[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces

Eric W. Biederman ebiederm at xmission.com
Fri Feb 22 16:34:32 UTC 2013


Glauber Costa <glommer at parallels.com> writes:

> On 01/22/2013 01:11 PM, Eric W. Biederman wrote:
>> 
>> The kernel support for user namespaces allows ordinary users to use
>> multiple uids and gids if they can get a trusted program to tell the
>> kernel the set of subordinate uids and gids they are allowed to use.
>> 
>> This is my work to make that trusted program.
>> Two new files are added /etc/subuid /etc/subgid that specify
>> ranges of uids and gids that users may uses.
>> 
>> useradd, and newusers are modifed to add users to those files.
>> 
>> userdel is modeifed to remove users from those files.
>> 
>> usermod is modified to give manual control of what goes in those files.
>> 
>> newuidmap and newgidmap read the new files and update
>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>> as requested by their command line parameters and as allowed
>> by the /etc/subuid and /etc/subgid.
>> 
>> The following patches are against the current developent trunk
>> of pkg-shadow svn rev 3745.  With minor tweaking of man/Makefile.am
>> these patches also apply to shadow 4.1.5.
>> 
>> Eric W. Biederman (11):
>>       Documentation for /etc/subuid and /etc/subgid
>>       login.defs.5: Document the new variables in login.defs
>>       Implement commonio_append.
>>       Add backend support for suboridnate uids and gids
>>       Implement find_new_sub_uids find_new_sub_gids
>>       userdel: Add support for removing subordinate user and group ids.
>>       useradd: Add support for subordinate user identifiers
>>       Add support for detecting busy subordinate user ids
>>       usermod: Add support for subordinate uids and gids.
>>       newusers: Add support for assiging subordinate uids and gids.
>>       newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>
> Hi,
>
> Is there any intention to merge this (or any later version thereof) ?
> I intend to start excluding uid ranges for containers usage in OpenVZ,
> and support for that in tooling would come in handy.

I don't know what the state of the main pkg-shadow package is.  I have
heard anything and the repository seems to have been dormant since the
last release almost a year ago.

However the last I heard Serge was working on getting these changes into
Ubuntu.

So the intention is to get this code merged but I don't know what more
needs to be done at this point.

Eric






More information about the Pkg-shadow-devel mailing list