From: Giacomo Leidi via Guix-patches via <guix-patches@gnu.org>
To: 72337@debbugs.gnu.org
Cc: Giacomo Leidi <goodoldpaul@autistici.org>
Subject: [bug#72337] [PATCH v3 1/3] accounts: Add /etc/subuid and /etc/subgid support.
Date: Wed, 21 Aug 2024 00:14:55 +0200	[thread overview]
Message-ID: <ea47c9ba31ab1700d10c518d8be25238586dec33.1724192097.git.goodoldpaul@autistici.org> (raw)
In-Reply-To: <f07af6e8-8c73-9193-5f08-29f8ed1720fb@autistici.org>

This commit adds a new record type, <subid-entry> and serializers
and deserializers for it in (gnu build accounts).  Each instance of this
record represents one line in either /etc/subuid or /etc/subgid.  Since
Shadow uses the same representation for both files, it should be ok if
we do it as well.

This commit adds also <subid-range>, a user facing representation of
<subid-entry>. It is supposed to be usable directly in OS configurations.

* gnu/build/accounts.scm (subid-entry): New record;
(write-subgid): add serializer for subgids;
(write-subuid): add serializer for subuids;
(read-subgid): add deserializer for subgids;
(read-subuid): add deserializer for subuids.
* gnu/system/accounts.scm (subid-range): New record.
* test/accounts.scm: Test them.

Change-Id: I6b037e40e354c069bf556412bb5b626bd3ea1b2c
---
 gnu/build/accounts.scm  | 37 ++++++++++++++++++++++++---
 gnu/system/accounts.scm | 17 +++++++++++++
 tests/accounts.scm      | 55 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 106 insertions(+), 3 deletions(-)

diff --git a/gnu/build/accounts.scm b/gnu/build/accounts.scm
index fa6f454b5e..ea8c69f205 100644
--- a/gnu/build/accounts.scm
+++ b/gnu/build/accounts.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019, 2021, 2023 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2024 Giacomo Leidi <goodoldpaul@autistici.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -51,13 +52,23 @@ (define-module (gnu build accounts)
             group-entry-gid
             group-entry-members
 
+            subid-entry
+            subid-entry?
+            subid-entry-name
+            subid-entry-start
+            subid-entry-count
+
             %password-lock-file
             write-group
             write-passwd
             write-shadow
+            write-subgid
+            write-subuid
             read-group
             read-passwd
             read-shadow
+            read-subgid
+            read-subuid
 
             %id-min
             %id-max
@@ -68,11 +79,12 @@ (define-module (gnu build accounts)
 
 ;;; Commentary:
 ;;;
-;;; This modules provides functionality equivalent to the C library's
+;;; This module provides functionality equivalent to the C library's
 ;;; <shadow.h>, <pwd.h>, and <grp.h> routines, as well as a subset of the
 ;;; functionality of the Shadow command-line tools.  It can parse and write
-;;; /etc/passwd, /etc/shadow, and /etc/group.  It can also take care of UID
-;;; and GID allocation in a way similar to what 'useradd' does.
+;;; /etc/passwd, /etc/shadow, /etc/group, /etc/subuid and /etc/subgid.  It can
+;;; also take care of UID and GID allocation in a way similar to what 'useradd'
+;;; does.  The same goes for sub UID and sub GID allocation.
 ;;;
 ;;; The benefit is twofold: less code is involved, and the ID allocation
 ;;; strategy and state preservation is made explicit.
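Review bot: The new sentence "The same goes for sub UID and sub GID allocation" describes functionality this commit does not contain; the hunks below only add the record type plus the read/write procedures, and the thread shows allocation arriving in patch 2/3. A reader of this commit in isolation would look for allocation code that is not there. Either land that sentence with the allocation commit, or narrow it here to what is present, e.g. `;;; does.  It can also parse and write sub UID and sub GID ranges.`.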
@@ -225,6 +237,17 @@ (define-database-entry <group-entry>              ;<grp.h>
                    (serialization list->comma-separated comma-separated->list)
                    (default '())))
 
+(define-database-entry <subid-entry>              ;<subid.h>
+  subid-entry make-subid-entry
+  subid-entry?
+  (serialization #\: subid-entry->string string->subid-entry)
+
+  (name            subid-entry-name)
+  (start           subid-entry-start
+                   (serialization number->string string->number))
+  (count           subid-entry-count
+                   (serialization number->string string->number)))
+
 (define %password-lock-file
   ;; The password database lock file used by libc's 'lckpwdf'.  Users should
   ;; grab this lock with 'with-file-lock' when they access the databases.
@@ -265,6 +288,10 @@ (define write-shadow
   (database-writer "/etc/shadow" #o600 shadow-entry->string))
 (define write-group
   (database-writer "/etc/group" #o644 group-entry->string))
+(define write-subuid
+  (database-writer "/etc/subuid" #o644 subid-entry->string))
+(define write-subgid
+  (database-writer "/etc/subgid" #o644 subid-entry->string))
 
 (define (database-reader file string->entry)
   (lambda* (#:optional (file-or-port file))
@@ -287,6 +314,10 @@ (define read-shadow
   (database-reader "/etc/shadow" string->shadow-entry))
 (define read-group
   (database-reader "/etc/group" string->group-entry))
+(define read-subuid
+  (database-reader "/etc/subuid" string->subid-entry))
+(define read-subgid
+  (database-reader "/etc/subgid" string->subid-entry))
 
 \f
 ;;;
diff --git a/gnu/system/accounts.scm b/gnu/system/accounts.scm
index 586cff1842..9a006c188d 100644
--- a/gnu/system/accounts.scm
+++ b/gnu/system/accounts.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2024 Giacomo Leidi <goodoldpaul@autistici.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,6 +40,12 @@ (define-module (gnu system accounts)
             user-group-id
             user-group-system?
 
+            subid-range
+            subid-range?
+            subid-range-name
+            subid-range-start
+            subid-range-count
+
             sexp->user-account
             sexp->user-group
 
@@ -85,6 +92,16 @@ (define-record-type* <user-group>
   (system?        user-group-system?              ; Boolean
                   (default #f)))
 
+(define-record-type* <subid-range>
+  subid-range make-subid-range
+  subid-range?
+  (name           subid-range-name)
+  (start          subid-range-start (default #f))    ; number
+  (count          subid-range-count                  ; number
+                  ; from find_new_sub_gids.c and
+                  ; find_new_sub_uids.c
+                  (default 65536)))
+
 (define (default-home-directory account)
   "Return the default home directory for ACCOUNT."
   (string-append "/home/" (user-account-name account)))
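Review bot: `subid-range` is described as directly usable in OS configurations, yet neither `start` nor `count` is validated, so a configuration with `(count 0)`, a negative or inexact value, or a `start` that is not `#f`/non-negative is accepted here and only fails, if at all, somewhere in the allocation code this commit does not include. `define-record-type*` supports a `(sanitize ...)` field option, which is the usual place in Guix for this kind of check. The comment on `count` would also read better as `; default range size used by Shadow's useradd (find_new_sub_uids.c, find_new_sub_gids.c)`. Replace `error` with the module's preferred reporting mechanism if it has one.
```scheme
(define (validate-subid-range-count count)
  "Return COUNT if it is a positive exact integer; raise otherwise."
  (unless (and (exact-integer? count) (positive? count))
    (error "subid-range: count must be a positive integer" count))
  count)

;; … unchanged: <subid-range> header, name and start fields …
  (count          subid-range-count                  ; number
                  (default 65536)
                  (sanitize validate-subid-range-count)))
```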
diff --git a/tests/accounts.scm b/tests/accounts.scm
index 78136390bb..4944c22f49 100644
--- a/tests/accounts.scm
+++ b/tests/accounts.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2024 Giacomo Leidi <goodoldpaul@autistici.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -41,6 +42,16 @@ (define %shadow-sample
 charlie:" (crypt "hey!" "$6$abc") ":17169::::::
 nobody:!:0::::::\n"))
 
+(define %subuid-sample
+  "\
+root:100000:300
+ada:100300:300\n")
+
+(define %subgid-sample
+  "\
+root:100000:600
+ada:100600:300\n")
+
 \f
 (test-begin "accounts")
 
@@ -135,6 +146,50 @@ (define %shadow-sample
                       read-shadow)
                     port))))
 
+(test-equal "write-subuid"
+  %subuid-sample
+  (call-with-output-string
+    (lambda (port)
+      (write-subuid (list (subid-entry
+                           (name "root")
+                           (start 100000)
+                           (count 300))
+                          (subid-entry
+                           (name "ada")
+                           (start 100300)
+                           (count 300)))
+                    port))))
+
+(test-equal "read-subuid + write-subuid"
+  %subuid-sample
+  (call-with-output-string
+    (lambda (port)
+      (write-subuid (call-with-input-string %subuid-sample
+                      read-subuid)
+                    port))))
+
+(test-equal "write-subgid"
+  %subgid-sample
+  (call-with-output-string
+    (lambda (port)
+      (write-subgid (list (subid-entry
+                           (name "root")
+                           (start 100000)
+                           (count 600))
+                          (subid-entry
+                           (name "ada")
+                           (start 100600)
+                           (count 300)))
+                    port))))
+
+(test-equal "read-subgid + write-subgid"
+  %subgid-sample
+  (call-with-output-string
+    (lambda (port)
+      (write-subgid (call-with-input-string %subgid-sample
+                      read-subgid)
+                    port))))
+
 \f
 (define allocate-groups (@@ (gnu build accounts) allocate-groups))
 (define allocate-passwd (@@ (gnu build accounts) allocate-passwd))

base-commit: 00245fdcd4909d7e6b20fe88f5d089717115adc1
-- 
2.45.2




