[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces
Glauber Costa
glommer at parallels.com
Fri Feb 22 17:09:43 UTC 2013
On 02/22/2013 08:34 PM, Eric W. Biederman wrote:
> Glauber Costa <glommer at parallels.com> writes:
>
>> On 01/22/2013 01:11 PM, Eric W. Biederman wrote:
>>>
>>> The kernel support for user namespaces allows ordinary users to use
>>> multiple uids and gids if they can get a trusted program to tell the
>>> kernel the set of subordinate uids and gids they are allowed to use.
>>>
>>> This is my work to make that trusted program.
>>> Two new files are added, /etc/subuid and /etc/subgid, that specify
>>> ranges of uids and gids that users may use.
>>>
>>> useradd and newusers are modified to add users to those files.
>>>
>>> userdel is modified to remove users from those files.
>>>
>>> usermod is modified to give manual control of what goes in those files.
>>>
>>> newuidmap and newgidmap read the new files and update
>>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>>> as requested by their command line parameters and as allowed
>>> by the /etc/subuid and /etc/subgid.
>>>
>>> The following patches are against the current development trunk
>>> of pkg-shadow svn rev 3745. With minor tweaking of man/Makefile.am
>>> these patches also apply to shadow 4.1.5.
>>>
>>> Eric W. Biederman (11):
>>> Documentation for /etc/subuid and /etc/subgid
>>> login.defs.5: Document the new variables in login.defs
>>> Implement commonio_append.
>>> Add backend support for subordinate uids and gids
>>> Implement find_new_sub_uids find_new_sub_gids
>>> userdel: Add support for removing subordinate user and group ids.
>>> useradd: Add support for subordinate user identifiers
>>> Add support for detecting busy subordinate user ids
>>> usermod: Add support for subordinate uids and gids.
>>> newusers: Add support for assigning subordinate uids and gids.
>>> newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>>
>> Hi,
>>
>> Is there any intention to merge this (or any later version thereof) ?
>> I intend to start excluding uid ranges for containers usage in OpenVZ,
>> and support for that in tooling would come in handy.
>
> I don't know what the state of the main pkg-shadow package is. I haven't
> heard anything, and the repository seems to have been dormant since the
> last release almost a year ago.
>
> However the last I heard Serge was working on getting these changes into
> Ubuntu.
>
> So the intention is to get this code merged but I don't know what more
> needs to be done at this point.
>
I understand; this was more a question for the package maintainers.
It would be interesting for us to have those changes more widely
available than just @Ubuntu.
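The cover letter quoted above describes the trust model behind the patch set: /etc/subuid and /etc/subgid hold `owner:start:count` ranges, and the setuid helpers newuidmap/newgidmap only write a requested mapping into /proc/[pid]/uid_map or gid_map if every range lies inside what those files delegate to the caller. The following is an added illustration of those checks written for this thread; it is not code from the patches or from the shadow project. It parses the file format, flags delegated ranges that overlap between users (a misconfiguration that would let two users share ids), and validates a mapping request made of (inside, outside, count) triples. The `own_id` parameter, which lets the caller map their own uid as a one-id range, is an assumption about helper behaviour rather than something the cover letter states.

```python
# Added illustration: parse /etc/subuid-style ranges and check a uid_map
# request against them. Constructed for this thread, not shadow's own code.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SubIdRange:
    """One line of /etc/subuid or /etc/subgid: owner:start:count."""
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:
        """First id past the range (exclusive bound)."""
        return self.start + self.count


def parse_subid(text: str) -> List[SubIdRange]:
    """Parse the owner:start:count format; blank lines and '#' comments are skipped."""
    ranges: List[SubIdRange] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected owner:start:count, got {raw!r}")
        owner, start, count = parts
        start_i, count_i = int(start), int(count)
        if start_i < 0 or count_i <= 0:
            raise ValueError(f"line {lineno}: start must be >= 0 and count > 0")
        ranges.append(SubIdRange(owner, start_i, count_i))
    return ranges


def find_overlaps(ranges: List[SubIdRange]) -> List[Tuple[str, str]]:
    """Return owner pairs whose delegated ranges intersect. Two users sharing
    subordinate ids is a misconfiguration: files owned by one could be
    accessed by the other from inside a user namespace."""
    hits = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.start < b.end and b.start < a.end:
                hits.append((a.owner, b.owner))
    return hits


def check_map(owner: str, mapping: List[Tuple[int, int, int]],
              ranges: List[SubIdRange], own_id: Optional[int] = None) -> Tuple[bool, str]:
    """Validate a uid_map/gid_map request of (inside, outside, count) triples the
    way the cover letter describes newuidmap: every 'outside' range must lie
    inside a range delegated to `owner`, and entries must not overlap.
    own_id is an ASSUMPTION: if given, the caller's own id is allowed as a
    one-id range in addition to the delegated ones."""
    allowed = [r for r in ranges if r.owner == owner]
    if own_id is not None:
        allowed.append(SubIdRange(owner, own_id, 1))
    for i, (inside, outside, count) in enumerate(mapping):
        if count <= 0 or inside < 0 or outside < 0:
            return False, f"entry {i}: ids must be >= 0 and count > 0"
        if not any(r.start <= outside and outside + count <= r.end for r in allowed):
            return False, (f"entry {i}: outside ids {outside}..{outside + count - 1} "
                           f"are not delegated to {owner}")
        for j, (ins2, out2, cnt2) in enumerate(mapping[:i]):
            if inside < ins2 + cnt2 and ins2 < inside + count:
                return False, f"entries {j} and {i}: overlapping inside ids"
            if outside < out2 + cnt2 and out2 < outside + count:
                return False, f"entries {j} and {i}: overlapping outside ids"
    return True, "ok"


# Constructed sample file contents (not taken from any real system).
SUBUID_EXAMPLE = """\
# owner:start:count
alice:100000:65536
bob:165536:65536
"""

if __name__ == "__main__":
    ranges = parse_subid(SUBUID_EXAMPLE)
    print("overlaps:", find_overlaps(ranges))
    # alice maps her whole delegated range onto container ids 0..65535
    print(check_map("alice", [(0, 100000, 65536)], ranges))
    # alice asks for one of bob's ids: refused
    print(check_map("alice", [(0, 165536, 1)], ranges))
```

The refusal path is the security-relevant one: because the helper is setuid root, it is the only thing standing between an unprivileged user and writing arbitrary ids into uid_map, so the range containment and overlap checks must reject anything outside the caller's delegated ranges, and an administrator auditing /etc/subuid should confirm that no two users' ranges intersect.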