d5b15f8633
Clarify that the subid delegation can only come from one source. Moreover, add an example of what might happen if the subid source is NSS and useradd is executed. Related: https://github.com/shadow-maint/shadow/issues/331
198 lines
6.4 KiB
XML
198 lines
6.4 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!--
|
|
Copyright (c) 2013 Eric W. Biederman
|
|
All rights reserved.
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
modification, are permitted provided that the following conditions
|
|
are met:
|
|
1. Redistributions of source code must retain the above copyright
|
|
notice, this list of conditions and the following disclaimer.
|
|
2. Redistributions in binary form must reproduce the above copyright
|
|
notice, this list of conditions and the following disclaimer in the
|
|
documentation and/or other materials provided with the distribution.
|
|
3. The name of the copyright holders or contributors may not be used to
|
|
endorse or promote products derived from this software without
|
|
specific prior written permission.
|
|
|
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
-->
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!-- SHADOW-CONFIG-HERE -->
|
|
]>
|
|
|
|
<refentry id='newgidmap.1'>
|
|
<refentryinfo>
|
|
<author>
|
|
<firstname>Eric</firstname>
|
|
<surname>Biederman</surname>
|
|
<contrib>Creation, 2013</contrib>
|
|
</author>
|
|
</refentryinfo>
|
|
<refmeta>
|
|
<refentrytitle>newgidmap</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
<refmiscinfo class="sectdesc">User Commands</refmiscinfo>
|
|
<refmiscinfo class="source">shadow-utils</refmiscinfo>
|
|
<refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
|
|
</refmeta>
|
|
<refnamediv id='name'>
|
|
<refname>newgidmap</refname>
|
|
<refpurpose>set the gid mapping of a user namespace</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv id='synopsis'>
|
|
<cmdsynopsis>
|
|
<command>newgidmap</command>
|
|
<arg choice='plain'>
|
|
<replaceable>pid</replaceable>
|
|
</arg>
|
|
<arg choice='plain'>
|
|
<replaceable>gid</replaceable>
|
|
</arg>
|
|
<arg choice='plain'>
|
|
<replaceable>lowergid</replaceable>
|
|
</arg>
|
|
<arg choice='plain'>
|
|
<replaceable>count</replaceable>
|
|
</arg>
|
|
<arg choice='opt'>
|
|
<arg choice='plain'>
|
|
<replaceable>gid</replaceable>
|
|
</arg>
|
|
<arg choice='plain'>
|
|
<replaceable>lowergid</replaceable>
|
|
</arg>
|
|
<arg choice='plain'>
|
|
<replaceable>count</replaceable>
|
|
</arg>
|
|
<arg choice='opt'>
|
|
<replaceable>...</replaceable>
|
|
</arg>
|
|
</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1 id='description'>
|
|
<title>DESCRIPTION</title>
|
|
<para>
|
|
The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
|
|
command line arguments and the gids allowed. The subid delegation can come either from files
|
|
(<filename>/etc/subgid</filename>) or from the configured NSS subid module. Only one of them
|
|
can be chosen at a time. So, for example, if the subid source is configured as NSS and
|
|
<command>groupadd</command> is executed, then the command will fail and the entry will not be
|
|
created in <filename>/etc/subgid</filename>.
|
|
</para>
|
|
|
|
<para>
|
|
Note that the root group is not exempted from the requirement for a valid
|
|
<filename>/etc/subgid</filename> entry.
|
|
</para>
|
|
|
|
<para>
|
|
After the pid argument, <command>newgidmap</command> expects sets of 3 integers:
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>gid</term>
|
|
<listitem>
|
|
<para>
|
|
Beginning of the range of GIDs inside the user namespace.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>lowergid</term>
|
|
<listitem>
|
|
<para>
|
|
Beginning of the range of GIDs outside the user namespace.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>count</term>
|
|
<listitem>
|
|
<para>
|
|
Length of the ranges (both inside and outside the user namespace).
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</para>
|
|
|
|
<para>
|
|
<command>newgidmap</command> verifies that the caller is the owner
|
|
of the process indicated by <option>pid</option> and that for each
|
|
of the above sets, each of the GIDs in the range [lowergid,
|
|
lowergid+count) is allowed to the caller according to
|
|
<filename>/etc/subgid</filename> before setting
|
|
<filename>/proc/[pid]/gid_map</filename>.
|
|
</para>
|
|
<para>
|
|
Note that newgidmap may be used only once for a given process.
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
<refsect1 id='options'>
|
|
<title>OPTIONS</title>
|
|
<para>
|
|
There currently are no options to the <command>newgidmap</command> command.
|
|
</para>
|
|
<variablelist remap='IP'>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1 id='files'>
|
|
<title>FILES</title>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><filename>/etc/subgid</filename></term>
|
|
<listitem>
|
|
<para>List of user's subordinate group IDs.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><filename>/proc/[pid]/gid_map</filename></term>
|
|
<listitem>
|
|
<para>Mapping of gids from one between user namespaces.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1 id='see_also'>
|
|
<title>SEE ALSO</title>
|
|
<para>
|
|
<citerefentry>
|
|
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry>,
|
|
<citerefentry>
|
|
<refentrytitle>newusers</refentrytitle><manvolnum>8</manvolnum>
|
|
</citerefentry>,
|
|
<citerefentry>
|
|
<refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry>,
|
|
<citerefentry>
|
|
<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
|
|
</citerefentry>,
|
|
<citerefentry>
|
|
<refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
|
|
</citerefentry>,
|
|
<citerefentry>
|
|
<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
|
|
</citerefentry>.
|
|
</para>
|
|
</refsect1>
|
|
</refentry>
|