[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces

[Eric W. Biederman]

Christian PERRIER <bubulle at debian.org> writes:

> Quoting Eric W. Biederman (ebiederm at xmission.com):
>> 
>> The kernel support for user namespaces allows ordinary users to use
>> multiple uids and gids if they can get a trusted program to tell the
>> kernel the set of subordinate uids and gids they are allowed to use.
>> 
>> This is my work to make that trusted program.
>> Two new files are added /etc/subuid /etc/subgid that specify
>> ranges of uids and gids that users may uses.
>> 
>> useradd, and newusers are modifed to add users to those files.
>> 
>> userdel is modeifed to remove users from those files.
>> 
>> usermod is modified to give manual control of what goes in those files.
>> 
>> newuidmap and newgidmap read the new files and update
>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>> as requested by their command line parameters and as allowed
>> by the /etc/subuid and /etc/subgid.
>> 
>> The following patches are against the current developent trunk
>> of pkg-shadow svn rev 3745.  With minor tweaking of man/Makefile.am
>> these patches also apply to shadow 4.1.5.
>> 
>> Eric W. Biederman (11):
>>       Documentation for /etc/subuid and /etc/subgid
>>       login.defs.5: Document the new variables in login.defs
>>       Implement commonio_append.
>>       Add backend support for suboridnate uids and gids
>>       Implement find_new_sub_uids find_new_sub_gids
>>       userdel: Add support for removing subordinate user and group ids.
>>       useradd: Add support for subordinate user identifiers
>>       Add support for detecting busy subordinate user ids
>>       usermod: Add support for subordinate uids and gids.
>>       newusers: Add support for assiging subordinate uids and gids.
>>       newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>> ---
>
> OK, now we're ready for this.
>
> Eric, I have no skills to decide whether your patches can be included
> or not. My proposal is to go ahead and include them in the upcomign
> 4.2 release, that will be compiled and uploaded in Debian as soon as
> released, so that it gets extensive testing.
>
> We now have an "upstream" git repository at
>
>
> http://github.com/shadow-maint/shadow.git
>
> Would you mind pushing your set of patches there?
>
> That requires an account on github and include you in the project
> members (Serge Hallyn can do that).
>
> I would prefer this over committing/pushing myself.
>
> I really apologize for the too long delay working on this. We now need
> to revive shadow's development.

Understood.

At this point Serge has taken over stewardship of those patches and has
a version with all of the known bug fixes applied that has been reviewed
and included in Ubuntu.  So I expect the most responsible way is to just
pull the branch with those changes that is in Ubuntu.

Serge does that sound right?

Eric