ebiederm@xxxxxxxxxxxx wrote:
>Christian PERRIER <bubulle@xxxxxxxxxx> writes:
>
>> Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
>>>
>>> The kernel support for user namespaces allows ordinary users to use
>>> multiple uids and gids if they can get a trusted program to tell the
>>> kernel the set of subordinate uids and gids they are allowed to use.
>>>
>>> This is my work to make that trusted program.
>>> Two new files are added /etc/subuid /etc/subgid that specify
>>> ranges of uids and gids that users may use.
>>>
>>> useradd, and newusers are modified to add users to those files.
>>>
>>> userdel is modified to remove users from those files.
>>>
>>> usermod is modified to give manual control of what goes in those files.
>>>
>>> newuidmap and newgidmap read the new files and update
>>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>>> as requested by their command line parameters and as allowed
>>> by the /etc/subuid and /etc/subgid.
>>>
>>> The following patches are against the current development trunk
>>> of pkg-shadow svn rev 3745. With minor tweaking of man/Makefile.am
>>> these patches also apply to shadow 4.1.5.
>>>
>>> Eric W. Biederman (11):
>>>   Documentation for /etc/subuid and /etc/subgid
>>>   login.defs.5: Document the new variables in login.defs
>>>   Implement commonio_append.
>>>   Add backend support for subordinate uids and gids
>>>   Implement find_new_sub_uids find_new_sub_gids
>>>   userdel: Add support for removing subordinate user and group ids.
>>>   useradd: Add support for subordinate user identifiers
>>>   Add support for detecting busy subordinate user ids
>>>   usermod: Add support for subordinate uids and gids.
>>>   newusers: Add support for assigning subordinate uids and gids.
>>>   newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>>> ---
>>
>> OK, now we're ready for this.
>>
>> Eric, I have no skills to decide whether your patches can be included
>> or not. My proposal is to go ahead and include them in the upcoming
>> 4.2 release, that will be compiled and uploaded in Debian as soon as
>> released, so that it gets extensive testing.
>>
>> We now have an "upstream" git repository at
>>
>> http://github.com/shadow-maint/shadow.git
>>
>> Would you mind pushing your set of patches there?
>>
>> That requires an account on github and including you in the project
>> members (Serge Hallyn can do that).
>>
>> I would prefer this over committing/pushing myself.
>>
>> I really apologize for the too long delay working on this. We now need
>> to revive shadow's development.
>
>Understood.
>
>At this point Serge has taken over stewardship of those patches and has
>a version with all of the known bug fixes applied that has been reviewed
>and included in Ubuntu. So I expect the most responsible way is to just
>pull the branch with those changes that is in Ubuntu.
>
>Serge does that sound right?
>
>Eric

Sorry, think I just sent a private reply. To repeat, I can do this when
I'm back at a kbd, maybe Friday, definitely Monday.

Thanks,
-serge

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
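The cover letter quoted above describes the trust boundary the series introduces: /etc/subuid and /etc/subgid hold the ranges a user may delegate, and the suid helpers newuidmap/newgidmap only write /proc/[pid]/uid_map or gid_map entries that fall inside those ranges. The following Python model of that check is an added example and is not code from the shadow project or from any of the people in the thread. It uses the real line format of /etc/subuid (user:start:count) and of the kernel's uid_map (inside outside count), but the acceptance rule it applies (an outside range is allowed only when it lies entirely within one of the caller's own subordinate ranges) and the sample file contents are assumptions made for the example, not a statement of exactly what shadow's helpers do.

```python
"""Model of the range check a newuidmap-style helper must perform.

Assumed rule for this example: a requested outside range is permitted only
when it lies entirely inside a single /etc/subuid range owned by the caller.
The file format (user:start:count) and the uid_map format (inside outside
count) are the real ones; everything else here is illustrative.
"""
from dataclasses import dataclass

# Constructed sample of /etc/subuid for the example, not from any real host.
SAMPLE_SUBUID = """\
# comment lines and blank lines are ignored
alice:100000:65536
bob:165536:65536
alice:300000:1000

malformed-line
carol:not-a-number:10
"""


@dataclass(frozen=True)
class SubRange:
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:
        """Exclusive upper bound of the range."""
        return self.start + self.count


def parse_subid_file(text):
    """Parse user:start:count lines; skip comments, blanks and malformed lines."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            continue  # wrong field count: ignore rather than guess
        owner, start, count = parts
        try:
            start_i, count_i = int(start), int(count)
        except ValueError:
            continue  # non-numeric field: ignore
        if start_i < 0 or count_i <= 0:
            continue
        ranges.append(SubRange(owner, start_i, count_i))
    return ranges


def covered(user, outside, count, ranges):
    """True if [outside, outside+count) lies inside one range owned by user."""
    if count <= 0:
        return False
    return any(
        r.owner == user and r.start <= outside and outside + count <= r.end
        for r in ranges
    )


def _overlap(a, b):
    """Half-open interval overlap test on (start, count) pairs."""
    return a[0] < b[0] + b[1] and b[0] < a[0] + a[1]


def build_id_map(user, requests, ranges):
    """Return the text to write to /proc/[pid]/uid_map, or raise.

    requests: iterable of (inside, outside, count) triples, the same three
    numbers newuidmap takes per mapping on its command line.
    """
    reqs = list(requests)
    for inside, outside, count in reqs:
        if inside < 0 or outside < 0 or count <= 0:
            raise ValueError(f"invalid triple {(inside, outside, count)}")
        if not covered(user, outside, count, ranges):
            raise PermissionError(
                f"{user} may not map outside ids {outside}-{outside + count - 1}")
    # The kernel rejects overlapping mappings; fail early rather than at write time.
    for i, a in enumerate(reqs):
        for b in reqs[:i]:
            if _overlap((a[0], a[2]), (b[0], b[2])) or _overlap((a[1], a[2]), (b[1], b[2])):
                raise ValueError(f"overlapping mappings {a} and {b}")
    return "".join(f"{i:>10} {o:>10} {c:>10}\n" for i, o, c in reqs)


if __name__ == "__main__":
    rs = parse_subid_file(SAMPLE_SUBUID)
    print(build_id_map("alice", [(0, 100000, 65536)], rs), end="")
```

The two refusals are the interesting cases for a reviewer: a range belonging to another user, and a range that merely straddles the end of the caller's own allocation, are both rejected even though each individual id in the second case looks plausible.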