On Tue, Jan 29, 2013 at 22:40 -0800, Eric W. Biederman wrote:
> Vasily Kulikov <segoon@xxxxxxxxxxxx> writes:
> > Why patch shadow tools? Why not implement the feature as a PAM
> > module?
>
> I need hooks into useradd and userdel to manage the subordinate
> user ids and group ids when users are added and removed from the
> system. PAM doesn't appear to have any hooks like that at all.
>
> Furthermore shadow-utils is where other uids and gids are allocated
> and it makes sense to keep the allocation functions together so if it
> makes sense they can talk to each other.
>
> > All other capabilities granting things are implemented as PAM modules:
> > pam_group, pam_namespace, pam_cap.
>
> Except when you want to program the mapping is not at login time.

[...]

Understood. So, a user needs to:

1) be able to reserve [ug]id ranges (more specifically, root allocated
   the range). These ranges should not be allocated by useradd, etc.
   afterwards.

2) be able to write to uid_map/gid_map files anytime with reserved values
   of current user.

In this case patching shadow utils looks appropriate, yes.

Thanks,

--
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
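The two requirements stated above (root reserves [ug]id ranges per user; the user later writes uid_map/gid_map entries drawn only from those reserved values) imply a check that any setuid helper doing the write on the user's behalf must perform: every outside id in the requested map must lie inside a range root reserved for that user (or be the user's own id), and entries must not overlap. The following is an added illustration, not code from this thread or from shadow-utils. It assumes a reservation file in `user:start:count` form (the constructed sample below stands in for it) and the kernel's `inside outside count` line format for uid_map/gid_map; the function and variable names are the example's own.

```python
"""Check a requested uid_map/gid_map against per-user reserved id ranges."""
from typing import Dict, List, Tuple

# Constructed sample of root-reserved subordinate ranges (user:start:count).
# Assumption: this is the reservation record useradd/userdel would maintain.
SUBID_TEXT = """\
alice:100000:65536
bob:165536:65536
alice:300000:1000
"""

Range = Tuple[int, int]          # (start, count)
MapEntry = Tuple[int, int, int]  # (inside, outside, count)


def parse_subid(text: str) -> Dict[str, List[Range]]:
    """Parse user:start:count lines into {user: [(start, count), ...]}."""
    ranges: Dict[str, List[Range]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:start:count")
        user, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: bad start/count")
        ranges.setdefault(user, []).append((start, count))
    return ranges


def parse_idmap(text: str) -> List[MapEntry]:
    """Parse 'inside outside count' lines (the uid_map/gid_map format)."""
    entries: List[MapEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'inside outside count'")
        inside, outside, count = (int(f) for f in fields)
        if inside < 0 or outside < 0 or count <= 0:
            raise ValueError(f"line {lineno}: ids must be >= 0, count > 0")
        entries.append((inside, outside, count))
    return entries


def _overlaps(a_start: int, a_count: int, b_start: int, b_count: int) -> bool:
    """True if the half-open intervals [a, a+count) and [b, b+count) intersect."""
    return a_start < b_start + b_count and b_start < a_start + a_count


def _covered(start: int, count: int, allowed: List[Range]) -> bool:
    """True if [start, start+count) lies entirely within one allowed range."""
    return any(start >= s and start + count <= s + c for s, c in allowed)


def validate_idmap(user: str, own_id: int, map_text: str,
                   reserved: Dict[str, List[Range]]) -> List[str]:
    """Return a list of problems (empty means the map may be written).

    Rules: each outside range must be covered by a range reserved for `user`
    or be exactly the user's own id; no two entries may overlap on the
    inside or on the outside side of the mapping.
    """
    entries = parse_idmap(map_text)
    # A user may always map their own id; everything else must be reserved.
    allowed = list(reserved.get(user, [])) + [(own_id, 1)]
    errors: List[str] = []
    for i, (inside, outside, count) in enumerate(entries):
        if not _covered(outside, count, allowed):
            errors.append(f"entry {i}: outside ids {outside}..{outside + count - 1} "
                          f"are not reserved for {user}")
        for j in range(i):
            p_in, p_out, p_cnt = entries[j]
            if _overlaps(inside, count, p_in, p_cnt):
                errors.append(f"entry {i} overlaps entry {j} on inside ids")
            if _overlaps(outside, count, p_out, p_cnt):
                errors.append(f"entry {i} overlaps entry {j} on outside ids")
    return errors


if __name__ == "__main__":
    reserved = parse_subid(SUBID_TEXT)
    # alice (uid 1000) maps herself to 0 and her reserved block to 1..65536
    print(validate_idmap("alice", 1000, "0 1000 1\n1 100000 65536\n", reserved))
    # bob tries to use alice's block: rejected
    print(validate_idmap("bob", 1001, "0 100000 65536\n", reserved))
```

The overlap rule mirrors what the kernel itself enforces when the map is written; the coverage rule is the policy piece that lives in userspace, which is exactly why the reservation data and the writer need to agree on a single source of truth.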