[Pkg-shadow-devel] [PATCH 11/11] newuidmap, newgidmap: New suid helpers for using subordinate uids and gids
Serge Hallyn
serge.hallyn at ubuntu.com
Sat Oct 26 02:33:46 UTC 2013
Quoting Eric W. Biederman (ebiederm at xmission.com):
> "Serge E. Hallyn" <serge at hallyn.com> writes:
>
> > Quoting Eric W. Biederman (ebiederm at xmission.com):
> >
> > Hi,
> >
> >> +static bool verify_range(struct passwd *pw, struct map_range *range)
> >> +{
> >> + /* An empty range is invalid */
> >> + if (range->count == 0)
> >> + return false;
> >> +
> >> + /* Test /etc/subuid */
> >> + if (have_sub_uids(pw->pw_name, range->lower, range->count))
> >> + return true;
> >
> > I think the have_sub_uids() test should be skipped if we started
> > out as root. Is there a reason not to do that?
>
> The only reason I can see for root to use this binary is if it a flavor
> of root that has dropped some capbilities. Is there a reason for root
> to use newuidmap and newgid map at all?
Of course. It keeps things simpler for creating mapped containers.
Otherwise we have to special-case the "i am root" vs "i am not root"
case when untarring a rootfs for a container.
> Otherwise I think it makes sense to enforce whatever the system choosen
> policy is on root, because root is opting in.
>
> Eric
> _______________________________________________
> Containers mailing list
> Containers at lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers
More information about the Pkg-shadow-devel
mailing list