[PATCH 00/11] pkg-shadow support subordinate ids with user namespaces

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

The kernel support for user namespaces allows ordinary users to use
multiple uids and gids if they can get a trusted program to tell the
kernel the set of subordinate uids and gids they are allowed to use.

This is my work to make that trusted program.
Two new files are added /etc/subuid /etc/subgid that specify
ranges of uids and gids that users may uses.

useradd, and newusers are modifed to add users to those files.

userdel is modeifed to remove users from those files.

usermod is modified to give manual control of what goes in those files.

newuidmap and newgidmap read the new files and update
/proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
as requested by their command line parameters and as allowed
by the /etc/subuid and /etc/subgid.

The following patches are against the current developent trunk
of pkg-shadow svn rev 3745.  With minor tweaking of man/Makefile.am
these patches also apply to shadow 4.1.5.

Eric W. Biederman (11):
      Documentation for /etc/subuid and /etc/subgid
      login.defs.5: Document the new variables in login.defs
      Implement commonio_append.
      Add backend support for suboridnate uids and gids
      Implement find_new_sub_uids find_new_sub_gids
      userdel: Add support for removing subordinate user and group ids.
      useradd: Add support for subordinate user identifiers
      Add support for detecting busy subordinate user ids
      usermod: Add support for subordinate uids and gids.
      newusers: Add support for assiging subordinate uids and gids.
      newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
---

 etc/login.defs                     |    8 +
 lib/Makefile.am                    |    2 +
 lib/commonio.c                     |   30 ++
 lib/commonio.h                     |    1 +
 lib/getdef.c                       |    6 +
 lib/prototypes.h                   |    9 +
 lib/subordinateio.c                |  512 ++++++++++++++++++++++++++++++++++++
 lib/subordinateio.h                |   38 +++
 libmisc/Makefile.am                |    4 +
 libmisc/find_new_sub_gids.c        |   87 ++++++
 libmisc/find_new_sub_uids.c        |   87 ++++++
 libmisc/idmapping.c                |  126 +++++++++
 libmisc/idmapping.h                |   44 +++
 libmisc/user_busy.c                |   18 +-
 man/Makefile.am                    |   10 +
 man/login.defs.5.xml               |    8 +
 man/login.defs.d/SUB_GID_COUNT.xml |   46 ++++
 man/login.defs.d/SUB_UID_COUNT.xml |   46 ++++
 man/newgidmap.1.xml                |  157 +++++++++++
 man/newuidmap.1.xml                |  154 +++++++++++
 man/subgid.5.xml                   |  120 +++++++++
 man/subuid.5.xml                   |  120 +++++++++
 man/usermod.8.xml                  |   80 ++++++
 src/Makefile.am                    |    5 +-
 src/newgidmap.c                    |  183 +++++++++++++
 src/newuidmap.c                    |  183 +++++++++++++
 src/newusers.c                     |  124 +++++++++
 src/useradd.c                      |  141 ++++++++++-
 src/userdel.c                      |  115 ++++++++
 src/usermod.c                      |  255 ++++++++++++++++++-
 30 files changed, 2708 insertions(+), 11 deletions(-)
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
[Index of Archives]     [Cgroups]     [Netdev]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux