[Pkg-shadow-devel] [test] newuidmap/newgidmap
Philippe Grégoire
gregoirep at hotmail.com
Tue Jun 3 15:14:02 UTC 2014
Hi,
This is a follow-up on Christian Perrier's feedback request. Also, this issue is
related to the shadow package in general not specifically Debian. Please feel
free, to redirect to appropriate channels.
Currently, calling newuidmap fails if called by root; which I used to consider
non-sense. Checking newuidmap's code shows that only /etc/subuid and "$d $userid 1"
are allowed to be specified. Thus, if root is not present in subuid, the call
fails.
I considered adding a getuid-type check for root, then a capget() for CAP_SETUID
and then considered doing the same checks the kernel does. Well, that would
amount to copying what the kernel does, which is never a good thing. Putting it
simply, newuidmap is meant to be used by regular users..
The more appropriate response would be to add a note to the manual mentionning
that a user should do some kind of
echo $mapping > /proc/[pid]/uid_map
if newuidmap fails with a specific error code. Also, newuidmap would have to
return the aforementioned code in verify_ranges() (instead of EXIT_FAILURE).
This also applies to newgidmap(1).
P. Grégoire
More information about the Pkg-shadow-devel
mailing list