Subject: [bug#72337] Add /etc/subuid and /etc/subgid support
From: Ludovic Courtès
To: Giacomo Leidi
Cc: 72337@debbugs.gnu.org, Maxim Cournoyer, Florian Pelz, Matthew Trzcinski
Date: Wed, 04 Sep 2024 23:20:06 +0200
Message-ID: <87zfon9kvt.fsf_-_@gnu.org>
In-Reply-To: <8b0b9421e1347e0f0d6ce88c8eb66a5b6296cc0c.1724192097.git.goodoldpaul@autistici.org> (Giacomo Leidi's message of "Wed, 21 Aug 2024 00:14:57 +0200")

Giacomo Leidi writes:

> This commit adds a Guix System service to handle allocation of subuid
> and subgid requests. Users that don't care can just add themselves as a
> subid-range and don't need to specify anything but their user name.
> Users that care about specific ranges, such as possibly LXD, can specify
> a start and a count.
>
> * doc/guix.texi: Document the new service.
> * gnu/build/activation.scm (activate-subuids+subgids): New variable.
> * gnu/local.mk: Add gnu/tests/shadow.scm.
> * gnu/system/accounts.scm (sexp->subid-range): New variable.
> * gnu/system/shadow.scm (%root-subid): New variable;
> (subids-configuration): new record;
> (subid-range->gexp): new variable;
> (assert-valid-subids): new variable;
> (delete-duplicate-ranges): new variable;
> (subids-activation): new variable;
> (subids-extension): new record;
> (append-subid-ranges): new variable;
> (subids-extension-merge): new variable;
> (subids-service-type): new variable.
> * gnu/tests/shadow.scm (subids): New system test.
>
> Change-Id: I3755e1c75771220c74fe8ae5de1a7d90f2376635

Nice.

> +The @code{(gnu system shadow)} module exposes the
> +@code{subids-service-type}, its configuration record
> +@code{subids-configuration} and its extension record
> +@code{subids-extension}.

I think this section should start by defining briefly what a “subordinate ID” is, with a cross-reference to a primary source for that (unfortunately glibc’s manual has nothing about it, so that’d be Linux man pages I guess), and by giving an idea of what it’s used for.

It should use “subuid” and “subgid” only after it has introduced them as abbreviations of “subordinate UID”.

> +for the root account to both @code{/etc/subuid} and @code{/etc/subgid}, possibly

s/@code/@file/

> +(define %sub-id-min
> +  (@@ (gnu build accounts) %sub-id-min))
> +(define %sub-id-max
> +  (@@ (gnu build accounts) %sub-id-max))
> +(define %sub-id-count
> +  (@@ (gnu build accounts) %sub-id-count))

Use single ‘@’ or, better yet, #:use-module the thing.

> +(define (assert-valid-subids ranges)
> +  (cond ((>= (fold + 0 (map subid-range-count ranges))
> +             (- %sub-id-max %sub-id-min -1))
> +         (raise
> +          (string-append
> +           "The configured ranges are more than the "
> +           (number->string
> +            (- %sub-id-max %sub-id-min -1)) " max allowed.")))

Same comment as before regarding ‘raise’. In this case, you could do: (raise (formatted-message (G_ …) …)). This is done elsewhere in the code.

> +          (define slurp
> +            (lambda args
> +              (let* ((port (apply open-pipe* OPEN_READ args))
> +                     (output (read-lines port))
> +                     (status (close-pipe port)))
> +                output)))
> +          (let* ((response1 (slurp
> +                             ,(string-append #$coreutils "/bin/cat")
> +                             "/etc/subgid"))
> +                 (response2 (slurp
> +                             ,(string-append #$coreutils "/bin/cat")
> +                             "/etc/subuid")))
> +            (list (string-join response1 "\n") (string-join response2 "\n"))))

Instead of running ‘cat’, I would suggest using:

  (call-with-input-file "/etc/subuid" get-string-all)

or similar; it’s much simpler.

Also, it would be nice if the test could actually exercise subordinate IDs, with ‘newuidmap’ or some such. Is that within reach?

Thanks,
Ludo’.
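Review bot: in the assert-valid-subids hunk, the comparison `(>= (fold + 0 (map subid-range-count ranges)) (- %sub-id-max %sub-id-min -1))` rejects a configuration whose ranges exactly fill the available space, because `(- %sub-id-max %sub-id-min -1)` is the number of IDs in the closed interval from %sub-id-min to %sub-id-max; the error text says "more than", so `>` is the comparison that matches the message. Note also that the clause shown bounds only the sum of the counts: nothing in it rejects a range whose start (or start plus count) lies outside %sub-id-min..%sub-id-max, or two ranges that overlap, so if no later clause covers those cases a bad range could reach /etc/subuid and /etc/subgid with this check passing.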
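Review bot: in the slurp hunk of the system test, `status` is bound to the result of `(close-pipe port)` and then never used, so a failing `cat` (for example because /etc/subgid was not created by the activation code) is reported as an empty list of lines rather than as a test failure, and the subsequent `string-join` silently yields "". Either check the exit status, e.g. `(unless (zero? (status:exit-val status)) (error "reading subid file failed" args))`, or, as suggested above, read the two files directly so that a missing file raises an exception that the test framework will see.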