Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):

> The kernel support for user namespaces allows ordinary users to use
> multiple uids and gids if they can get a trusted program to tell the
> kernel the set of subordinate uids and gids they are allowed to use.
>
> This is my work to make that trusted program.
> Two new files are added /etc/subuid /etc/subgid that specify
> ranges of uids and gids that users may use.
>
> useradd, and newusers are modified to add users to those files.
>
> userdel is modified to remove users from those files.
>
> usermod is modified to give manual control of what goes in those files.
>
> newuidmap and newgidmap read the new files and update
> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
> as requested by their command line parameters and as allowed
> by the /etc/subuid and /etc/subgid.
>
> The following patches are against the current development trunk
> of pkg-shadow svn rev 3745. With minor tweaking of man/Makefile.am
> these patches also apply to shadow 4.1.5.
>
> Eric W. Biederman (11):
>   Documentation for /etc/subuid and /etc/subgid
>   login.defs.5: Document the new variables in login.defs
>   Implement commonio_append.
>   Add backend support for suboridnate uids and gids
>   Implement find_new_sub_uids find_new_sub_gids
>   userdel: Add support for removing subordinate user and group ids.
>   useradd: Add support for subordinate user identifiers
>   Add support for detecting busy subordinate user ids
>   usermod: Add support for subordinate uids and gids.
>   newusers: Add support for assiging subordinate uids and gids.
>   newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>
> ---

OK, now we're ready for this.

Eric, I have no skills to decide whether your patches can be included or not. My proposal is to go ahead and include them in the upcoming 4.2 release, that will be compiled and uploaded in Debian as soon as released, so that it gets extensive testing.

We now have an "upstream" git repository at http://github.com/shadow-maint/shadow.git

Would you mind pushing your set of patches there? That requires an account on github and including you in the project members (Serge Hallyn can do that). I would prefer this over committing/pushing myself.

I really apologize for the too long delay working on this. We now need to revive shadow's development.
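As an added example, not part of this thread or of the shadow patches it discusses, here is a Python sketch of the decision newuidmap has to make before writing to /proc/[pid]/uid_map: parse the owner:start:count entries of /etc/subuid and accept a proposed map only when every outer range lies inside one of the caller's subordinate ranges and no two triples overlap (the kernel rejects overlapping maps). The sample file contents are constructed, and the omission of any special case for the caller's own uid is an assumption.

```python
import re
from dataclasses import dataclass

# /etc/subuid and /etc/subgid share one line format: owner:start:count
_ENTRY = re.compile(r"^([^:\s]+):(\d+):(\d+)$")

@dataclass(frozen=True)
class SubIdRange:
    owner: str
    start: int
    count: int

    def contains(self, first: int, count: int) -> bool:
        """True if [first, first+count) lies entirely inside this range."""
        return self.start <= first and first + count <= self.start + self.count

def parse_subid(text: str) -> list[SubIdRange]:
    """Parse the contents of /etc/subuid or /etc/subgid; reject malformed lines."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m or int(m.group(3)) == 0:
            raise ValueError(f"line {lineno}: malformed subordinate id entry {raw!r}")
        ranges.append(SubIdRange(m.group(1), int(m.group(2)), int(m.group(3))))
    return ranges

def mapping_allowed(owner: str, triples, ranges: list[SubIdRange]) -> bool:
    """May `owner` write these (inner, outer, count) triples to /proc/[pid]/uid_map?
    Every outer range must sit inside one of the caller's subordinate ranges, and
    the kernel also rejects maps whose inner or outer ranges overlap each other.
    Assumed simplification: the caller's own uid is not special-cased here."""
    own = [r for r in ranges if r.owner == owner]
    accepted = []  # triples already checked, used for the overlap test
    for inner, outer, count in triples:
        if count <= 0 or not any(r.contains(outer, count) for r in own):
            return False
        for i, o, c in accepted:
            if inner < i + c and i < inner + count:  # inner ranges overlap
                return False
            if outer < o + c and o < outer + count:  # outer ranges overlap
                return False
        accepted.append((inner, outer, count))
    return True

# Constructed sample /etc/subuid, not taken from any real system
SAMPLE_SUBUID = "root:100000:65536\nalice:165536:65536\nbob:231072:65536\n"
RANGES = parse_subid(SAMPLE_SUBUID)
```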
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers