[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces

Christian PERRIER bubulle at debian.org
Sun Jul 28 17:14:51 UTC 2013


Quoting Eric W. Biederman (ebiederm at xmission.com):
> 
> The kernel support for user namespaces allows ordinary users to use
> multiple uids and gids if they can get a trusted program to tell the
> kernel the set of subordinate uids and gids they are allowed to use.
> 
> This is my work to make that trusted program.
> Two new files are added /etc/subuid /etc/subgid that specify
> ranges of uids and gids that users may use.
> 
> useradd, and newusers are modified to add users to those files.
> 
> userdel is modified to remove users from those files.
> 
> usermod is modified to give manual control of what goes in those files.
> 
> newuidmap and newgidmap read the new files and update
> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
> as requested by their command line parameters and as allowed
> by the /etc/subuid and /etc/subgid.
> 
> The following patches are against the current development trunk
> of pkg-shadow svn rev 3745.  With minor tweaking of man/Makefile.am
> these patches also apply to shadow 4.1.5.
> 
> Eric W. Biederman (11):
>       Documentation for /etc/subuid and /etc/subgid
>       login.defs.5: Document the new variables in login.defs
>       Implement commonio_append.
>       Add backend support for subordinate uids and gids
>       Implement find_new_sub_uids find_new_sub_gids
>       userdel: Add support for removing subordinate user and group ids.
>       useradd: Add support for subordinate user identifiers
>       Add support for detecting busy subordinate user ids
>       usermod: Add support for subordinate uids and gids.
>       newusers: Add support for assigning subordinate uids and gids.
>       newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
> ---

OK, now we're ready for this.

Eric, I have no skills to decide whether your patches can be included
or not. My proposal is to go ahead and include them in the upcoming
4.2 release, that will be compiled and uploaded in Debian as soon as
released, so that it gets extensive testing.

We now have an "upstream" git repository at


http://github.com/shadow-maint/shadow.git

Would you mind pushing your set of patches there?

That requires an account on github and including you in the project
members (Serge Hallyn can do that).

I would prefer this over committing/pushing myself.

I really apologize for the too long delay working on this. We now need
to revive shadow's development.
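
The check that the quoted cover letter describes for newuidmap and newgidmap, sketched as an added example that is not part of either message or of the shadow patches. It assumes /etc/subuid lines have the form owner:start:count and that each requested mapping must fit inside a single range delegated to the caller; the function names and sample data are constructed for illustration.

```python
# Added illustration: a simplified model of the range check, not shadow's code.
from typing import NamedTuple

class SubRange(NamedTuple):
    owner: str
    start: int
    count: int

# Constructed sample in the owner:start:count layout (assumed format).
SAMPLE_SUBUID = """\
alice:100000:65536
bob:165536:65536
alice:300000:1000
"""

def parse_subid(text):
    """Parse owner:start:count lines, skipping blank or malformed entries."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 3 or not parts[0]:
            continue
        try:
            start, count = int(parts[1]), int(parts[2])
        except ValueError:
            continue
        if start < 0 or count <= 0:
            continue
        ranges.append(SubRange(parts[0], start, count))
    return ranges

def mapping_allowed(ranges, user, lower, count):
    """True if [lower, lower + count) lies inside one range delegated to user."""
    if lower < 0 or count <= 0:
        return False
    return any(r.owner == user and r.start <= lower
               and lower + count <= r.start + r.count for r in ranges)

def check_request(ranges, user, triples):
    """Validate (id inside namespace, id outside, count) triples; fail closed.

    An empty request, or any triple outside the caller's delegated ranges,
    rejects the whole request, so nothing would be written to uid_map.
    """
    return bool(triples) and all(
        mapping_allowed(ranges, user, lower, count)
        for _inside, lower, count in triples)
```

Only the outside (lower) id and the count are checked against the delegated ranges; the id inside the namespace is the caller's choice.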


