From: paul <goodoldpaul@autistici.org>
To: guix-devel@gnu.org
Subject: /etc/subuid and /etc/subgid support
Date: Sun, 28 Jul 2024 17:55:16 +0200
Message-ID: <a4fca3ae-3991-7597-8a2d-c7ac51049584@autistici.org>
Hello guixers,
I just sent a couple of patches [0] adding a full Scheme implementation
of the bits of Shadow that read and write /etc/subuid and /etc/subgid,
and some logic to handle generic requests from users that don't care
about specific ranges but just want to have some subids.
The result is a simple Guix System service that allows users to set up
these files on their system. I hope this can be a sound foundation for
the rootless-podman-service-type that I plan to implement.
I'm pasting here an excerpt of the documentation.
The (gnu system shadow) module exposes the subids-service-type, its
configuration record subids-configuration and its extension record
subids-extension.
With subids-service-type, subuids and subgids ranges can be reserved for
users that desire so:
(use-modules (gnu system shadow)    ;for 'subids-service-type'
             (gnu system accounts)) ;for 'subid-range'

(operating-system
  (services
   (list
    (simple-service 'alice-bob-subids
                    subids-service-type
                    (subids-extension
                     (subgids
                      (list
                       (subid-range (name "alice"))))
                     (subuids
                      (list
                       (subid-range (name "alice"))
                       (subid-range (name "bob")
                                    (start 100700)))))))))
Users (and, definitely, other services) are usually supposed to extend the
service instead of adding subids directly to subids-configuration,
unless they want to change the default behavior for root. With default
settings the subids-service-type adds, if it's not already there, a
configuration for the root account to both /etc/subuid and /etc/subgid,
possibly starting at the minimum possible subid. Otherwise the root
subuids and subgids ranges are fitted wherever possible.
The above configuration will yield the following:
# cat /etc/subgid
root:100000:65536
alice:165536:65536
# cat /etc/subuid
root:100000:700
bob:100700:65536
alice:166236:65536
This is a request for comments both here and in issue #72337, so please
let me know what you think.
Thank you for your help,
giacomo
[0]: https://issues.guix.gnu.org/72337
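As an added example (not part of this message or of the Guix patches), a small Python checker that parses shadow-style name:start:count entries like the /etc/subuid output above and reports overlapping ranges, which would let two accounts map the same host ids into their user namespaces; the sample file content is constructed from the excerpt:

```python
import re
from dataclasses import dataclass

# Constructed sample: the /etc/subuid content shown in the message above.
SAMPLE_SUBUID = """\
root:100000:700
bob:100700:65536
alice:166236:65536
"""

# Shadow's subuid/subgid format: one name:start:count entry per line.
LINE_RE = re.compile(r"^([^:\s]+):(\d+):(\d+)$")


@dataclass(frozen=True)
class SubidRange:
    name: str
    start: int   # first id of the range
    count: int   # number of ids; the range is [start, start + count)


def parse_subid_file(text: str) -> list[SubidRange]:
    """Parse name:start:count lines, skipping blanks and '#' comments.
    Malformed or empty ranges raise instead of being silently dropped."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        name, start, count = m.group(1), int(m.group(2)), int(m.group(3))
        if count == 0:
            raise ValueError(f"line {lineno}: zero-length range for {name}")
        ranges.append(SubidRange(name, start, count))
    return ranges


def find_overlaps(ranges: list[SubidRange]) -> list[tuple[str, str]]:
    """Return every pair of entries whose ranges intersect.  Overlapping
    ranges let two accounts map the same host ids into their user
    namespaces, so files owned by those ids are shared between them."""
    ordered = sorted(ranges, key=lambda r: r.start)
    overlaps = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.start + a.count:
                break  # later entries start higher still, so none intersect a
            overlaps.append((a.name, b.name))
    return overlaps
```

Running it over the sample confirms that root's 700 ids end exactly where bob's fixed range at 100700 begins and that alice's range starts right after bob's, with no overlaps.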