[Pkg-shadow-devel] [test] newuidmap/newgidmap

Serge Hallyn serge.hallyn at ubuntu.com
Tue Jun 3 15:38:05 UTC 2014


Quoting Philippe Grégoire (gregoirep at hotmail.com):
> Hi,
> 
> This is a follow-up on Christian Perrier's feedback request. Also, this issue is
> related to the shadow package in general, not specifically Debian. Please feel
> free to redirect to appropriate channels.
> 
> Currently, calling newuidmap fails if called by root, which I used to consider
> nonsense. Checking newuidmap's code shows that only /etc/subuid and "$d $userid 1"
> are allowed to be specified. Thus, if root is not present in subuid, the call
> fails.
> 
> I considered adding a getuid-type check for root, then a capget() for CAP_SETUID
> and then considered doing the same checks the kernel does. Well, that would
> amount to copying what the kernel does, which is never a good thing. Putting it
> simply, newuidmap is meant to be used by regular users.
> 
> The more appropriate response would be to add a note to the manual mentioning
> that a user should do some kind of
> 
>   echo $mapping > /proc/[pid]/uid_map
> 
> if newuidmap fails with a specific error code. Also, newuidmap would have to
> return the aforementioned code in verify_ranges() (instead of EXIT_FAILURE).
> 
> This also applies to newgidmap(1).

Yeah, Eric and I discussed this a bit in this thread (which this list was also
cc:d on):

http://www.spinics.net/lists/linux-containers/msg28882.html

I personally still feel as you do, that root should be a special case who can
do as he likes; OTOH it's not an unreasonable argument that (a) root can do
as he likes manually anyway, and (b) requiring this gives some default
protective isolation of subuids for root.

-serge
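
A simplified model of the check discussed in this thread, as an added example (not code from the shadow package or from either poster): a requested range is accepted if it is the caller's own uid with count 1, or if it lies inside a range the caller owns in /etc/subuid. The function names, the user names and the sample file content are constructed for illustration; owners are assumed to be matched by login name.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /etc/subuid (owner:start:count); root has no entry. */
static const char *SAMPLE_SUBUID =
    "alice:100000:65536\n"
    "bob:165536:65536\n";

/* Return 1 if [lower, lower+count) lies inside one range owned by `owner`. */
static int have_sub_range(const char *subuid, const char *owner,
                          unsigned long lower, unsigned long count)
{
    const char *line = subuid;
    while (*line) {
        char name[64];
        unsigned long start, len;
        /* The subtraction form avoids overflow in start+len / lower+count. */
        if (sscanf(line, "%63[^:]:%lu:%lu", name, &start, &len) == 3 &&
            strcmp(name, owner) == 0 &&
            lower >= start && count <= len && lower - start <= len - count)
            return 1;
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Model of the per-range decision: own uid with count 1, or a subuid range. */
int mapping_allowed(const char *subuid, const char *owner, unsigned long ruid,
                    unsigned long lower, unsigned long count)
{
    if (count == 0)
        return 0;
    if (count == 1 && lower == ruid)
        return 1;
    return have_sub_range(subuid, owner, lower, count);
}

int main(void)
{
    printf("alice 100000+65536: %d\n", mapping_allowed(SAMPLE_SUBUID, "alice", 1000, 100000, 65536));
    printf("root  0+1:          %d\n", mapping_allowed(SAMPLE_SUBUID, "root", 0, 0, 1));
    printf("root  100000+65536: %d\n", mapping_allowed(SAMPLE_SUBUID, "root", 0, 100000, 65536));
    return 0;
}
```

With no root line in the file, root's only accepted request in this model is its own uid with count 1, which is the failure described in the quoted message.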


