Hello guixers,

I just sent a couple of patches [0] adding a full Scheme implementation 
of the bits of Shadow that read and write /etc/subuid and /etc/subgid, 
and some logic to handle generic requests from users that don't care 
about specific ranges but just want to have some subids .

The result is a simple Guix System service that allows users to setup 
these files on they're system. I hope this can be sound foundation for 
the rootless-podman-service-type that I plan to implement .

I'm pasting here an excerpt of the documentation.

The (gnu system shadow) module exposes the subids-service-type, its 
configuration record subids-configuration and its extension record 
subids-extension.

With subids-service-type, subuids and subgids ranges can be reserved for 
users that desire so:

(use-modules (gnu system shadow)      ;for 'subids-service-type'
              (gnu system accounts))   ;for 'subid-range'

(operating-system
   (services
     (list
       (simple-service 'alice-bob-subids
                       subids-service-type
                       (subids-extension
                         (subgids
                          (list
                           (subid-range (name "alice"))))
                         (subuids
                          (list
                           (subid-range (name "alice"))
                           (subid-range (name "bob")
                                        (start 100700)))))))))

Users (definitely other services), usually, are supposed to extend the 
service instead of adding subids directly to subids-configuration, 
unless they want to change the default behavior for root.  With default 
settings the subids-service-type adds, if it's not already there, a 
configuration for the root account to both /etc/subuid and /etc/subgid, 
possibly starting at the minimum possible subid.  Otherwise the root 
subuids and subgids ranges are fitted wherever possible.

The above configuration will yield the following:

# cat /etc/subgid
root:100000:65536
alice:165536:65536


# cat /etc/subuid
root:100000:700
bob:100700:65536
alice:166236:65536


This is a request for comments both here and in issue#72337 so please 
let me know what you think.

Thank you for your help,

giacomo

[0]: https://issues.guix.gnu.org/72337