summaryrefslogtreecommitdiffstats
path: root/man/man1/newuidmap.1
blob: 71b7226cb3cf1823b8e851318ec1cad921f39bf1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
'\" t
.\"     Title: newuidmap
.\"    Author: Eric Biederman
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 06/21/2024
.\"    Manual: User Commands
.\"    Source: shadow-utils 4.15.2
.\"  Language: English
.\"
.TH "NEWUIDMAP" "1" "06/21/2024" "shadow\-utils 4\&.15\&.2" "User Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
newuidmap \- set the uid mapping of a user namespace
.SH "SYNOPSIS"
.HP \w'\fBnewuidmap\fR\ 'u
\fBnewuidmap\fR \fIpid\fR \fIuid\fR \fIloweruid\fR \fIcount\fR [\fIuid\fR\ \fIloweruid\fR\ \fIcount\fR\ [\ \fI\&.\&.\&.\fR\ ]]
.SH "DESCRIPTION"
.PP
The
\fBnewuidmap\fR
sets
/proc/[pid]/uid_map
based on its command line arguments and the uids allowed\&. Subuid delegation can either be managed via
/etc/subuid
or through the configured NSS subid module\&. These options are mutually exclusive\&.
.PP
Note that the root user is not exempted from the requirement for a valid
/etc/subuid
entry\&.
.PP
After the pid argument,
\fBnewuidmap\fR
expects sets of 3 integers:
.PP
uid
.RS 4
Beginning of the range of UIDs inside the user namespace\&.
.RE
.PP
loweruid
.RS 4
Beginning of the range of UIDs outside the user namespace\&.
.RE
.PP
count
.RS 4
Length of the ranges (both inside and outside the user namespace)\&.
.RE
.PP
\fBnewuidmap\fR
verifies that the caller is the owner of the process indicated by
\fBpid\fR
and that for each of the above sets, each of the UIDs in the range [loweruid, loweruid+count) is allowed to the caller according to
/etc/subuid
before setting
/proc/[pid]/uid_map\&.
.PP
Note that newuidmap may be used only once for a given process\&.
.PP
Instead of an integer process id, the first argument may be specified as
\fIfd:N\fR, where the integer N is the file descriptor number for the calling process\*(Aqs opened file descriptor for the directory
/proc/[pid]\&. In this case,
\fBnewuidmap\fR
will use
openat(2)
to open the
uid_map
file under that directory, avoiding a TOCTTOU in case the process exits and the pid is immediately reused\&.
.SH "OPTIONS"
.PP
There currently are no options to the
\fBnewuidmap\fR
command\&.
.SH "FILES"
.PP
/etc/subuid
.RS 4
List of user\*(Aqs subordinate user IDs\&.
.RE
.PP
/proc/[pid]/uid_map
.RS 4
Mapping of uids from one between user namespaces\&.
.RE
.SH "SEE ALSO"
.PP
\fBlogin.defs\fR(5),
\fBnewusers\fR(8),
\fBsubuid\fR(5),
\fBuseradd\fR(8),
\fBusermod\fR(8),
\fBuserdel\fR(8)\&.