[PATCH 11/11] newuidmap, newgidmap: New suid helpers for using subordinate uids and gids

Serge Hallyn serge.hallyn at ubuntu.com
Sat Oct 26 02:33:46 UTC 2013


Quoting Eric W. Biederman (ebiederm at xmission.com):
> "Serge E. Hallyn" <serge at hallyn.com> writes:
> 
> > Quoting Eric W. Biederman (ebiederm at xmission.com):
> >
> > Hi,
> >
> >> +static bool verify_range(struct passwd *pw, struct map_range *range)
> >> +{
> >> +	/* An empty range is invalid */
> >> +	if (range->count == 0)
> >> +		return false;
> >> +
> >> +	/* Test /etc/subuid */
> >> +	if (have_sub_uids(pw->pw_name, range->lower, range->count))
> >> +		return true;
> >
> > I think the have_sub_uids() test should be skipped if we started
> > out as root.  Is there a reason not to do that?
> 
> The only reason I can see for root to use this binary is if it a flavor
> of root that has dropped some capbilities.  Is there a reason for root
> to use newuidmap and newgid map at all?

Of course.  It keeps things simpler for creating mapped containers.
Otherwise we have to special-case the "i am root" vs "i am not root"
case when untarring a rootfs for a container.

> Otherwise I think it makes sense to enforce whatever the system choosen
> policy is on root, because root is opting in.
> 
> Eric
> _______________________________________________
> Containers mailing list
> Containers at lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers


More information about the Containers mailing list