1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2013 Eric W. Biederman
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the copyright holders or contributors may not be used to
endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='newuidmap.1'>
<refmeta>
<refentrytitle>newuidmap</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class="sectdesc">User Commands</refmiscinfo>
<refmiscinfo class="source">shadow-utils</refmiscinfo>
<refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>newuidmap</refname>
<refpurpose>set the uid mapping of a user namespace</refpurpose>
</refnamediv>
<refsynopsisdiv id='synopsis'>
<cmdsynopsis>
<command>newuidmap</command>
<arg choice='plain'>
<replaceable>pid</replaceable>
</arg>
<arg choice='plain'>
<replaceable>uid</replaceable>
</arg>
<arg choice='plain'>
<replaceable>loweruid</replaceable>
</arg>
<arg choice='plain'>
<replaceable>count</replaceable>
</arg>
<arg choice='opt'>
<arg choice='plain'>
<replaceable>uid</replaceable>
</arg>
<arg choice='plain'>
<replaceable>loweruid</replaceable>
</arg>
<arg choice='plain'>
<replaceable>count</replaceable>
</arg>
<arg choice='opt'>
<replaceable>...</replaceable>
</arg>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
command line arguments and the uids allowed in <filename>/etc/subuid</filename>.
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subuid</filename> entry.
</para>
<para>
After the pid argument, <command>newuidmap</command> expects sets of 3 integers:
<variablelist>
<varlistentry>
<term>uid</term>
<listitem>
<para>
Beginning of the range of UIDs inside the user namespace.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loweruid</term>
<listitem>
<para>
Beginning of the range of UIDs outside the user namespace.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>count</term>
<listitem>
<para>
Length of the ranges (both inside and outside the user namespace).
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
<command>newuidmap</command> verifies that the caller is the owner
of the process indicated by <option>pid</option> and that for each
of the above sets, each of the UIDs in the range [loweruid,
loweruid+count] is allowed to the caller according to
<filename>/etc/subuid</filename> before setting
<filename>/proc/[pid]/uid_map</filename>.
</para>
<para>
Note that newuidmap may be used only once for a given process.
</para>
</refsect1>
<refsect1 id='options'>
<title>OPTIONS</title>
<para>
There currently are no options to the <command>newuidmap</command> command.
</para>
<variablelist remap='IP'>
</variablelist>
</refsect1>
<refsect1 id='files'>
<title>FILES</title>
<variablelist>
<varlistentry>
<term><filename>/etc/subuid</filename></term>
<listitem>
<para>List of user's subordinate user IDs.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>/proc/[pid]/uid_map</filename></term>
<listitem>
<para>Mapping of uids from one between user namespaces.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>newusers</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry>
|