[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces
Eric W. Biederman
ebiederm at xmission.com
Fri Feb 22 16:34:32 UTC 2013
Glauber Costa <glommer at parallels.com> writes:
> On 01/22/2013 01:11 PM, Eric W. Biederman wrote:
>>
>> The kernel support for user namespaces allows ordinary users to use
>> multiple uids and gids if they can get a trusted program to tell the
>> kernel the set of subordinate uids and gids they are allowed to use.
>>
>> This is my work to make that trusted program.
>> Two new files are added /etc/subuid /etc/subgid that specify
>> ranges of uids and gids that users may use.
>>
>> useradd, and newusers are modified to add users to those files.
>>
>> userdel is modified to remove users from those files.
>>
>> usermod is modified to give manual control of what goes in those files.
>>
>> newuidmap and newgidmap read the new files and update
>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>> as requested by their command line parameters and as allowed
>> by the /etc/subuid and /etc/subgid.
>>
>> The following patches are against the current development trunk
>> of pkg-shadow svn rev 3745. With minor tweaking of man/Makefile.am
>> these patches also apply to shadow 4.1.5.
>>
>> Eric W. Biederman (11):
>> Documentation for /etc/subuid and /etc/subgid
>> login.defs.5: Document the new variables in login.defs
>> Implement commonio_append.
>> Add backend support for subordinate uids and gids
>> Implement find_new_sub_uids find_new_sub_gids
>> userdel: Add support for removing subordinate user and group ids.
>> useradd: Add support for subordinate user identifiers
>> Add support for detecting busy subordinate user ids
>> usermod: Add support for subordinate uids and gids.
>> newusers: Add support for assigning subordinate uids and gids.
>> newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>
> Hi,
>
> Is there any intention to merge this (or any later version thereof) ?
> I intend to start excluding uid ranges for containers usage in OpenVZ,
> and support for that in tooling would come in handy.
I don't know what the state of the main pkg-shadow package is. I haven't
heard anything and the repository seems to have been dormant since the
last release almost a year ago.
However the last I heard Serge was working on getting these changes into
Ubuntu.
So the intention is to get this code merged but I don't know what more
needs to be done at this point.
Eric
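The policy the quoted patch series describes, that newuidmap and newgidmap only write /proc/[pid]/uid_map entries lying inside the ranges /etc/subuid grants to the calling user, as an added illustration that is not code from the shadow project or from this thread. The /etc/subuid content is constructed sample data; the `user:start:count` line format and the kernel's `inside outside count` uid_map format are assumed here.

```python
"""Check requested uid_map entries against /etc/subuid ranges.

Added illustration of the check a newuidmap-style helper must make:
every requested mapping (inside_uid, outside_uid, count) must fall
wholly within a subordinate range granted to the caller in /etc/subuid.
Sample data below is constructed; this is not the shadow project's code.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed /etc/subuid content: user:start:count, one range per line.
SAMPLE_SUBUID = """\
# comment lines and blank lines are ignored
alice:100000:65536
alice:300000:1000
bob:165536:65536
"""

UID_MAX = 2**32 - 1  # assumed kernel uid limit; (uid_t)-1 is reserved


@dataclass(frozen=True)
class SubRange:
    user: str
    start: int
    count: int

    @property
    def end(self) -> int:  # exclusive upper bound
        return self.start + self.count


def parse_subid(text: str) -> List[SubRange]:
    """Parse /etc/subuid-style text; reject malformed or absurd ranges."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:start:count")
        user, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0 or start + count > UID_MAX:
            raise ValueError(f"line {lineno}: invalid range")
        ranges.append(SubRange(user, start, count))
    return ranges


def mapping_allowed(user: str, mappings: List[Tuple[int, int, int]],
                    ranges: List[SubRange]) -> bool:
    """mappings are (inside, outside, count) triples as written to uid_map.
    Each outside range must sit entirely inside ONE of the user's ranges."""
    mine = [r for r in ranges if r.user == user]
    for inside, outside, count in mappings:
        if count <= 0 or inside < 0 or outside < 0 or inside + count > UID_MAX:
            return False
        if not any(r.start <= outside and outside + count <= r.end for r in mine):
            return False
    return True
```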