[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces
Eric W. Biederman
ebiederm at xmission.com
Sun Jul 28 17:58:29 UTC 2013
Christian PERRIER <bubulle at debian.org> writes:
> Quoting Eric W. Biederman (ebiederm at xmission.com):
>> The kernel support for user namespaces allows ordinary users to use
>> multiple uids and gids if they can get a trusted program to tell the
>> kernel the set of subordinate uids and gids they are allowed to use.
>> This is my work to make that trusted program.
>> Two new files are added /etc/subuid /etc/subgid that specify
>> ranges of uids and gids that users may uses.
>> useradd, and newusers are modifed to add users to those files.
>> userdel is modeifed to remove users from those files.
>> usermod is modified to give manual control of what goes in those files.
>> newuidmap and newgidmap read the new files and update
>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>> as requested by their command line parameters and as allowed
>> by the /etc/subuid and /etc/subgid.
>> The following patches are against the current developent trunk
>> of pkg-shadow svn rev 3745. With minor tweaking of man/Makefile.am
>> these patches also apply to shadow 4.1.5.
>> Eric W. Biederman (11):
>> Documentation for /etc/subuid and /etc/subgid
>> login.defs.5: Document the new variables in login.defs
>> Implement commonio_append.
>> Add backend support for suboridnate uids and gids
>> Implement find_new_sub_uids find_new_sub_gids
>> userdel: Add support for removing subordinate user and group ids.
>> useradd: Add support for subordinate user identifiers
>> Add support for detecting busy subordinate user ids
>> usermod: Add support for subordinate uids and gids.
>> newusers: Add support for assiging subordinate uids and gids.
>> newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
> OK, now we're ready for this.
> Eric, I have no skills to decide whether your patches can be included
> or not. My proposal is to go ahead and include them in the upcomign
> 4.2 release, that will be compiled and uploaded in Debian as soon as
> released, so that it gets extensive testing.
> We now have an "upstream" git repository at
> Would you mind pushing your set of patches there?
> That requires an account on github and include you in the project
> members (Serge Hallyn can do that).
> I would prefer this over committing/pushing myself.
> I really apologize for the too long delay working on this. We now need
> to revive shadow's development.
At this point Serge has taken over stewardship of those patches and has
a version with all of the known bug fixes applied that has been reviewed
and included in Ubuntu. So I expect the most responsible way is to just
pull the branch with those changes that is in Ubuntu.
Serge does that sound right?
More information about the Containers