[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces

Serge E. Hallyn serge at hallyn.com
Tue Aug 6 14:54:03 UTC 2013


Quoting Serge Hallyn (serge at hallyn.com):
> ebiederm at xmission.com wrote:
> 
> >Christian PERRIER <bubulle at debian.org> writes:
> >
> >> Quoting Eric W. Biederman (ebiederm at xmission.com):
> >>> 
> >>> The kernel support for user namespaces allows ordinary users to use
> >>> multiple uids and gids if they can get a trusted program to tell the
> >>> kernel the set of subordinate uids and gids they are allowed to use.
> >>> 
> >>> This is my work to make that trusted program.
> >>> Two new files are added /etc/subuid /etc/subgid that specify
> >>> ranges of uids and gids that users may use.
> >>> 
> >>> useradd and newusers are modified to add users to those files.
> >>> 
> >>> userdel is modified to remove users from those files.
> >>> 
> >>> usermod is modified to give manual control of what goes in those
> >>> files.
> >>> 
> >>> newuidmap and newgidmap read the new files and update
> >>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
> >>> as requested by their command line parameters and as allowed
> >>> by the /etc/subuid and /etc/subgid.
> >>> 
> >>> The following patches are against the current development trunk
> >>> of pkg-shadow svn rev 3745.  With minor tweaking of man/Makefile.am
> >>> these patches also apply to shadow 4.1.5.
> >>> 
> >>> Eric W. Biederman (11):
> >>>       Documentation for /etc/subuid and /etc/subgid
> >>>       login.defs.5: Document the new variables in login.defs
> >>>       Implement commonio_append.
> >>>       Add backend support for subordinate uids and gids
> >>>       Implement find_new_sub_uids find_new_sub_gids
> >>>       userdel: Add support for removing subordinate user and group
> >>>       ids.
> >>>       useradd: Add support for subordinate user identifiers
> >>>       Add support for detecting busy subordinate user ids
> >>>       usermod: Add support for subordinate uids and gids.
> >>>       newusers: Add support for assigning subordinate uids and gids.
> >>>       newuidmap,newgidmap: New suid helpers for using subordinate
> >>>       uids and gids
> >>> ---
> >>
> >> OK, now we're ready for this.
> >>
> >> Eric, I have no skills to decide whether your patches can be included
> >> or not. My proposal is to go ahead and include them in the upcoming
> >> 4.2 release, that will be compiled and uploaded in Debian as soon as
> >> released, so that it gets extensive testing.
> >>
> >> We now have an "upstream" git repository at
> >>
> >>
> >> http://github.com/shadow-maint/shadow.git
> >>
> >> Would you mind pushing your set of patches there?
> >>
> >> That requires an account on github and include you in the project
> >> members (Serge Hallyn can do that).
> >>
> >> I would prefer this over committing/pushing myself.
> >>
> >> I really apologize for the too long delay working on this. We now
> >> need to revive shadow's development.
> >
> >Understood.
> >
> >At this point Serge has taken over stewardship of those patches and has
> >a version with all of the known bug fixes applied that has been
> >reviewed and included in Ubuntu.  So I expect the most responsible way
> >is to just pull the branch with those changes that is in Ubuntu.
> >
> >Serge does that sound right?
> >
> >Eric
> 
> Sorry, I think I just sent a private reply.  To repeat, I can do this when I'm back at a kbd, maybe Friday, definitely Monday.

I rebased and pushed the patchset yesterday.

thanks,
-serge
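
The quoted cover letter describes newuidmap and newgidmap as reading /etc/subuid and /etc/subgid and writing /proc/[pid]/uid_map only "as allowed by" those files. As an added example that is not code from the pkg-shadow patches, here is the core of that allowance check in C: parse the `owner:start:count` lines and accept a requested host-uid range only when it lies wholly inside a single range granted to the calling user, rejecting malformed entries and wrap-around so bad data can never grant ids. The table contents and the function names are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct subid_range { char owner[32]; uint32_t start; uint32_t count; };

/* Constructed stand-in for /etc/subuid: one "owner:start:count" per line. */
static const char *const sample_subuid =
    "alice:100000:65536\n" "bob:165536:65536\n" "alice:300000:1000\n";

/* Decimal uint32 field that must end at `stop` (':' or end of line); rejects
 * signs, spaces and values above UINT32_MAX, which strtoul alone lets through. */
static bool parse_u32(const char *p, char stop, uint32_t *out, const char **next)
{
    char *end;
    if (!isdigit((unsigned char)*p)) return false;
    unsigned long v = strtoul(p, &end, 10);
    bool at_stop = *end == stop || (stop == '\0' && *end == '\n');
    if (v > UINT32_MAX || !at_stop) return false;
    *out = (uint32_t)v; *next = *end ? end + 1 : end;
    return true;
}

/* Parse one "owner:start:count" line. A malformed field, a zero count or a
 * range that wraps past UINT32_MAX rejects the whole line. */
bool parse_subid_line(const char *line, struct subid_range *r)
{
    const char *colon = strchr(line, ':'), *p;
    size_t len = colon ? (size_t)(colon - line) : 0;
    if (len == 0 || len >= sizeof r->owner || memchr(line, '\n', len)) return false;
    memcpy(r->owner, line, len); r->owner[len] = '\0';
    if (!parse_u32(colon + 1, ':', &r->start, &p)) return false;
    if (!parse_u32(p, '\0', &r->count, &p)) return false;
    return r->count != 0 && r->start <= UINT32_MAX - r->count;
}

/* The check a newuidmap-style helper needs before writing uid_map: is the
 * requested host range [host_start, host_start+count) wholly inside ONE range
 * granted to `user`?  Overflowing or empty requests are refused outright. */
bool subid_range_allowed(const char *subuid_text, const char *user,
                         uint32_t host_start, uint32_t count)
{
    if (count == 0 || host_start > UINT32_MAX - count) return false;
    for (const char *line = subuid_text; *line; ) {
        struct subid_range r;
        if (parse_subid_line(line, &r) && strcmp(r.owner, user) == 0 &&
            host_start >= r.start && host_start + count <= r.start + r.count)
            return true;
        const char *nl = strchr(line, '\n');
        if (!nl) return false;
        line = nl + 1;
    }
    return false;
}
```

A request spanning two adjacent ranges owned by the same user is rejected on purpose; granting it would require the caller to merge entries, which the file format does not promise.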
