Hello guixers,
I just sent a couple of patches [0] adding a full Scheme
implementation of the bits of Shadow that read and write
/etc/subuid and /etc/subgid, and some logic to handle generic
requests from users that don't care about specific ranges but just
want to have some subids.
The result is a simple Guix System service that allows users to
set up these files on their system. I hope this can be a sound
foundation for the rootless-podman-service-type that I plan to
implement.
I'm pasting here an excerpt of the documentation.
The (gnu system shadow) module exposes the subids-service-type,
its configuration record subids-configuration and its extension
record subids-extension.
With subids-service-type, subuids and subgids ranges can be
reserved for users that desire so:
(use-modules (gnu system shadow)    ;for 'subids-service-type'
             (gnu system accounts)) ;for 'subid-range'

(operating-system
  (services
    (list
      (simple-service 'alice-bob-subids
                      subids-service-type
                      (subids-extension
                        (subgids
                          (list (subid-range (name "alice"))))
                        (subuids
                          (list (subid-range (name "alice"))
                                (subid-range (name "bob")
                                             (start 100700)))))))))
Users (definitely other services), usually, are supposed to
extend the service instead of adding subids directly to
subids-configuration, unless they want to change the default
behavior for root. With default settings the subids-service-type
adds, if it's not already there, a configuration for the root
account to both /etc/subuid and /etc/subgid, possibly starting at
the minimum possible subid. Otherwise the root subuids and
subgids ranges are fitted wherever possible.
The above configuration will yield the following:
# cat /etc/subgid
root:100000:65536
alice:165536:65536

# cat /etc/subuid
root:100000:700
bob:100700:65536
alice:166236:65536
This is a request for comments both here and in issue #72337 so
please let me know what you think.
Thank you for your help,
giacomo
[0]: https://issues.guix.gnu.org/72337
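As an added example (not part of the patches or of Guix itself), here is a small Python checker for the Shadow subuid/subgid format: it parses the /etc/subuid output quoted in the message (embedded as a constructed sample) and reports ranges that overlap or fall below an assumed floor, which is the invariant a subid allocator must never break, since overlapping ranges would let two accounts map the same subordinate id.

```python
"""Parse /etc/subuid or /etc/subgid and check the ranges for overlap."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations

# Constructed sample: the /etc/subuid contents quoted in the message.
SAMPLE_SUBUID = """\
root:100000:700
bob:100700:65536
alice:166236:65536
"""


@dataclass(frozen=True)
class SubidRange:
    name: str
    start: int
    count: int

    @property
    def end(self) -> int:
        """Exclusive upper bound of the range."""
        return self.start + self.count


def parse_subid_file(text: str) -> list[SubidRange]:
    """Parse the Shadow format: one NAME:START:COUNT entry per line."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected NAME:START:COUNT, got {raw!r}")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: invalid range {raw!r}")
        ranges.append(SubidRange(name, start, count))
    return ranges


def find_overlaps(ranges: list[SubidRange]) -> list[tuple[str, str]]:
    """Return every pair of entries whose id ranges intersect."""
    return [(a.name, b.name) for a, b in combinations(ranges, 2)
            if a.start < b.end and b.start < a.end]


def check_subid_file(text: str, floor: int = 100000) -> list[str]:
    """Report overlaps and ranges starting below `floor` (assumed, taken
    from the lowest start in the quoted output; adjust to local policy)."""
    ranges = parse_subid_file(text)
    problems = [f"overlap: {a} and {b}" for a, b in find_overlaps(ranges)]
    problems += [f"below floor: {r.name}" for r in ranges if r.start < floor]
    return problems
```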