[Pkg-shadow-devel] [test] newuidmap/newgidmap

Philippe Grégoire gregoirep at hotmail.com
Tue Jun 3 15:14:02 UTC 2014


This is a follow-up on Christian Perrier's feedback request. Also, this issue is
related to the shadow package in general not specifically Debian. Please feel
free, to redirect to appropriate channels.

Currently, calling newuidmap fails if called by root; which I used to consider
non-sense. Checking newuidmap's code shows that only /etc/subuid and "$d $userid 1"
are allowed to be specified. Thus, if root is not present in subuid, the call

I considered adding a getuid-type check for root, then a capget() for CAP_SETUID
and then considered doing the same checks the kernel does. Well, that would
amount to copying what the kernel does, which is never a good thing. Putting it
simply, newuidmap is meant to be used by regular users..

The more appropriate response would be to add a note to the manual mentionning
that a user should do some kind of

  echo $mapping > /proc/[pid]/uid_map

if newuidmap fails with a specific error code. Also, newuidmap would have to
return the aforementioned code in verify_ranges() (instead of EXIT_FAILURE).

This also applies to newgidmap(1).

P. Grégoire

More information about the Pkg-shadow-devel mailing list