Overview

Request 396754 superseded

Update to shadow-4.2.1 to add newuidmap/newgidmap support.

Currently it is not possible to handle subuid/subgid allocation in a standard
way since Tumbleweed and friends lack a proper shadow version which includes
the newuidmap/newgidmap executables. This commit updates shadow to version
4.2.1 which includes both those tools. Both executables require either the
setuid bit set or file caps but /etc/permissions and /etc/permissions.*
currently do not contain entries for newuidmap/newgidmap. This causes rpmlint
to spew errors and abort the build. This is currently handled by resorting to
the hack of adding package-specific permission files to /etc/permissions.d.
This should not be necessary once this is handled by placing the appropriate
permissions in /etc/permissions and /etc/permissions.*.

As unprivileged users cannot assign any subuids to a user namespace (only their
own current uid) they are not able to easily run user namespaced containers
with tools that rely on the presence of newuidmap/newgidmap. Even with the
files /etc/subuid and /etc/subgid present this is not always possible since
they are not read by the kernel itself. They only serve newuidmap/newgidmap.

When a user is assigned subuids/subgids a full range of 65536 subuids/subgids
is handed out. This is the POSIX compliant way and enables users to e.g. run
not just application but also system containers.

- Update to shadow-4.2.1:
  - add support for subuids/subgids via newuidmap/newgidmap
- Rename chkname-regex.diff to chkname-regex.patch
- Rename encryption_method_nis.diff to encryption_method_nis.patch
- Rename getdef-new-defs.diff to getdef-new-defs.patch
- Rename shadow-login_defs.diff to shadow-login_defs.patch
- Rename userdel-scripts.diff to userdel-script.patch
- Rename useradd-script.diff to useradd-script.patch
- Rename useradd-default.diff to useradd-default.patch
- Rename useradd-mkdirs.diff to useradd-mkdirs.patch
- Add fixes from Red Hat/Fedora:
  - shadow-4.1.5.1-audit-owner.patch.patch:
    - log owner changes for home directory
  - shadow-4.1.5.1-userdel-helpfix.patch.patch:
    - give a hint about what happens when you force the removal of a user
  - shadow-4.2.1-defs-chroot.patch.patch:
    - initialize uid_t uid_min and uid_t uid_max not before we need them
  - shadow-4.2.1-merge-group.patch.patch:
    - simplify by using a single call to snprintf()
- Add upstream fix
  - Fix-user-busy-errors-at-userdel.patch:
    - call sub_uid_close()
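
An added example, not part of the request or of shadow's own code: because /etc/subuid and /etc/subgid are read only by newuidmap/newgidmap, auditing those files shows what the setuid (or file-capability) helpers would be willing to map. The Python below parses the `owner:start:count` layout and flags ranges smaller than the 65536 IDs described above and ranges shared by two owners, which would let two users map the same host IDs. The function names and the sample contents are constructed for illustration.

```python
from itertools import combinations
from typing import NamedTuple

FULL_RANGE = 65536  # range size the request says each user is handed

class SubIdRange(NamedTuple):
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:
        return self.start + self.count  # first ID past the range

def parse_subid(text: str) -> list[SubIdRange]:
    """Parse owner:start:count lines (the /etc/subuid and /etc/subgid layout)."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: skip blanks/comments
            continue
        fields = line.split(":")
        if len(fields) != 3 or not fields[0]:
            raise ValueError(f"line {lineno}: expected owner:start:count")
        start, count = int(fields[1]), int(fields[2])  # ValueError if not numeric
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: start/count out of range")
        ranges.append(SubIdRange(fields[0], start, count))
    return ranges

def audit(ranges: list[SubIdRange]) -> list[str]:
    """Report ranges below FULL_RANGE and ranges shared between two owners."""
    findings = [f"short: {r.owner} has {r.count} IDs (< {FULL_RANGE})"
                for r in ranges if r.count < FULL_RANGE]
    ordered = sorted(ranges, key=lambda r: r.start)
    for a, b in combinations(ordered, 2):  # sorted, so a.start <= b.start
        if a.owner != b.owner and b.start < a.end:
            findings.append(f"overlap: {a.owner} and {b.owner} share "
                            f"{b.start}-{min(a.end, b.end) - 1}")
    return findings

# Constructed sample contents, not taken from any real system.
SAMPLE = """\
alice:100000:65536
bob:165536:65536
carol:200000:65536
dave:300000:1000
"""
if __name__ == "__main__":
    print("\n".join(audit(parse_subid(SAMPLE))))
```
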

Request History
Christian Brauner (chbrauner) created request


Michael Vetter (jubalh) superseded request

Supersede with disabling SUID for new programs for now
