horok/shadow
1
0
Fork 0
Code Activity
shadow/man/man5/subgid.5
Daniel Baumann 09a180ea01
Adding upstream version 1:4.17.4. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-22 05:06:56 +02:00

122 lines
3.3 KiB
Groff
Raw Permalink Blame History

'\" t
.\" Title: subgid
.\" Author: Eric Biederman
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\" Date: 03/19/2025
.\" Manual: File Formats and Configuration Files
.\" Source: shadow-utils 4.17.4
.\" Language: English
.\"
.TH "SUBGID" "5" "03/19/2025" "shadow\-utils 4\&.17\&.4" "File Formats and Configuration"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
subgid \- the configuration for subordinate group ids
.SH "DESCRIPTION"
.PP
Subgid authorizes a group id to map ranges of group ids from its namespace into child namespaces\&.
.PP
The delegation of the subordinate gids can be configured via the
\fIsubid\fR
field in
/etc/nsswitch\&.conf
file\&. Only one value can be set as the delegation source\&. Setting this field to
\fIfiles\fR
configures the delegation of gids to
/etc/subgid\&. Setting any other value treats the delegation as a plugin following with a name of the form
\fIlibsubid_$value\&.so\fR\&. If the value or plugin is missing, then the subordinate gid delegation falls back to
\fIfiles\fR\&.
.PP
Note, that
\fBnewusers\fR,
\fBuseradd\fR, and
\fBusermod\fR
will only create entries in
/etc/subgid
if subid delegation is managed via subid files\&.
.SH "LOCAL SUBORDINATE DELEGATION"
.PP
Each line in
/etc/subgid
contains a user name and a range of subordinate group ids that user is allowed to use\&. This is specified with three fields delimited by colons (\(lq:\(rq)\&. These fields are:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
login name or UID
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
numerical subordinate group ID
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
numerical subordinate group ID count
.RE
.PP
This file specifies the group IDs that ordinary users can use, with the
\fBnewgidmap\fR
command, to configure gid mapping in a user namespace\&.
.PP
Multiple ranges may be specified per user\&.
.PP
When large number of entries (10000\-100000 or more) are defined in
/etc/subgid, parsing performance penalty will become noticeable\&. In this case it is recommended to use UIDs instead of login names\&. Benchmarks have shown speed\-ups up to 20x\&.
.SH "FILES"
.PP
/etc/subgid
.RS 4
Per user subordinate group IDs\&.
.RE
.PP
/etc/subgid\-
.RS 4
Backup file for /etc/subgid\&.
.RE
.SH "SEE ALSO"
.PP
\fBlogin.defs\fR(5),
\fBnewgidmap\fR(1),
\fBnewuidmap\fR(1),
\fBnewusers\fR(8),
\fBsubuid\fR(5),
\fBuseradd\fR(8),
\fBuserdel\fR(8),
\fBusermod\fR(8),
\fBuser_namespaces\fR(7)\&.
View git blame Copy permalink