Subject: bug#72337: Add /etc/subuid and /etc/subgid support
To: Giacomo Leidi
Cc: 72337-done@debbugs.gnu.org, Maxim Cournoyer, Florian Pelz
From: Ludovic Courtès
Date: Wed, 18 Dec 2024 16:38:22 +0100
Message-ID: <87v7vhj91t.fsf_-_@gnu.org>
In-Reply-To: <7be849965238ddc6d30c696a5328b6c278d00565.1728340828.git.goodoldpaul@autistici.org> (Giacomo Leidi's message of "Tue, 8 Oct 2024 00:40:28 +0200")

Giacomo Leidi skribis:

> This commit adds a Guix System service to handle allocation of subuid
> and subgid requests. Users that don't care can just add themselves as a
> subid-range and don't need to specify anything but their user name.
> Users that care about specific ranges, such as possibly LXD, can specify
> a start and a count.
>
> * doc/guix.texi: Document the new service.
> * gnu/build/activation.scm (activate-subuids+subgids): New variable.
> * gnu/local.mk: Add gnu/tests/shadow.scm.
> * gnu/system/accounts.scm (sexp->subid-range): New variable.
> * gnu/system/shadow.scm (%root-subid): New variable;
> (subids-configuration): new record;
> (subid-range->gexp): new variable;
> (assert-valid-subids): new variable;
> (delete-duplicate-ranges): new variable;
> (subids-activation): new variable;
> (subids-extension): new record;
> (append-subid-ranges): new variable;
> (subids-extension-merge): new variable;
> (subids-service-type): new variable.
> * gnu/tests/shadow.scm (subids): New system test.
>
> Change-Id: I3755e1c75771220c74fe8ae5de1a7d90f2376635
> Signed-off-by: Giacomo Leidi

Applied as well! I took the liberty to make the changes below to the
documentation.

I’m sorry that it took me so long. I appreciate your patience and the
time you took to polish this patch series; I like the end result! And I
realize it’s quite an important feature that will unlock a few things.
Thumbs up!

Thanks,
Ludo’.

diff --git a/doc/guix.texi b/doc/guix.texi index f49154dc1b..fe84b52052 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -18848,6 +18848,13 @@ User Accounts special-case and is automatically added whether or not it is specified. @end defvar +@cindex containers, subordinate IDs +The Linux kernel also implements @dfn{subordinate user and group IDs}, +or ``subids'', which are used to map the ID of a user and group to +several IDs inside separate name spaces---inside ``containers''. +@xref{subordinate-user-group-ids, the subordinate user and group ID +service}, for information on how to configure it. + @node Keyboard Layout @section Keyboard Layout
@@ -41524,13 +41531,15 @@ Miscellaneous Services @c %end of fragment -@cindex Subids -@subsubheading Subid Service +@anchor{subordinate-user-group-ids} +@cindex subordinate user and group IDs +@cindex subid, subordinate user and group IDs +@subsubheading Subordinate User and Group ID Service -Among the virtualization facilities implemented by the Linux kernel, the is the -concept of subordinate IDs. Subordinate IDs allow for mapping user and group +Among the virtualization facilities implemented by the Linux kernel is the +concept of @dfn{subordinate IDs}. Subordinate IDs allow for mapping user and group IDs inside process namespaces to user and group IDs of the host system. -Subordinate user ID ranges (subids) allow to map virtual user IDs inside +Subordinate user ID ranges (subuids) allow users to map virtual user IDs inside containers to the user ID of an unprivileged user of the host system. Subordinate group ID ranges (subgids), instead map virtual group IDs to the group ID of an unprivileged user on the host system. You can access
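Review bot: the paragraph added in the User Accounts hunk (@@ -18848) says "The Linux kernel also implements @dfn{subordinate user and group IDs}", but what the kernel implements is user namespaces with per-namespace ID maps; /etc/subuid and /etc/subgid, which this series adds support for, are user-space files read by the setuid helpers that write those maps. Suggest making the split explicit, e.g. "Alongside user namespaces, the system supports @dfn{subordinate user and group IDs}, or ``subids'', stored in @file{/etc/subuid} and @file{/etc/subgid}, which map ...". The same hunk writes "name spaces" where the Miscellaneous Services hunk writes "namespaces"; use "namespaces" in both.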
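Review bot: in the Miscellaneous Services hunk (@@ -41524) the rewritten line "+Subordinate user ID ranges (subuids) allow users to map virtual user IDs inside" still runs into the unchanged "containers to the user ID of an unprivileged user of the host system", which describes the target as the user's own single UID; a subordinate range is a block of distinct host IDs reserved for that user (the start/count pair the commit message describes), not the user's UID. Suggest "to a range of host user IDs reserved for an unprivileged user", and the matching change for the subgid sentence, which should also read "(subgids) instead map" without the stray comma. The unchanged "IDs inside process namespaces" would be more precise as "IDs inside user namespaces", since ID mappings belong to user namespaces.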
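The series above is about allocating and validating subuid/subgid ranges (its commit message lists assert-valid-subids and delete-duplicate-ranges). What a reviewer would want to see alongside it is the check itself: two users whose ranges overlap end up sharing host IDs inside their containers, and a range that reaches below the ordinary account space lets a container's root own files as real host accounts. The following is an added example, not code from this thread, from Guix or from shadow. The only thing it takes from the real system is the `name:start:count` line format of /etc/subuid and /etc/subgid; the sample file contents, the 65536 floor and every function name are this example's own assumptions. It parses such a file, reports overlaps and low ranges, and performs a first-fit allocation of a fresh range.

```python
"""Check and allocate subordinate ID ranges in /etc/subuid format.

Added example, not Guix or shadow code.  The only thing taken from the
real system is the `name:start:count` line format of /etc/subuid and
/etc/subgid; the sample data, the 65536 floor and every function name
are this example's own choices.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, List

# Constructed sample file: root and alice are fine, bob's range overlaps
# alice's, and carol's range starts inside the ordinary account ID space.
SAMPLE_SUBUID = """\
# user:start:count
root:100000:65536
alice:165536:65536
bob:200000:65536
carol:1000:65536
"""

# Example policy, not a rule of the file format: IDs below this are treated
# as belonging to real host accounts and must not appear in any range.
MIN_SUBID = 65536
# (uid_t)-1 is never a valid ID, so every range must stay below it.
MAX_ID = 2**32 - 1


@dataclass(frozen=True)
class SubidRange:
    name: str
    start: int
    count: int

    @property
    def end(self) -> int:
        """Exclusive upper bound."""
        return self.start + self.count

    def overlaps(self, other: "SubidRange") -> bool:
        return self.start < other.end and other.start < self.end

    def __str__(self) -> str:
        return f"{self.name} [{self.start}-{self.end - 1}]"


def parse_subid_file(text: str) -> List[SubidRange]:
    """Parse `name:start:count` lines, skipping blanks and `#` comments."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or not fields[0]:
            raise ValueError(f"line {lineno}: expected name:start:count, got {raw!r}")
        name, start, count = fields
        if not (start.isdigit() and count.isdigit()):
            raise ValueError(f"line {lineno}: start and count must be unsigned integers")
        start_i, count_i = int(start), int(count)
        if count_i == 0 or start_i + count_i > MAX_ID:
            raise ValueError(f"line {lineno}: empty range or range exceeds the ID space")
        ranges.append(SubidRange(name, start_i, count_i))
    return ranges


def check_ranges(ranges: Iterable[SubidRange], floor: int = MIN_SUBID) -> List[str]:
    """Report ranges that reach into host account IDs and ranges that overlap.

    An overlap means two users' containers would share host IDs, which
    defeats the isolation subordinate IDs exist to provide.
    """
    problems = []
    ordered = sorted(ranges, key=lambda r: (r.start, r.name))
    for r in ordered:
        if r.start < floor:
            problems.append(f"{r} reaches into host account IDs below {floor}")
    for a, b in combinations(ordered, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems


def find_free_range(ranges: Iterable[SubidRange], count: int,
                    floor: int = MIN_SUBID) -> int:
    """First-fit allocation: lowest start >= floor whose block of `count`
    IDs touches no existing range and stays inside the ID space."""
    if count <= 0:
        raise ValueError("count must be positive")
    candidate = floor
    for r in sorted(ranges, key=lambda r: r.start):
        if r.end <= candidate:
            continue                      # entirely below the candidate block
        if r.start >= candidate + count:
            break                         # the gap before r is big enough
        candidate = r.end                 # r collides; retry just past it
    if candidate + count > MAX_ID:
        raise ValueError(f"no free block of {count} subordinate IDs")
    return candidate


if __name__ == "__main__":
    ranges = parse_subid_file(SAMPLE_SUBUID)
    for problem in check_ranges(ranges):
        print("problem:", problem)
    print("next free 65536-ID block starts at", find_free_range(ranges, 65536))
```

The overlap check is deliberately pairwise rather than neighbour-only: after sorting by start, one large range can enclose several later ones, so comparing only adjacent entries would miss collisions. The allocator walks the sorted ranges and bumps the candidate past each one it collides with, which is enough for a file of this size and keeps the chosen block out of both the host account space and the invalid top of the ID range.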