
Upgrade "shadow" to 4.2.1 #3100

Merged 2 commits on Aug 28, 2014

Conversation

tailhook
Contributor

This includes:

  • Adding "newuidmap" and "newgidmap" setuid binaries
  • Add nix code to manage /etc/subuid and /etc/subgid mappings in user-groups module

Those commands and files are useful for user namespaces (for example, for running Linux containers as non-root users).

Note: the module overwrites both /etc/subuid and /etc/subgid on rebuild. Hopefully imperative manipulation of the files is not needed because of:

  1. The files were not supported in previous versions of NixOS, so it is unlikely anybody has them
  2. There are no (established) tools to manipulate the files in an imperative way

"shadow" 4.2.1 has been used in Arch Linux since 2014-05-10, and Ubuntu seems to use a patched version of 4.1.x that includes the "newuidmap" and "newgidmap" commands.

@tailhook
Contributor Author

Ah, sorry, this doesn't work because newuidmap opens the file with O_NOFOLLOW, so the symlink into /etc/static doesn't work; the file should be written directly to /etc/subuid. Will fix it shortly.
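The failure described in this comment, as an added illustration that is not part of the pull request: the program below builds a constructed temporary layout mirroring /etc/subuid as a symlink into /etc/static, then opens both the real file and the symlink with O_NOFOLLOW the way newuidmap does, showing that the symlink is refused with ELOOP. The directory names and the sample mapping line are constructed; nothing under /etc is touched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a path read-only without following a symlink in its final
 * component, the way newuidmap/newgidmap open /etc/subuid.
 * Returns a descriptor (>= 0) or -errno; a symlink yields -ELOOP. */
int open_nofollow(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    return fd >= 0 ? fd : -errno;
}

/* Build a constructed scratch layout under a temp dir that mirrors the
 * NixOS situation: a real file in static/ and a symlink pointing at it.
 *   <dir>/static/subuid   regular file with one "user:start:count" line
 *   <dir>/subuid          symlink -> static/subuid
 * Stores open_nofollow() results for both; returns 0 or -errno. */
int demo_nofollow(int *real_result, int *link_result) {
    char dir[] = "/tmp/subuid-demo-XXXXXX";
    char static_dir[64], real_path[64], link_path[64];
    if (mkdtemp(dir) == NULL) return -errno;
    snprintf(static_dir, sizeof static_dir, "%s/static", dir);
    snprintf(real_path, sizeof real_path, "%s/static/subuid", dir);
    snprintf(link_path, sizeof link_path, "%s/subuid", dir);
    if (mkdir(static_dir, 0755) != 0) return -errno;
    FILE *f = fopen(real_path, "w");
    if (f == NULL) return -errno;
    fputs("alice:100000:65536\n", f);   /* constructed sample mapping */
    fclose(f);
    if (symlink("static/subuid", link_path) != 0) return -errno;
    *real_result = open_nofollow(real_path);  /* expected: fd >= 0 */
    *link_result = open_nofollow(link_path);  /* expected: -ELOOP  */
    if (*real_result >= 0) close(*real_result);
    if (*link_result >= 0) close(*link_result);
    unlink(link_path); unlink(real_path); rmdir(static_dir); rmdir(dir);
    return 0;
}

int main(void) {
    int real_fd, link_fd;
    if (demo_nofollow(&real_fd, &link_fd) != 0) { perror("demo_nofollow"); return 1; }
    printf("regular file: %s\n", real_fd >= 0 ? "opened" : strerror(-real_fd));
    printf("symlink:      %s\n", link_fd >= 0 ? "opened" : strerror(-link_fd));
    return 0;
}
```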

@tailhook
Contributor Author

Ok, now subuid and subgid files work. Sorry for the noise ;)

@@ -504,6 +582,14 @@ in {
# for backwards compatibility
system.activationScripts.groups = stringAfter [ "users" ] "";

# We must put actual files in /etc/subuid and /etc/subgid
# because newuidmap and newgidmap opens files with O_NOFOLLOW
# as a security measure
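Review bot: the new comment states the O_NOFOLLOW constraint but not how the module satisfies it; since environment.etc already produces a real file rather than a symlink into /etc/static when its mode option is set (as the sudo.nix module does), prefer that facility over a separate copy step, and note in the comment that the generated /etc/subuid and /etc/subgid are overwritten on every rebuild, the behaviour the PR description calls out. Also, "opens" should be "open" after the plural subject "newuidmap and newgidmap".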
Member

You can use environment.etc to copy files, if you set the mode option. See e.g. the sudo.nix module.

Contributor Author

Cool. Fixed. Also rebased to the latest master.

7c6f434c added a commit that referenced this pull request Aug 28, 2014
7c6f434c merged commit 1fd14fa into NixOS:master Aug 28, 2014