[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces

Eric W. Biederman ebiederm at xmission.com
Sun Jul 28 17:58:29 UTC 2013


Christian PERRIER <bubulle at debian.org> writes:

> Quoting Eric W. Biederman (ebiederm at xmission.com):
>> 
>> The kernel support for user namespaces allows ordinary users to use
>> multiple uids and gids if they can get a trusted program to tell the
>> kernel the set of subordinate uids and gids they are allowed to use.
>> 
>> This is my work to make that trusted program.
>> Two new files are added /etc/subuid /etc/subgid that specify
>> ranges of uids and gids that users may use.
>> 
>> useradd, and newusers are modified to add users to those files.
>> 
>> userdel is modified to remove users from those files.
>> 
>> usermod is modified to give manual control of what goes in those files.
>> 
>> newuidmap and newgidmap read the new files and update
>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>> as requested by their command line parameters and as allowed
>> by the /etc/subuid and /etc/subgid.
>> 
>> The following patches are against the current development trunk
>> of pkg-shadow svn rev 3745.  With minor tweaking of man/Makefile.am
>> these patches also apply to shadow 4.1.5.
>> 
>> Eric W. Biederman (11):
>>       Documentation for /etc/subuid and /etc/subgid
>>       login.defs.5: Document the new variables in login.defs
>>       Implement commonio_append.
>>       Add backend support for subordinate uids and gids
>>       Implement find_new_sub_uids find_new_sub_gids
>>       userdel: Add support for removing subordinate user and group ids.
>>       useradd: Add support for subordinate user identifiers
>>       Add support for detecting busy subordinate user ids
>>       usermod: Add support for subordinate uids and gids.
>>       newusers: Add support for assigning subordinate uids and gids.
>>       newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>> ---
>
> OK, now we're ready for this.
>
> Eric, I have no skills to decide whether your patches can be included
> or not. My proposal is to go ahead and include them in the upcoming
> 4.2 release, that will be compiled and uploaded in Debian as soon as
> released, so that it gets extensive testing.
>
> We now have an "upstream" git repository at
>
>
> http://github.com/shadow-maint/shadow.git
>
> Would you mind pushing your set of patches there?
>
> That requires an account on github and including you in the project
> members (Serge Hallyn can do that).
>
> I would prefer this over committing/pushing myself.
>
> I really apologize for the too long delay working on this. We now need
> to revive shadow's development.

Understood.

At this point Serge has taken over stewardship of those patches and has
a version with all of the known bug fixes applied that has been reviewed
and included in Ubuntu.  So I expect the most responsible way is to just
pull the branch with those changes that is in Ubuntu.

Serge does that sound right?

Eric
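The range check that a setuid helper such as newuidmap must perform before writing a /proc/[pid]/uid_map line, as an added C example that is not part of Eric's patch set or of shadow itself: it parses constructed /etc/subuid lines of the form user:start:count and accepts a requested mapping only when the whole [outside, outside+count) span lies inside one range owned by the caller (a simplification of the real helper; the function names and sample file are assumed).

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define MAX_RANGES 16
struct sub_range { char owner[33]; unsigned long start; unsigned long count; };

/* Constructed sample of /etc/subuid; the real helper reads the file from disk. */
static const char *sample_subuid =
    "alice:100000:65536\n"
    "bob:165536:65536\n"
    "alice:300000:1000\n";

/* Parse "owner:start:count" lines; malformed or wrapping lines are skipped. */
static int parse_subuid(const char *text, struct sub_range *out, int max)
{
    char buf[4096];
    int n = 0;
    strncpy(buf, text, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *line = strtok(buf, "\n"); line && n < max; line = strtok(NULL, "\n")) {
        if (sscanf(line, "%32[^:]:%lu:%lu", out[n].owner, &out[n].start, &out[n].count) != 3)
            continue;
        if (out[n].start > ULONG_MAX - out[n].count)   /* end of range would wrap */
            continue;
        n++;
    }
    return n;
}

/* A uid_map entry "inside outside count" is permitted only if the whole span
 * [outside, outside+count) lies within one range owned by the calling user. */
static int mapping_allowed(const struct sub_range *r, int n, const char *caller,
                           unsigned long outside, unsigned long count)
{
    if (count == 0 || outside > ULONG_MAX - count)       /* empty or wrapping request */
        return 0;
    for (int i = 0; i < n; i++)
        if (strcmp(r[i].owner, caller) == 0 && outside >= r[i].start &&
            outside + count <= r[i].start + r[i].count)
            return 1;
    return 0;
}

/* Wrapper over the constructed sample: 1 if the request would be written, else 0. */
int check_request(const char *caller, unsigned long outside, unsigned long count)
{
    struct sub_range ranges[MAX_RANGES];
    int n = parse_subuid(sample_subuid, ranges, MAX_RANGES);
    return mapping_allowed(ranges, n, caller, outside, count);
}
```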
