From 68ebbf936038e4e4c8b5105bd3246ef9709b6354 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 7 Jun 2021 11:50:56 +0200
Subject: [PATCH 1/2] man: clarify subid delegation behaviour

Following the discussion https://github.com/shadow-maint/shadow/pull/345
I have changed the documentation to clarify the behaviour of subid
delegation when any subid source except files is configured.
---
 man/newgidmap.1.xml | 11 +++++------
 man/newuidmap.1.xml | 11 +++++------
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
index 7aaf34bf..681aefcb 100644
--- a/man/newgidmap.1.xml
+++ b/man/newgidmap.1.xml
@@ -87,12 +87,11 @@
   <refsect1 id='description'>
     <title>DESCRIPTION</title>
     <para>
-      The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
-      command line arguments and the gids allowed. The subid delegation can come either from files
-      (<filename>/etc/subgid</filename>) or from the configured NSS subid module. Only one of them
-      can be chosen at a time. So, for example, if the subid source is configured as NSS and
-      <command>groupadd</command> is executed, then the command will fail and the entry will not be
-      created in <filename>/etc/subgid</filename>.
+      The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename>
+      based on its command line arguments and the gids allowed. Subgid
+      delegation can either be managed via <filename>/etc/subgid</filename>
+      or through the configured NSS subid module. These options are mutually
+      exclusive.
     </para>
 
     <para>
diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
index 4bc1ef7a..09e65d80 100644
--- a/man/newuidmap.1.xml
+++ b/man/newuidmap.1.xml
@@ -87,12 +87,11 @@
   <refsect1 id='description'>
     <title>DESCRIPTION</title>
     <para>
-      The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
-      command line arguments and the uids allowed. The subid delegation can come either from files
-      (<filename>/etc/subuid</filename>) or from the configured NSS subid module. Only one of them
-      can be chosen at a time. So, for example, if the subid source is configured as NSS and
-      <command>useradd</command> is executed, then the command will fail and the entry will not be
-      created in <filename>/etc/subuid</filename>.
+      The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename>
+      based on its command line arguments and the uids allowed. Subuid
+      delegation can either be managed via <filename>/etc/subuid</filename> or
+      through the configured NSS subid module. These options are mutually
+      exclusive.
     </para>
 
     <para>

From 0faec51bf0ec24e6e3d098cc55ed42584dd24efe Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 11 Jun 2021 15:25:42 +0200
Subject: [PATCH 2/2] man: definition and configuration of subid

Define the subid functionality and explain the way to configure its
delegation.
---
 man/subgid.5.xml | 32 +++++++++++++++++++++++++++++++-
 man/subuid.5.xml | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/man/subgid.5.xml b/man/subgid.5.xml
index 70c561c4..02f421ab 100644
--- a/man/subgid.5.xml
+++ b/man/subgid.5.xml
@@ -38,6 +38,11 @@
       <surname>Biederman</surname>
       <contrib>Creation, 2013</contrib>
     </author>
+    <author>
+      <firstname>Iker</firstname>
+      <surname>Pedrosa</surname>
+      <contrib>Developer, 2021</contrib>
+    </author>
   </refentryinfo>
   <refmeta>
     <refentrytitle>subgid</refentrytitle>
@@ -48,11 +53,36 @@
   </refmeta>
   <refnamediv id='name'>
     <refname>subgid</refname>
-    <refpurpose>the subordinate gid file</refpurpose>
+    <refpurpose>the configuration for subordinate group ids</refpurpose>
   </refnamediv>
 
   <refsect1 id='description'>
     <title>DESCRIPTION</title>
+    <para>
+      Subgid authorizes a group id to map ranges of group ids from its namespace
+      into child namespaces.
+    </para>
+    <para>
+      The delegation of the subordinate gids can be configured via the
+      <replaceable>subid</replaceable> field in
+      <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
+      as the delegation source. Setting this field to
+      <replaceable>files</replaceable> configures the delegation of gids to
+      <filename>/etc/subgid</filename>. Setting any other value treats
+      the delegation as a plugin following with a name of the form
+      <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
+      missing, then the subordinate gid delegation falls back to
+      <replaceable>files</replaceable>.
+    </para>
+    <para>
+      Note, that <command>groupadd</command> will only create entries in
+      <filename>/etc/subgid</filename> if subid delegation is managed via subid
+      files.
+    </para>
+  </refsect1>
+
+  <refsect1 id='local-subordinate-delegation'>
+    <title>LOCAL SUBORDINATE DELEGATION</title>
     <para>
       Each line in <filename>/etc/subgid</filename> contains
       a user name and a range of subordinate group ids that user
diff --git a/man/subuid.5.xml b/man/subuid.5.xml
index ec6a85f5..990d162e 100644
--- a/man/subuid.5.xml
+++ b/man/subuid.5.xml
@@ -38,6 +38,11 @@
       <surname>Biederman</surname>
       <contrib>Creation, 2013</contrib>
     </author>
+    <author>
+      <firstname>Iker</firstname>
+      <surname>Pedrosa</surname>
+      <contrib>Developer, 2021</contrib>
+    </author>
   </refentryinfo>
   <refmeta>
     <refentrytitle>subuid</refentrytitle>
@@ -48,11 +53,36 @@
   </refmeta>
   <refnamediv id='name'>
     <refname>subuid</refname>
-    <refpurpose>the subordinate uid file</refpurpose>
+    <refpurpose>the configuration for subordinate user ids</refpurpose>
   </refnamediv>
 
   <refsect1 id='description'>
     <title>DESCRIPTION</title>
+    <para>
+      Subuid authorizes a user id to map ranges of user ids from its namespace
+      into child namespaces.
+    </para>
+    <para>
+      The delegation of the subordinate uids can be configured via the
+      <replaceable>subid</replaceable> field in
+      <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
+      as the delegation source. Setting this field to
+      <replaceable>files</replaceable> configures the delegation of uids to
+      <filename>/etc/subuid</filename>. Setting any other value treats
+      the delegation as a plugin following with a name of the form
+      <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
+      missing, then the subordinate uid delegation falls back to
+      <replaceable>files</replaceable>.
+    </para>
+    <para>
+      Note, that <command>useradd</command> will only create entries in
+      <filename>/etc/subuid</filename> if subid delegation is managed via subid
+      files.
+    </para>
+  </refsect1>
+
+  <refsect1 id='local-subordinate-delegation'>
+    <title>LOCAL SUBORDINATE DELEGATION</title>
     <para>
       Each line in <filename>/etc/subuid</filename> contains
       a user name and a range of subordinate user ids that user