05-10-2010, 01:48 PM  #1
Senior Member
Registered: Dec 2007
Distribution: Mepis, Centos
Posts: 4,728

How to make a chroot non jail?
I want to know how to prepare (before issuing the chroot command) directory links out of a chroot environment.
I have done a bunch of reading, but not yet experimenting, about chroot.
I mostly understand its main purpose of creating an environment in which it is safer to run untrusted software. But I want to use it for some other things, involving trusted software.
I want to create a directory tree in which the various top level directories are links to various directories in the main directory tree. For example, when running on a Debian based 64 bit system (where /lib has 64 bit .so files) I might want to create a root in which /lib links to the directory containing 32 bit .so files (same as /lib32 normally links to).
IIUC, chroot blocks soft links from getting outside. So I could create a directory containing lib as the desired soft link, but if I did chroot to that directory, the link would no longer point where I wanted. Is that correct?
IIUC, I can't do a hard link to a directory. Is that correct?
How would you create a directory link that would point out of a chroot "jail"? (Yes I do understand that is contrary to the common purpose for a chroot).
From reading, again not yet experimenting, I think mounting an aufs might do it. It looks like aufs might be used to mount a directory into another directory. Is that correct? Am I missing some easier way to mount a directory into a directory? Would such an aufs mount link out of the chroot? Or suffer the same fate as a soft link?

05-11-2010, 07:20 AM  #2
Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,644

You cannot create links to outside a jail from within a jail. The whole point in chroot is that the user or process that is jailed sees the directory path you specified as if it is "/" (root). In UNIX/Linux there is nothing above root in the filesystem hierarchy so you can't link to anything above it from within the jail as there ISN'T anything above it from its perspective.
You can however make links FROM outside to within a jail. That is to say sometimes one has a process they want users to log in to but jail them so that no matter what they do they can't get outside the jail. This however does not prevent users already on the system (e.g. root) via conventional logins or processes from accessing the root.
So for example you might set up a path /root/jails/billybob and set up user, billybob, so that when he logs in he is using that in a chroot jail fashion and put files in it. So if you were to create /root/jails/billybob/bin then put in say the cp command there then as root user logged into the system you would see that file as /root/jails/billybob/bin/cp. When billybob logs in though he'll see it simply as /bin/cp. He won't know that he is in /root/jails/billybob at all.
As the root user you could make a directory in /root/jails/billybob called transfers then you could make a link called say /mysql/transferfiles to /root/jails/billybob/transfers with:
    ln -s /root/jails/billybob/transfers /mysql/transferfiles
You could then allow processes on the server to write to or read from /mysql/transferfiles and billybob on login to the jail would see those files as if they were in /transfers. Note that in this scenario /mysql/transferfiles is the symbolic link.
You can NOT however make the opposite work:
    ln -s /mysql/transferfiles /root/jails/billybob/transfers
That is because even though the chroot'ed user, billybob, will see the symbolic link as /transfers pointing to /mysql/transferfiles he won't see /mysql directory so the link won't be pointing to anything from his perspective.
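
Added example, not part of the original posts: a small resolver that walks a path the way a process chrooted to `root` would, so the two link directions described in post #2 can be checked without root privileges. It assumes a temporary directory standing in for the host's "/"; the function names and the `outbox` directory are hypothetical.

```python
import os
import tempfile

def resolve_in_root(root, path, max_links=40):
    """Host-side path that `path` reaches for a process chrooted to `root`, or None."""
    root = os.path.realpath(root)
    todo = [p for p in path.split("/") if p]    # components still to walk
    cur = []                                    # resolved components below root
    links = 0
    while todo:
        part = todo.pop(0)
        if part == ".":
            continue
        if part == "..":
            if cur:
                cur.pop()                       # ".." at the jail root stays at the jail root
            continue
        host = os.path.join(root, *cur, part)
        if os.path.islink(host):
            links += 1
            if links > max_links:               # symlink loop
                return None
            target = os.readlink(host)
            if target.startswith("/"):
                cur = []                        # absolute target restarts at the jail root
            todo = [p for p in target.split("/") if p] + todo
        elif os.path.lexists(host):
            cur.append(part)
        else:
            return None                         # nothing there from this root's view
    return os.path.join(root, *cur)

def build_demo():
    """Constructed sample tree: a temp dir plays the host's '/'."""
    host = os.path.realpath(tempfile.mkdtemp())
    jail = os.path.join(host, "root/jails/billybob")
    os.makedirs(os.path.join(jail, "transfers"))
    os.makedirs(os.path.join(host, "mysql/outbox"))
    # Outside -> inside: the host-side link points at a real directory in the jail.
    os.symlink("/root/jails/billybob/transfers", os.path.join(host, "mysql/transferfiles"))
    # Inside -> outside: the target is looked up under the jail root and is not there.
    os.symlink("/mysql/outbox", os.path.join(jail, "outbox"))
    return host, jail

if __name__ == "__main__":
    host, jail = build_demo()
    for root, path in ((host, "/mysql/transferfiles"), (jail, "/transfers"),
                       (host, "/root/jails/billybob/outbox"), (jail, "/outbox")):
        print(root == jail and "jail" or "host", path, "->", resolve_in_root(root, path))
```

Passing the host directory as `root` gives the view of an unjailed process, and passing the jail directory gives the jailed view of the same tree.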

05-11-2010, 07:39 AM  #3
Senior Member
Registered: Dec 2007
Distribution: Mepis, Centos
Posts: 4,728
Original Poster

Thank you for confirming my understanding that I can't do what I want using soft links.
Any comment on the important parts of my question? Other methods getting the desired effect? AUFS or other ways of mounting a directory into a directory (maybe NFS)?

05-11-2010, 08:41 AM  #4
Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,644

Haven't worked with aufs or unionfs it mentions but on a quick perusal of those pages it appears they might do what you want.
Once you created your filesystem with the directories you want you'd probably still want to chroot yourself to that. If the filesystem exists BEFORE the chroot then the user/process isn't "linking" but rather using something that is "local" within the filesystem. Since I haven't done this I can't be sure but it seems a reasonable supposition.
You might want to post a new thread specifically asking about aufs/unionfs to see if anyone that knows them can give better guidance.

All times are GMT -5.