[Pkg-shadow-devel] [test] newuidmap/newgidmap
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Jun 3 15:38:05 UTC 2014
Quoting Philippe Grégoire (gregoirep at hotmail.com):
> Hi,
>
> This is a follow-up on Christian Perrier's feedback request. Also, this issue is
> related to the shadow package in general not specifically Debian. Please feel
> free, to redirect to appropriate channels.
>
> Currently, calling newuidmap fails if called by root; which I used to consider
> non-sense. Checking newuidmap's code shows that only /etc/subuid and "$d $userid 1"
> are allowed to be specified. Thus, if root is not present in subuid, the call
> fails.
>
> I considered adding a getuid-type check for root, then a capget() for CAP_SETUID
> and then considered doing the same checks the kernel does. Well, that would
> amount to copying what the kernel does, which is never a good thing. Putting it
> simply, newuidmap is meant to be used by regular users..
>
> The more appropriate response would be to add a note to the manual mentionning
> that a user should do some kind of
>
> echo $mapping > /proc/[pid]/uid_map
>
> if newuidmap fails with a specific error code. Also, newuidmap would have to
> return the aforementioned code in verify_ranges() (instead of EXIT_FAILURE).
>
> This also applies to newgidmap(1).
Yeah, Eric and I discussed this a bit in this thread (which this list was also
cc:d on) :
http://www.spinics.net/lists/linux-containers/msg28882.html
I personally still feel as you do, that root should be a special case who can
do as he likes; OTOH it's not an unreasonable argument that (a) root can do
as he likes manually anyway, and (b) requiring this gives some default
protective isolation of subuids for root.
-serge
More information about the Pkg-shadow-devel
mailing list