If the attacker can control newroot/etc/passwd they _still_ get getpwnam to return whatever userid they want. The solution is to not lookup --userspec=username:group inside the chrooted-space, but from outside.

Also, hi how's things? :)

hi! good, how are you doing?

great. still enjoying the algarve working on my secret projects in the sun.

you able to find a reason to come visit? or am i going to have to come to blighty so we can hang out?