[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces

Serge Hallyn serge at hallyn.com
Mon Jul 29 00:33:38 UTC 2013


ebiederm at xmission.com wrote:

>Christian PERRIER <bubulle at debian.org> writes:
>
>> Quoting Eric W. Biederman (ebiederm at xmission.com):
>>> 
>>> The kernel support for user namespaces allows ordinary users to use
>>> multiple uids and gids if they can get a trusted program to tell the
>>> kernel the set of subordinate uids and gids they are allowed to use.
>>> 
>>> This is my work to make that trusted program.
>>> Two new files are added /etc/subuid /etc/subgid that specify
>>> ranges of uids and gids that users may use.
>>> 
>>> useradd and newusers are modified to add users to those files.
>>> 
>>> userdel is modified to remove users from those files.
>>> 
>>> usermod is modified to give manual control of what goes in those files.
>>> 
>>> newuidmap and newgidmap read the new files and update
>>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>>> as requested by their command line parameters and as allowed
>>> by the /etc/subuid and /etc/subgid.
>>> 
>>> The following patches are against the current development trunk
>>> of pkg-shadow svn rev 3745.  With minor tweaking of man/Makefile.am
>>> these patches also apply to shadow 4.1.5.
>>> 
>>> Eric W. Biederman (11):
>>>       Documentation for /etc/subuid and /etc/subgid
>>>       login.defs.5: Document the new variables in login.defs
>>>       Implement commonio_append.
>>>       Add backend support for subordinate uids and gids
>>>       Implement find_new_sub_uids find_new_sub_gids
>>>       userdel: Add support for removing subordinate user and group ids.
>>>       useradd: Add support for subordinate user identifiers
>>>       Add support for detecting busy subordinate user ids
>>>       usermod: Add support for subordinate uids and gids.
>>>       newusers: Add support for assigning subordinate uids and gids.
>>>       newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>>> ---
>>
>> OK, now we're ready for this.
>>
>> Eric, I have no skills to decide whether your patches can be included
>> or not. My proposal is to go ahead and include them in the upcoming
>> 4.2 release, that will be compiled and uploaded in Debian as soon as
>> released, so that it gets extensive testing.
>>
>> We now have an "upstream" git repository at
>>
>>
>> http://github.com/shadow-maint/shadow.git
>>
>> Would you mind pushing your set of patches there?
>>
>> That requires an account on github and include you in the project
>> members (Serge Hallyn can do that).
>>
>> I would prefer this over committing/pushing myself.
>>
>> I really apologize for the too long delay working on this. We now need
>> to revive shadow's development.
>
>Understood.
>
>At this point Serge has taken over stewardship of those patches and has
>a version with all of the known bug fixes applied that has been reviewed
>and included in Ubuntu.  So I expect the most responsible way is to just
>pull the branch with those changes that is in Ubuntu.
>
>Serge does that sound right?
>
>Eric

Sorry, I think I just sent a private reply.  To repeat, I can do this when I'm back at a kbd, maybe Friday, definitely Monday.

Thanks,
-serge
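The file format and the authorisation check that Eric's summary above describes (newuidmap and newgidmap read /etc/subuid and /etc/subgid and only write /proc/[pid]/uid_map and gid_map entries those files permit), as an added example that is not code from shadow, from Ubuntu's branch, or from anyone on this thread. It assumes the owner:start:count line format of /etc/subuid; the sample file contents, the user names and the function names (parse_subid, mapping_allowed, sample_request_allowed) are constructed for illustration. The real helpers also verify that the target pid belongs to the caller and that the caller is the named user; that part is left out here.

```c
#define _POSIX_C_SOURCE 200809L     /* strdup, strtok_r */
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* One line of /etc/subuid or /etc/subgid: owner:start:count */
struct subid_range { char owner[64]; unsigned long start, count; };
/* One mapping triple as given to newuidmap: inner outer count */
struct id_map { unsigned long inner, outer, count; };

/* Constructed sample of an /etc/subuid file (not from any real system). */
static const char sample_subuid[] =
    "serge:100000:65536\n"
    "eric:165536:65536\n"
    "# comment and blank lines are skipped by this parser\n"
    "\n";

/* Parse an unsigned decimal field; the whole field must be digits. */
static bool parse_ul(const char *s, unsigned long *out)
{
    char *end;
    if (*s < '0' || *s > '9')
        return false;
    *out = strtoul(s, &end, 10);
    return *end == '\0';
}

/* Parse subuid-format text into out[] (at most max entries).
 * Returns the number of ranges parsed, or -1 on a malformed line. */
int parse_subid(const char *text, struct subid_range *out, int max)
{
    char *copy = strdup(text), *save, *line, *f1, *f2;
    int n = 0;
    if (copy == NULL)
        return -1;
    for (line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        if (*line == '#')
            continue;
        f1 = strchr(line, ':');
        f2 = f1 ? strchr(f1 + 1, ':') : NULL;
        if (n >= max || !f1 || !f2 || f1 == line
            || (size_t)(f1 - line) >= sizeof out[n].owner)
            goto bad;
        *f1++ = '\0';
        *f2++ = '\0';
        strcpy(out[n].owner, line);
        if (!parse_ul(f1, &out[n].start) || !parse_ul(f2, &out[n].count)
            || out[n].count == 0 || out[n].start > ULONG_MAX - out[n].count)
            goto bad;               /* empty range, or start+count would wrap */
        n++;
    }
    free(copy);
    return n;
bad:
    free(copy);
    return -1;
}

/* True when [outer, outer+count) lies inside one range delegated to user. */
static bool outer_range_owned(const char *user, const struct subid_range *r,
                              int n, unsigned long outer, unsigned long count)
{
    if (count == 0 || outer > ULONG_MAX - count)
        return false;               /* empty or wrapping request */
    for (int i = 0; i < n; i++)
        if (strcmp(r[i].owner, user) == 0 && outer >= r[i].start
            && outer + count <= r[i].start + r[i].count)
            return true;
    return false;
}

/* The check a setuid helper must pass before writing /proc/[pid]/uid_map:
 * every outer range is delegated to user, and inner ranges do not overlap. */
bool mapping_allowed(const char *user, const struct subid_range *r, int n,
                     const struct id_map *m, int nm)
{
    for (int i = 0; i < nm; i++) {
        if (!outer_range_owned(user, r, n, m[i].outer, m[i].count)
            || m[i].inner > ULONG_MAX - m[i].count)
            return false;
        for (int j = 0; j < i; j++)     /* overlapping inner ids are ambiguous */
            if (m[i].inner < m[j].inner + m[j].count
                && m[j].inner < m[i].inner + m[i].count)
                return false;
    }
    return true;
}

/* Wrapper over the sample file: would "newuidmap <pid> inner outer count"
 * be permitted for user?  Parses the sample on every call for simplicity. */
bool sample_request_allowed(const char *user, unsigned long inner,
                            unsigned long outer, unsigned long count)
{
    struct subid_range r[8];
    struct id_map m = { inner, outer, count };
    int n = parse_subid(sample_subuid, r, 8);
    return n >= 0 && mapping_allowed(user, r, n, &m, 1);
}
```

With the sample file, sample_request_allowed("serge", 0, 100000, 65536) is the request behind "newuidmap PID 0 100000 65536" and passes, while one more id (count 65537), a start one below the delegated range, or a request from a different user is refused. The two wrap-around checks are the ones that matter most in a setuid helper: without them a request such as outer = ULONG_MAX, count = 2 would compare as "inside" a range and the helper would hand the kernel ids it was never told to delegate.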

