[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces
Vasily Kulikov
segoon at openwall.com
Wed Jan 30 07:38:16 UTC 2013
On Tue, Jan 29, 2013 at 22:40 -0800, Eric W. Biederman wrote:
> Vasily Kulikov <segoon at openwall.com> writes:
> > Why patch shadow tools? Why not implement the feature as a PAM
> > module?
>
> I need hooks into useradd and userdel to managed the subordinate
> user ids and group ids when users are added and removed from the
> system. PAM doesn't appear to have any hooks like that at all.
>
> Furthermore shadow-utils is where other uids and gids are allocated
> and it makes sense to keep the allocation functions together so if it
> makes sense they can talk to each other
>
> > All other capabilities granting things are implemented as PAM modules:
> > pam_group, pam_namespace, pam_cap.
>
> Except when you want to program the mapping is not at login time.
[...]
Understood. So, a user needs to:
1) be able to reserve [ug]id ranges (more specifically, root allocated
the range). These ranges should not be allocated by useradd, etc. afterwards.
2) be able to write to uid_map/gid_map files anytime with reserved
values of current user.
In this case patching shadow utils looks appropriate, yes.
Thanks,
--
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
More information about the Pkg-shadow-devel
mailing list