+## This assumes that the device root directory's permissions are already
+## restricted to privileged users only.
+cd $CHROOT_MOUNT_LOCATION
+chown root:$AUTH_RGROUP .
+chmod 750 .
+
+## Make an actually-private place for temporary things to be stored.
+mkdir -p $CHROOT_PATH/private
+mount -ttmpfs -omode=700,uid=$AUTH_RUID,gid=$AUTH_RGID \
+ private $CHROOT_PATH/private