From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
Subject: Re: [Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces
Date: Sun, 28 Jul 2013 10:58:29 -0700
Message-ID: <87r4eilg6y.fsf@xmission.com>
References: <87d2wxshu0.fsf@xmission.com> <20130728171451.GX5670@mykerinos.kheops.frmug.org>
In-Reply-To: <20130728171451.GX5670-FvNwPcshoeM/MCprI7ZU+I/wHUNs+SP4HZ5vskTnxNA@public.gmane.org> (Christian PERRIER's message of "Sun, 28 Jul 2013 19:14:51 +0200")
To: Christian PERRIER
Cc: Linux Containers, Pkg-shadow-devel-XbBxUvOt3X2LieD7tvxI8l/i77bcL1HB@public.gmane.org, "Michael Kerrisk (man-pages)", Nicolas François
List-Id: containers.vger.kernel.org

Christian PERRIER writes:

> Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>>
>> The kernel support for user namespaces allows ordinary users to use
>> multiple uids and gids if they can get a trusted program to tell the
>> kernel the set of subordinate uids and gids they are allowed to use.
>>
>> This is my work to make that trusted program.
>> Two new files are added /etc/subuid /etc/subgid that specify
>> ranges of uids and gids that users may use.
>>
>> useradd, and newusers are modified to add users to those files.
>>
>> userdel is modified to remove users from those files.
>>
>> usermod is modified to give manual control of what goes in those files.
>>
>> newuidmap and newgidmap read the new files and update
>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>> as requested by their command line parameters and as allowed
>> by the /etc/subuid and /etc/subgid.
>>
>> The following patches are against the current development trunk
>> of pkg-shadow svn rev 3745. With minor tweaking of man/Makefile.am
>> these patches also apply to shadow 4.1.5.
>>
>> Eric W. Biederman (11):
>>   Documentation for /etc/subuid and /etc/subgid
>>   login.defs.5: Document the new variables in login.defs
>>   Implement commonio_append.
>>   Add backend support for subordinate uids and gids
>>   Implement find_new_sub_uids find_new_sub_gids
>>   userdel: Add support for removing subordinate user and group ids.
>>   useradd: Add support for subordinate user identifiers
>>   Add support for detecting busy subordinate user ids
>>   usermod: Add support for subordinate uids and gids.
>>   newusers: Add support for assigning subordinate uids and gids.
>>   newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>> ---
>
> OK, now we're ready for this.
>
> Eric, I have no skills to decide whether your patches can be included
> or not. My proposal is to go ahead and include them in the upcoming
> 4.2 release, that will be compiled and uploaded in Debian as soon as
> released, so that it gets extensive testing.
>
> We now have an "upstream" git repository at
>
>   http://github.com/shadow-maint/shadow.git
>
> Would you mind pushing your set of patches there?
>
> That requires an account on github and including you in the project
> members (Serge Hallyn can do that).
>
> I would prefer this over committing/pushing myself.
>
> I really apologize for the too long delay working on this. We now need
> to revive shadow's development.

Understood. At this point Serge has taken over stewardship of those
patches and has a version with all of the known bug fixes applied that
has been reviewed and included in Ubuntu.

So I expect the most responsible way is to just pull the branch with
those changes that is in Ubuntu.

Serge, does that sound right?

Eric
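The subordinate-id check the quoted cover letter describes (newuidmap may only write a /proc/[pid]/uid_map that /etc/subuid allows), as an added example that is not shadow's own code: it parses a constructed /etc/subuid sample in the user:start:count format and accepts a requested map only if every "inside outside count" line lies within the caller's subordinate ranges. The sample file contents, user names and function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /etc/subuid (not a real system file), in the
 * user:first_subuid:count format the cover letter describes. */
static const char *SUBUID_DB =
    "alice:100000:65536\n"
    "bob:165536:65536\n";

/* Return 1 if one of user's entries in db covers every id in
 * [lower, lower + count). Simplified model of the newuidmap check,
 * written for this example; not shadow's implementation. */
int subid_range_allowed(const char *db, const char *user,
                        unsigned long lower, unsigned long count)
{
    char line[256], name[128];
    unsigned long start, n;
    const char *p = db;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) return 0;   /* malformed db: refuse */
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        if (sscanf(line, "%127[^:]:%lu:%lu", name, &start, &n) != 3) continue;
        if (strcmp(name, user) != 0) continue;
        /* lower >= start && lower + count <= start + n, without overflow */
        if (lower >= start && count <= n && lower - start <= n - count)
            return 1;
    }
    return 0;
}

/* Validate a whole request in /proc/[pid]/uid_map syntax ("inside
 * outside count" per line). Returns 1 only if the map is well formed
 * and every outside range is covered by the user's subordinate ids. */
int uid_map_allowed(const char *db, const char *user, const char *map)
{
    unsigned long in, out, cnt;
    int consumed, lines = 0;
    while (sscanf(map, " %lu %lu %lu%n", &in, &out, &cnt, &consumed) == 3) {
        if (cnt == 0 || !subid_range_allowed(db, user, out, cnt)) return 0;
        map += consumed;
        lines++;
    }
    while (*map == ' ' || *map == '\t' || *map == '\n') map++;
    return lines > 0 && *map == '\0';   /* reject trailing garbage */
}
```

Note that %lu silently accepts a leading minus sign, so a setuid helper would parse with strtoul and reject signs explicitly rather than rely on sscanf.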