From: paul <goodoldpaul@autistici.org>
To: guix-devel@gnu.org
Subject: /etc/subuid and /etc/subgid support
Date: Sun, 28 Jul 2024 17:55:16 +0200

Hello guixers,

I just sent a couple of patches [0] adding a full Scheme implementation of the bits of Shadow that read and write /etc/subuid and /etc/subgid, and some logic to handle generic requests from users that don't care about specific ranges but just want to have some subids.

The result is a simple Guix System service that allows users to set up these files on their system. I hope this can be a sound foundation for the rootless-podman-service-type that I plan to implement.

I'm pasting here an excerpt of the documentation.

The (gnu system shadow) module exposes the subids-service-type, its configuration record subids-configuration and its extension record subids-extension.

With subids-service-type, subuids and subgids ranges can be reserved for users that desire so:

(use-modules (gnu system shadow)      ;for 'subids-service-type'
             (gnu system accounts))   ;for 'subid-range'
(operating-system
  (services
    (list
      (simple-service 'alice-bob-subids
                      subids-service-type
                      (subids-extension
                        (subgids
                         (list
                          (subid-range (name "alice"))))
                        (subuids
                         (list
                          (subid-range (name "alice"))
                          (subid-range (name "bob")
                                       (start 100700)))))))))

Users (definitely other services), usually, are supposed to extend the service instead of adding subids directly to subids-configuration, unless they want to change the default behavior for root.  With default settings the subids-service-type adds, if it's not already there, a configuration for the root account to both /etc/subuid and /etc/subgid, possibly starting at the minimum possible subid.  Otherwise the root subuids and subgids ranges are fitted wherever possible.

The above configuration will yield the following:

# cat /etc/subgid
root:100000:65536
alice:165536:65536


# cat /etc/subuid
root:100000:700
bob:100700:65536
alice:166236:65536


This is a request for comments both here and in issue#72337 so please let me know what you think.

Thank you for your help,

giacomo

[0]: https://issues.guix.gnu.org/72337
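As an added example, not code from the patches or from Guix, the following Python models the allocation rules described in the excerpt above: root is placed first at the minimum subid and shortened when an explicitly placed range sits right above it (the root:100000:700 line in the expected /etc/subuid output), and ranges without a requested start are fitted into the first free gap in request order. It also carries the check a practitioner wants before trusting such a file: two accounts whose subordinate ranges overlap can map the same kernel IDs inside their user namespaces, so files written by one user's rootless containers become accessible to the other's. The constants SUBID_MIN, SUBID_MAX and DEFAULT_COUNT, the first-fit rule and every function name are my assumptions, reconstructed only from the output quoted in the message.

```python
"""Model of /etc/subuid and /etc/subgid allocation.

Constructed example: not the Scheme code from the patches. The placement
rules (root first at SUBID_MIN, truncated before the first explicitly placed
range; other ranges first-fit in request order) are my reading of the
expected output quoted in the message, and all names here are my own.
"""
import bisect
from dataclasses import dataclass
from typing import Optional

SUBID_MIN = 100_000      # assumption: shadow's default SUB_UID_MIN / SUB_GID_MIN
SUBID_MAX = 2**32 - 2    # assumption: keep 0xFFFFFFFF (the "no id" sentinel) free
DEFAULT_COUNT = 65_536   # assumption: shadow's default SUB_UID_COUNT / SUB_GID_COUNT


@dataclass(frozen=True)
class SubidRange:
    name: str
    start: Optional[int] = None   # None: let the allocator pick a start
    count: int = DEFAULT_COUNT

    @property
    def end(self) -> int:          # exclusive upper bound
        return self.start + self.count


def parse_subid_file(text: str) -> list[SubidRange]:
    """Parse 'name:start:count' lines as found in /etc/subuid or /etc/subgid."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count, got {raw!r}")
        name, start, count = fields
        ranges.append(SubidRange(name, int(start), int(count)))
    return ranges


def check_ranges(ranges) -> list[str]:
    """Report ranges that are empty, outside [SUBID_MIN, SUBID_MAX], or overlapping.

    Overlap is the security-relevant case: two users sharing subordinate IDs
    can both map them in their user namespaces, so their rootless containers
    are no longer isolated from each other.
    """
    problems = []
    fixed = sorted(ranges, key=lambda r: r.start)
    for r in fixed:
        if r.count <= 0 or r.start < SUBID_MIN or r.end - 1 > SUBID_MAX:
            problems.append(f"{r.name}: {r.start}:{r.count} outside [{SUBID_MIN}, {SUBID_MAX}]")
    for a, b in zip(fixed, fixed[1:]):
        if b.start < a.end:
            problems.append(f"{a.name} and {b.name} overlap at {b.start}")
    return problems


def _first_fit(count: int, taken: list[tuple[int, int]]) -> int:
    """Lowest start >= SUBID_MIN with `count` free ids; `taken` is sorted (start, end)."""
    cursor = SUBID_MIN
    for start, end in taken:
        if start - cursor >= count:
            break
        cursor = max(cursor, end)
    if cursor + count - 1 > SUBID_MAX:
        raise ValueError(f"no free range of {count} ids")
    return cursor


def allocate(requests, existing=()) -> list[SubidRange]:
    """Return the complete set of ranges for one file, sorted by start.

    `existing` models parsed ranges already in the file; `requests` are the
    subid-range entries a service extension asked for.
    """
    fixed = list(existing) + [r for r in requests if r.start is not None]
    problems = check_ranges(fixed)
    if problems:
        raise ValueError("; ".join(problems))
    taken = sorted((r.start, r.end) for r in fixed)
    result = list(fixed)

    def place(name, start, count):
        r = SubidRange(name, start, count)
        bisect.insort(taken, (r.start, r.end))
        result.append(r)

    dynamic = [r for r in requests if r.start is None]
    if "root" not in {r.name for r in fixed + dynamic}:
        # root goes first at SUBID_MIN, shortened if an explicit range sits
        # right above it (root:100000:700 next to bob:100700 in the message);
        # with no room at all it is fitted like any other range.
        room = min(DEFAULT_COUNT, (taken[0][0] if taken else SUBID_MAX + 1) - SUBID_MIN)
        if room > 0:
            place("root", SUBID_MIN, room)
        else:
            place("root", _first_fit(DEFAULT_COUNT, taken), DEFAULT_COUNT)
    for r in dynamic:
        place(r.name, _first_fit(r.count, taken), r.count)
    return sorted(result, key=lambda r: r.start)


def render(ranges) -> str:
    """Serialize in /etc/subuid syntax, one name:start:count line per range."""
    return "".join(f"{r.name}:{r.start}:{r.count}\n" for r in ranges)
```

Feeding the two request lists from the configuration excerpt through allocate() and render() reproduces the /etc/subuid and /etc/subgid contents quoted above; check_ranges() over parse_subid_file() of an existing file is the piece worth running on any host before enabling rootless containers, since shadow itself does not refuse a hand-edited file with overlapping ranges.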
