shadow-utils/shadow-4.8.1-man_clarify_subid_delegation.patch


From d5b15f8633d0eabed885cd16feda224ec2d59072 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 24 May 2021 12:14:43 +0200
Subject: [PATCH] man: clarify subid delegation
Clarify that the subid delegation can only come from one source.
Moreover, add an example of what might happen if the subid source is NSS
and useradd is executed.
Related: https://github.com/shadow-maint/shadow/issues/331
---
man/newgidmap.1.xml | 12 +++++++++---
man/newuidmap.1.xml | 10 ++++++++--
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
index 76fc1e30..7aaf34bf 100644
--- a/man/newgidmap.1.xml
+++ b/man/newgidmap.1.xml
@@ -88,9 +88,15 @@
<title>DESCRIPTION</title>
<para>
The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
- command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
- through the configured NSS subid module).
- Note that the root user is not exempted from the requirement for a valid
+ command line arguments and the gids allowed. The subid delegation can come either from files
+ (<filename>/etc/subgid</filename>) or from the configured NSS subid module. Only one of them
+ can be chosen at a time. So, for example, if the subid source is configured as NSS and
+ <command>groupadd</command> is executed, then the command will fail and the entry will not be
+ created in <filename>/etc/subgid</filename>.
+ </para>
+
+ <para>
+ Note that the root group is not exempted from the requirement for a valid
<filename>/etc/subgid</filename> entry.
</para>
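Review bot: the change from "root user" to "root group" in the second paragraph is wrong for this file: /etc/subgid entries are keyed by user name (the subgid(5) text in this same series describes each line as "a user name and a range of subordinate group ids that user" may use), so the exemption being denied is for the root user running newgidmap, not for a root group. Keep "root user". The added example is also stronger than the page can support: saying groupadd "will fail" when the subid source is NSS asserts a non-zero exit; if groupadd merely skips creating the /etc/subgid entry, say that instead, and consider keeping the groupadd example with subgid(5) rather than in the newgidmap page, since it describes account creation, not mapping.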
diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
index 44eca50a..4bc1ef7a 100644
--- a/man/newuidmap.1.xml
+++ b/man/newuidmap.1.xml
@@ -88,8 +88,14 @@
<title>DESCRIPTION</title>
<para>
The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
- command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
- through the configured NSS subid module).
+ command line arguments and the uids allowed. The subid delegation can come either from files
+ (<filename>/etc/subuid</filename>) or from the configured NSS subid module. Only one of them
+ can be chosen at a time. So, for example, if the subid source is configured as NSS and
+ <command>useradd</command> is executed, then the command will fail and the entry will not be
+ created in <filename>/etc/subuid</filename>.
+ </para>
+
+ <para>
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subuid</filename> entry.
</para>
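Review bot: "Only one of them can be chosen at a time" does not say where the choice is made, so a reader of newuidmap(1) has no way to locate the setting; name the mechanism (the subid entry in nsswitch.conf) or cross-reference subuid(5). The useradd sentence has the same issue as its groupadd counterpart: "the command will fail" is a claim about useradd's exit status that nothing else on this page documents; state only that no /etc/subuid entry is created when the source is not files, or move the example to the useradd/subuid documentation.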
--
2.30.2
From 68ebbf936038e4e4c8b5105bd3246ef9709b6354 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 7 Jun 2021 11:50:56 +0200
Subject: [PATCH 1/2] man: clarify subid delegation behaviour
Following the discussion https://github.com/shadow-maint/shadow/pull/345
I have changed the documentation to clarify the behaviour of subid
delegation when any subid source except files is configured.
---
man/newgidmap.1.xml | 11 +++++------
man/newuidmap.1.xml | 11 +++++------
2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
index 7aaf34bf..681aefcb 100644
--- a/man/newgidmap.1.xml
+++ b/man/newgidmap.1.xml
@@ -87,12 +87,11 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
- The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
- command line arguments and the gids allowed. The subid delegation can come either from files
- (<filename>/etc/subgid</filename>) or from the configured NSS subid module. Only one of them
- can be chosen at a time. So, for example, if the subid source is configured as NSS and
- <command>groupadd</command> is executed, then the command will fail and the entry will not be
- created in <filename>/etc/subgid</filename>.
+ The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename>
+ based on its command line arguments and the gids allowed. Subgid
+ delegation can either be managed via <filename>/etc/subgid</filename>
+ or through the configured NSS subid module. These options are mutually
+ exclusive.
</para>
<para>
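Review bot: "These options are mutually exclusive" drops the earlier example but still gives no pointer to where the source is selected; add a cross-reference to subgid(5) or nsswitch.conf so the newgidmap page tells the reader how to find out which source is in effect. Note also that the diffstat for this file (5 insertions, 6 deletions, all in this hunk) means the "root group" wording introduced by the first patch in the following paragraph is left in place; it should be reverted to "root user" here, since /etc/subgid entries are per user.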
diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
index 4bc1ef7a..09e65d80 100644
--- a/man/newuidmap.1.xml
+++ b/man/newuidmap.1.xml
@@ -87,12 +87,11 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
- The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
- command line arguments and the uids allowed. The subid delegation can come either from files
- (<filename>/etc/subuid</filename>) or from the configured NSS subid module. Only one of them
- can be chosen at a time. So, for example, if the subid source is configured as NSS and
- <command>useradd</command> is executed, then the command will fail and the entry will not be
- created in <filename>/etc/subuid</filename>.
+ The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename>
+ based on its command line arguments and the uids allowed. Subuid
+ delegation can either be managed via <filename>/etc/subuid</filename> or
+ through the configured NSS subid module. These options are mutually
+ exclusive.
</para>
<para>
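Review bot: same request as for newgidmap.1.xml: the mutual-exclusion sentence should point at where the choice is configured (subuid(5) or nsswitch.conf). Separately, reflowing the unchanged first sentence ("based on its command line arguments and the uids allowed") onto new lines turns a two-sentence wording change into a six-line rewrite; keeping the original line breaks for unchanged text would make the real change reviewable at a glance.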
--
2.31.1
From 0faec51bf0ec24e6e3d098cc55ed42584dd24efe Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 11 Jun 2021 15:25:42 +0200
Subject: [PATCH 2/2] man: definition and configuration of subid
Define the subid functionality and explain the way to configure its
delegation.
---
man/subgid.5.xml | 32 +++++++++++++++++++++++++++++++-
man/subuid.5.xml | 32 +++++++++++++++++++++++++++++++-
2 files changed, 62 insertions(+), 2 deletions(-)
diff --git a/man/subgid.5.xml b/man/subgid.5.xml
index 70c561c4..02f421ab 100644
--- a/man/subgid.5.xml
+++ b/man/subgid.5.xml
@@ -38,6 +38,11 @@
<surname>Biederman</surname>
<contrib>Creation, 2013</contrib>
</author>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Developer, 2021</contrib>
+ </author>
</refentryinfo>
<refmeta>
<refentrytitle>subgid</refentrytitle>
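Review bot: the existing <contrib> entry in this block records what was contributed ("Creation, 2013"); "Developer, 2021" names a role instead. Follow the same convention, e.g. "Subid delegation documentation, 2021", so the author list stays self-describing.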
@@ -48,11 +53,36 @@
</refmeta>
<refnamediv id='name'>
<refname>subgid</refname>
- <refpurpose>the subordinate gid file</refpurpose>
+ <refpurpose>the configuration for subordinate group ids</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
+ <para>
+ Subgid authorizes a group id to map ranges of group ids from its namespace
+ into child namespaces.
+ </para>
+ <para>
+ The delegation of the subordinate gids can be configured via the
+ <replaceable>subid</replaceable> field in
+ <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
+ as the delegation source. Setting this field to
+ <replaceable>files</replaceable> configures the delegation of gids to
+ <filename>/etc/subgid</filename>. Setting any other value treats
+ the delegation as a plugin following with a name of the form
+ <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
+ missing, then the subordinate gid delegation falls back to
+ <replaceable>files</replaceable>.
+ </para>
+ <para>
+ Note, that <command>groupadd</command> will only create entries in
+ <filename>/etc/subgid</filename> if subid delegation is managed via subid
+ files.
+ </para>
+ </refsect1>
+
+ <refsect1 id='local-subordinate-delegation'>
+ <title>LOCAL SUBORDINATE DELEGATION</title>
<para>
Each line in <filename>/etc/subgid</filename> contains
a user name and a range of subordinate group ids that user
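Review bot: the first new paragraph says "Subgid authorizes a group id to map ranges of group ids", but the LOCAL SUBORDINATE DELEGATION text directly below says each /etc/subgid line contains "a user name and a range of subordinate group ids that user" may use: it is a user, not a group id, that is authorized. Reword to "Subgid authorizes a user to map ranges of group ids from its namespace into child namespaces". Markup: <replaceable> marks text the reader must substitute, so subid and files should be <literal> (or <option>), with only $value replaceable inside libsubid_$value.so. Wording: "as a plugin following with a name of the form" should read "as a plugin with a name of the form", and "Note, that groupadd" should drop the comma. The fallback sentence ("If the value or plugin is missing ... falls back to files") should spell out what "missing" covers, i.e. whether a mistyped module name or a module that fails to load also silently selects /etc/subgid, because that decides which file grants the mappings newgidmap will honour.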
diff --git a/man/subuid.5.xml b/man/subuid.5.xml
index ec6a85f5..990d162e 100644
--- a/man/subuid.5.xml
+++ b/man/subuid.5.xml
@@ -38,6 +38,11 @@
<surname>Biederman</surname>
<contrib>Creation, 2013</contrib>
</author>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Developer, 2021</contrib>
+ </author>
</refentryinfo>
<refmeta>
<refentrytitle>subuid</refentrytitle>
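Review bot: same <contrib> convention point as in subgid.5.xml: record the contribution ("... documentation, 2021") rather than the role "Developer".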
@@ -48,11 +53,36 @@
</refmeta>
<refnamediv id='name'>
<refname>subuid</refname>
- <refpurpose>the subordinate uid file</refpurpose>
+ <refpurpose>the configuration for subordinate user ids</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
+ <para>
+ Subuid authorizes a user id to map ranges of user ids from its namespace
+ into child namespaces.
+ </para>
+ <para>
+ The delegation of the subordinate uids can be configured via the
+ <replaceable>subid</replaceable> field in
+ <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
+ as the delegation source. Setting this field to
+ <replaceable>files</replaceable> configures the delegation of uids to
+ <filename>/etc/subuid</filename>. Setting any other value treats
+ the delegation as a plugin following with a name of the form
+ <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
+ missing, then the subordinate uid delegation falls back to
+ <replaceable>files</replaceable>.
+ </para>
+ <para>
+ Note, that <command>useradd</command> will only create entries in
+ <filename>/etc/subuid</filename> if subid delegation is managed via subid
+ files.
+ </para>
+ </refsect1>
+
+ <refsect1 id='local-subordinate-delegation'>
+ <title>LOCAL SUBORDINATE DELEGATION</title>
<para>
Each line in <filename>/etc/subuid</filename> contains
a user name and a range of subordinate user ids that user
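Review bot: the fallback sentence ("If the value or plugin is missing, then the subordinate uid delegation falls back to files") is the security-relevant line of this hunk and should be explicit about its scope: whether an unknown value, an absent libsubid_$value.so, or a module that fails to load all silently switch authorization to /etc/subuid, and whether that is reported anywhere. An administrator who believes NSS is the source while /etc/subuid is actually consulted ends up with a different set of users able to obtain mappings through newuidmap. Markup and wording as in subgid.5.xml: subid and files are literal values, not <replaceable> text, so only $value in libsubid_$value.so should be replaceable; "a plugin following with a name of the form" should be "a plugin with a name of the form"; "Note, that useradd" should drop the comma. Finally, the DESCRIPTION now refers to /etc/nsswitch.conf but the hunk adds no cross-reference to nsswitch.conf(5); add one.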
--
2.31.1