[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces

Vasily Kulikov segoon at openwall.com
Wed Jan 30 07:38:16 UTC 2013

On Tue, Jan 29, 2013 at 22:40 -0800, Eric W. Biederman wrote:
> Vasily Kulikov <segoon at openwall.com> writes:
> > Why patch shadow tools?  Why not implement the feature as a PAM
> > module?
> I need hooks into useradd and userdel to managed the subordinate
> user ids and group ids when users are added and removed from the
> system.  PAM doesn't appear to have any hooks like that at all.
> Furthermore shadow-utils is where other uids and gids are allocated
> and it makes sense to keep the allocation functions together so if it
> makes sense they can talk to each other
> > All other capabilities granting things are implemented as PAM modules:
> > pam_group, pam_namespace, pam_cap.
> Except when you want to program the mapping is not at login time.

Understood.  So, a user needs to:

1) be able to reserve [ug]id ranges (more specifically, root allocated
the range).  These ranges should not be allocated by useradd, etc. afterwards.

2) be able to write to uid_map/gid_map files anytime with reserved
values of current user.

In this case patching shadow utils looks appropriate, yes.


Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments

More information about the Pkg-shadow-devel mailing list