[Pkg-shadow-devel] [PATCH 11/11] newuidmap, newgidmap: New suid helpers for using subordinate uids and gids

Eric W. Biederman ebiederm at xmission.com
Sat Oct 26 21:50:52 UTC 2013


Serge Hallyn <serge.hallyn at ubuntu.com> writes:

> Quoting Eric W. Biederman (ebiederm at xmission.com):
>> "Serge E. Hallyn" <serge at hallyn.com> writes:
>> 
>> > Quoting Eric W. Biederman (ebiederm at xmission.com):
>> >
>> > Hi,
>> >
>> >> +static bool verify_range(struct passwd *pw, struct map_range *range)
>> >> +{
>> >> +	/* An empty range is invalid */
>> >> +	if (range->count == 0)
>> >> +		return false;
>> >> +
>> >> +	/* Test /etc/subuid */
>> >> +	if (have_sub_uids(pw->pw_name, range->lower, range->count))
>> >> +		return true;
>> >
>> > I think the have_sub_uids() test should be skipped if we started
>> > out as root.  Is there a reason not to do that?
>> 
>> The only reason I can see for root to use this binary is if it a flavor
>> of root that has dropped some capbilities.  Is there a reason for root
>> to use newuidmap and newgid map at all?
>
> Of course.  It keeps things simpler for creating mapped containers.
> Otherwise we have to special-case the "i am root" vs "i am not root"
> case when untarring a rootfs for a container.

I guess my practical question is don't we want to reserve a range of
subuid's for root owned containers as well.  Just so that we know
someone is using those uids and we don't get them allocated to another
purpose?

Or am I missing something here?

Eric



More information about the Pkg-shadow-devel mailing list