[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces
Glauber Costa
glommer at parallels.com
Mon Feb 25 14:38:43 UTC 2013
On 02/25/2013 06:34 PM, Serge Hallyn wrote:
> Quoting Glauber Costa (glommer at parallels.com):
>> On 02/22/2013 08:34 PM, Eric W. Biederman wrote:
>>> Glauber Costa <glommer at parallels.com> writes:
>>>
>>>> On 01/22/2013 01:11 PM, Eric W. Biederman wrote:
>>>>>
>>>>> The kernel support for user namespaces allows ordinary users to use
>>>>> multiple uids and gids if they can get a trusted program to tell the
>>>>> kernel the set of subordinate uids and gids they are allowed to use.
>>>>>
>>>>> This is my work to make that trusted program.
>>>>> Two new files are added /etc/subuid /etc/subgid that specify
>>>>> ranges of uids and gids that users may use.
>>>>>
>>>>> useradd, and newusers are modified to add users to those files.
>>>>>
>>>>> userdel is modified to remove users from those files.
>>>>>
>>>>> usermod is modified to give manual control of what goes in those files.
>>>>>
>>>>> newuidmap and newgidmap read the new files and update
>>>>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>>>>> as requested by their command line parameters and as allowed
>>>>> by the /etc/subuid and /etc/subgid.
>>>>>
>>>>> The following patches are against the current development trunk
>>>>> of pkg-shadow svn rev 3745. With minor tweaking of man/Makefile.am
>>>>> these patches also apply to shadow 4.1.5.
>>>>>
>>>>> Eric W. Biederman (11):
>>>>> Documentation for /etc/subuid and /etc/subgid
>>>>> login.defs.5: Document the new variables in login.defs
>>>>> Implement commonio_append.
>>>>> Add backend support for subordinate uids and gids
>>>>> Implement find_new_sub_uids find_new_sub_gids
>>>>> userdel: Add support for removing subordinate user and group ids.
>>>>> useradd: Add support for subordinate user identifiers
>>>>> Add support for detecting busy subordinate user ids
>>>>> usermod: Add support for subordinate uids and gids.
>>>>> newusers: Add support for assigning subordinate uids and gids.
>>>>> newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>>>>
>>>> Hi,
>>>>
>>>> Is there any intention to merge this (or any later version thereof) ?
>>>> I intend to start excluding uid ranges for containers usage in OpenVZ,
>>>> and support for that in tooling would come in handy.
>>>
>>> I don't know what the state of the main pkg-shadow package is. I haven't
>>> heard anything and the repository seems to have been dormant since the
>>> last release almost a year ago.
>>>
>>> However the last I heard Serge was working on getting these changes into
>>> Ubuntu.
>>>
>>> So the intention is to get this code merged but I don't know what more
>>> needs to be done at this point.
>>>
>> I understand, this was more a question for the package maintainers.
>> It would be interesting for us to have those changes more widely
>> available than just @Ubuntu
>
> Well, I would aim to get it into Debian, from where it should make it
> into all its downstreams eventually... But I know that's not what you
> mean :)
>
> Note that the core of this really isn't a big deal, and you can easily
> implement your own distro-independent wrappers. Just provide an easy
> tool for admins to assign subuids to users, and a small setuid-root
> binary to allow users, subject to those constraints, to write to
> /proc/$$/uid_maps.
>
> Shadow integration will be nice, but for your use case you should be
> able to by-step it until shadow integration is complete.
>
Well, the main problem is that I don't talk on behalf of any distro. We
distribute OpenVZ, and would like to create containers such that each
container has its own user range - all that without having the
containers' users conflicting with users created by useradd's normal
operation.

I am *hoping* that by selecting ranges high enough I will avoid
conflicts at least in the beginning, but it is a bit of guesswork.
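The thread describes newuidmap/newgidmap reading /etc/subuid and only writing mappings to /proc/[pid]/uid_map that the file allows, and Glauber's worry about subordinate ranges colliding with ordinary passwd uids. The following is an added example (not code from the pkg-shadow patches or from OpenVZ) that models both checks over constructed subuid data; the policy it enforces (a user may map its own uid with count 1 plus its subuid ranges) and the name:start:count line format are assumptions of this example.

```python
# Added example: models the authorisation check a newuidmap-style helper
# performs before writing /proc/[pid]/uid_map, plus an overlap check
# against existing passwd uids. Not the pkg-shadow implementation.

SUBUID = """\
# constructed sample in name:start:count form (subuid(5) style)
alice:100000:65536
bob:165536:65536
"""


def parse_subuid(text):
    """Return {user: [(start, count), ...]} parsed from subuid-style text."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.setdefault(name, []).append((int(start), int(count)))
    return ranges


def mapping_allowed(user, own_uid, requested, ranges):
    """requested: list of (inside, outside, count) triples in uid_map order.

    Assumed policy: each requested outside range must be either the caller's
    own uid with count 1, or lie wholly within one of the caller's subuid
    ranges. Anything else is refused, so a user cannot claim another
    user's subordinate ids or an unassigned block.
    """
    allowed = [(own_uid, 1)] + ranges.get(user, [])
    for _inside, outside, count in requested:
        if count <= 0:
            return False
        if not any(outside >= s and outside + count <= s + c for s, c in allowed):
            return False
    return True


def conflicts_with_passwd(ranges, passwd_uids):
    """Return (user, uid) pairs where a subuid range covers a real passwd
    uid, i.e. the collision the thread hopes to avoid by choosing high ranges."""
    hits = []
    for user, rs in ranges.items():
        for start, count in rs:
            hits.extend((user, uid) for uid in passwd_uids if start <= uid < start + count)
    return hits
```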