summaryrefslogtreecommitdiffstats
path: root/man/man5/subgid.5
blob: 5471ab7879d0b15571fdb5eb2b7ad4bb917c9d28 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
'\" t
.\"     Title: subgid
.\"    Author: Eric Biederman
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 06/21/2024
.\"    Manual: File Formats and Configuration Files
.\"    Source: shadow-utils 4.15.2
.\"  Language: English
.\"
.TH "SUBGID" "5" "06/21/2024" "shadow\-utils 4\&.15\&.2" "File Formats and Configuration"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
subgid \- the configuration for subordinate group ids
.SH "DESCRIPTION"
.PP
Subgid authorizes a group id to map ranges of group ids from its namespace into child namespaces\&.
.PP
The delegation of the subordinate gids can be configured via the
\fIsubid\fR
field in
/etc/nsswitch\&.conf
file\&. Only one value can be set as the delegation source\&. Setting this field to
\fIfiles\fR
configures the delegation of gids to
/etc/subgid\&. Setting any other value treats the delegation as a plugin following with a name of the form
\fIlibsubid_$value\&.so\fR\&. If the value or plugin is missing, then the subordinate gid delegation falls back to
\fIfiles\fR\&.
.PP
Note, that
\fBgroupadd\fR
will only create entries in
/etc/subgid
if subid delegation is managed via subid files\&.
.SH "LOCAL SUBORDINATE DELEGATION"
.PP
Each line in
/etc/subgid
contains a user name and a range of subordinate group ids that user is allowed to use\&. This is specified with three fields delimited by colons (\(lq:\(rq)\&. These fields are:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
login name or UID
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
numerical subordinate group ID
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
numerical subordinate group ID count
.RE
.PP
This file specifies the group IDs that ordinary users can use, with the
\fBnewgidmap\fR
command, to configure gid mapping in a user namespace\&.
.PP
Multiple ranges may be specified per user\&.
.PP
When large number of entries (10000\-100000 or more) are defined in
/etc/subgid, parsing performance penalty will become noticeable\&. In this case it is recommended to use UIDs instead of login names\&. Benchmarks have shown speed\-ups up to 20x\&.
.SH "FILES"
.PP
/etc/subgid
.RS 4
Per user subordinate group IDs\&.
.RE
.PP
/etc/subgid\-
.RS 4
Backup file for /etc/subgid\&.
.RE
.SH "SEE ALSO"
.PP
\fBlogin.defs\fR(5),
\fBnewgidmap\fR(1),
\fBnewuidmap\fR(1),
\fBnewusers\fR(8),
\fBsubuid\fR(5),
\fBuseradd\fR(8),
\fBuserdel\fR(8),
\fBusermod\fR(8),
\fBuser_namespaces\fR(7)\&.