diff options
Diffstat (limited to 'man/man5/subgid.5')
-rw-r--r-- | man/man5/subgid.5 | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/man/man5/subgid.5 b/man/man5/subgid.5 new file mode 100644 index 0000000..73b8617 --- /dev/null +++ b/man/man5/subgid.5 @@ -0,0 +1,120 @@ +'\" t +.\" Title: subgid +.\" Author: Eric Biederman +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: File Formats and Configuration Files +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "SUBGID" "5" "11/08/2022" "shadow\-utils 4\&.13" "File Formats and Configuration" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +subgid \- the configuration for subordinate group ids +.SH "DESCRIPTION" +.PP +Subgid authorizes a group id to map ranges of group ids from its namespace into child namespaces\&. +.PP +The delegation of the subordinate gids can be configured via the +\fIsubid\fR +field in +/etc/nsswitch\&.conf +file\&. Only one value can be set as the delegation source\&. Setting this field to +\fIfiles\fR +configures the delegation of gids to +/etc/subgid\&. Setting any other value treats the delegation as a plugin following with a name of the form +\fIlibsubid_$value\&.so\fR\&. If the value or plugin is missing, then the subordinate gid delegation falls back to +\fIfiles\fR\&. +.PP +Note, that +\fBgroupadd\fR +will only create entries in +/etc/subgid +if subid delegation is managed via subid files\&. +.SH "LOCAL SUBORDINATE DELEGATION" +.PP +Each line in +/etc/subgid +contains a user name and a range of subordinate group ids that user is allowed to use\&. This is specified with three fields delimited by colons (\(lq:\(rq)\&. These fields are: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +login name or UID +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +numerical subordinate group ID +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +numerical subordinate group ID count +.RE +.PP +This file specifies the group IDs that ordinary users can use, with the +\fBnewgidmap\fR +command, to configure gid mapping in a user namespace\&. +.PP +Multiple ranges may be specified per user\&. +.PP +When large number of entries (10000\-100000 or more) are defined in +/etc/subgid, parsing performance penalty will become noticeable\&. In this case it is recommended to use UIDs instead of login names\&. Benchmarks have shown speed\-ups up to 20x\&. +.SH "FILES" +.PP +/etc/subgid +.RS 4 +Per user subordinate group IDs\&. +.RE +.PP +/etc/subgid\- +.RS 4 +Backup file for /etc/subgid\&. +.RE +.SH "SEE ALSO" +.PP +\fBlogin.defs\fR(5), +\fBnewgidmap\fR(1), +\fBnewuidmap\fR(1), +\fBnewusers\fR(8), +\fBsubuid\fR(5), +\fBuseradd\fR(8), +\fBuserdel\fR(8), +\fBusermod\fR(8), +\fBuser_namespaces\fR(7)\&. |