[PATCH 11/11] newuidmap, newgidmap: New suid helpers for using subordinate uids and gids

Eric W. Biederman ebiederm at xmission.com
Sat Oct 26 00:42:12 UTC 2013


"Serge E. Hallyn" <serge at hallyn.com> writes:

> Quoting Eric W. Biederman (ebiederm at xmission.com):
>
> Hi,
>
>> +static bool verify_range(struct passwd *pw, struct map_range *range)
>> +{
>> +	/* An empty range is invalid */
>> +	if (range->count == 0)
>> +		return false;
>> +
>> +	/* Test /etc/subuid */
>> +	if (have_sub_uids(pw->pw_name, range->lower, range->count))
>> +		return true;
>
> I think the have_sub_uids() test should be skipped if we started
> out as root.  Is there a reason not to do that?

The only reason I can see for root to use this binary is if it a flavor
of root that has dropped some capbilities.  Is there a reason for root
to use newuidmap and newgid map at all?

Otherwise I think it makes sense to enforce whatever the system choosen
policy is on root, because root is opting in.

Eric


More information about the Containers mailing list