[Pkg-shadow-devel] [test] newuidmap/newgidmap

Philippe Grégoire gregoirep at hotmail.com
Tue Jun 3 16:39:03 UTC 2014


On 2014-06-03 15:38:05 (+0000), Serge Hallyn wrote:
> Quoting Philippe Grégoire (gregoirep at hotmail.com):
> 
> I personally still feel as you do, that root should be a special case who can
> do as he likes;  OTOH it's not an unreasonable argument that (a) root can do
> as he likes manually anyway, and (b) requiring this gives some default
> protective isolation of subuids for root.

Actually, I believe that, because root can do arbitrary mappings using /proc,
there is no _need_ for an exception.

The main goal here is to prevent collisions and privilege escalations if users
were allowed to do arbitrary mappings. /etc/subuid allows just that by enabling
users to do mappings (with the help of a SETUID program) to ranges specified by
the administrator (or programmatically, in the case of adduser). While it is
true that root can have subids, it cannot be enforced, ultimately, by
newuidmap.

If one would want to enforce subids for root, one may want to investigate a
/proc/.../subuid interface. That could probably leave the whole restriction
process in the kernel, remove the need for newuidmap and have the administrator
allocate subuids for himself before using them.

In any case, the thing here is about assumptions. newuidmap is not a front-end
but a dedicated tool. To avoid confusion, the manual should be more factual and
recommend checking the mapping with the kernel for a definitive answer.

P. Grégoire
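As an added example (not code from the shadow package or from either author in this thread), the following models the two things the message contrasts: the /etc/subuid range check that newuidmap enforces for unprivileged callers, and the kernel's own /proc/<pid>/uid_map view, which is the definitive record of what was actually mapped. The /etc/subuid and uid_map contents are constructed, and the rule that a request may span adjacent delegated entries is an assumption of this model.

```python
"""Model of the newuidmap policy check versus the kernel's own view.
Constructed sample data is embedded so the example runs offline."""

# Constructed /etc/subuid content: user:start:count, one delegated range per line.
SUBUID_SAMPLE = """\
# delegated subordinate uid ranges (constructed sample)
alice:100000:65536
bob:165536:65536
alice:1000000:1000
"""

# Constructed /proc/<pid>/uid_map content: "inner outer count" per line.
UID_MAP_SAMPLE = "0 100000 65536\n"


def parse_subuid(text):
    """Parse /etc/subuid lines into {user: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def covered(outer, count, allowed):
    """True if [outer, outer + count) lies entirely inside the delegated ranges.
    Assumption: a request may span adjacent entries delegated to the same user."""
    need, end = outer, outer + count
    for start, length in sorted(allowed):
        if start <= need < start + length:
            need = start + length
        if need >= end:
            return True
    return False


def mapping_allowed(user, mapping, ranges):
    """Policy an unprivileged caller is held to: every (inner, outer, count)
    triple must map into ranges the administrator delegated in /etc/subuid.
    Root writing /proc/<pid>/uid_map directly is never subject to this check."""
    allowed = ranges.get(user, [])
    return all(count > 0 and covered(outer, count, allowed)
               for _inner, outer, count in mapping)


def parse_proc_uid_map(text):
    """Parse the kernel's authoritative view of a namespace's uid mapping."""
    return [tuple(int(f) for f in line.split())
            for line in text.splitlines() if line.strip()]
```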


