path: root/man/subgid.5.xml
blob: e473768d444421c57ab9270b3da0cc5f70c72b5e (plain)
<?xml version="1.0" encoding="UTF-8"?>
<!--
   SPDX-FileCopyrightText: 2013 Eric W. Biederman
   SPDX-License-Identifier: BSD-3-Clause
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='subgid.5'>
  <refentryinfo>
    <author>
      <firstname>Eric</firstname>
      <surname>Biederman</surname>
      <contrib>Creation, 2013</contrib>
    </author>
    <author>
      <firstname>Iker</firstname>
      <surname>Pedrosa</surname>
      <contrib>Developer, 2021</contrib>
    </author>
  </refentryinfo>
  <refmeta>
    <refentrytitle>subgid</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
    <refmiscinfo class="source">shadow-utils</refmiscinfo>
    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
  </refmeta>
  <refnamediv id='name'>
    <refname>subgid</refname>
    <refpurpose>the configuration for subordinate group ids</refpurpose>
  </refnamediv>

  <refsect1 id='description'>
    <title>DESCRIPTION</title>
    <para>
      Subgid authorizes a group id to map ranges of group ids from its namespace
      into child namespaces.
    </para>
    <para>
      The delegation of the subordinate gids can be configured via the
      <replaceable>subid</replaceable> field in the
      <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
      as the delegation source. Setting this field to
      <replaceable>files</replaceable> configures the delegation of gids to
      <filename>/etc/subgid</filename>. Setting any other value delegates to
      a plugin whose name has the form
      <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
      missing, then the subordinate gid delegation falls back to
      <replaceable>files</replaceable>. Because of this fallback, the entries
      in <filename>/etc/subgid</filename> take effect whenever the configured
      plugin is missing, so that file should be kept accurate even on systems
      that normally delegate to a plugin.
    </para>
    <para>
      Note that <command>groupadd</command> creates entries in
      <filename>/etc/subgid</filename> only if subid delegation is managed
      via subid files.
    </para>
  </refsect1>

  <refsect1 id='local-subordinate-delegation'>
    <title>LOCAL SUBORDINATE DELEGATION</title>
    <para>
      Each line in <filename>/etc/subgid</filename> contains
      a user name and a range of subordinate group ids that user
      is allowed to use.

      This is specified with three fields delimited by colons
      (<quote>:</quote>).
      These fields are:
    </para>
    <itemizedlist mark='bullet'>
      <listitem>
	<para>login name or UID</para>
      </listitem>
      <listitem>
	<para>numerical subordinate group ID (the first ID of the range)</para>
      </listitem>
      <listitem>
	<para>numerical subordinate group ID count (the number of IDs in the range)</para>
      </listitem>
    </itemizedlist>

    <para>
      This file specifies the group IDs that ordinary users can use, with
      the <command>newgidmap</command> command, to configure gid mapping
      in a user namespace.
    </para>

    <para>
      Multiple ranges may be specified per user.
    </para>

    <para>
      When a large number of entries (10000-100000 or more) is defined in
      <filename>/etc/subgid</filename>, the parsing performance penalty
      becomes noticeable. In this case it is recommended to use UIDs
      instead of login names. Benchmarks have shown speed-ups of up to 20x.
    </para>

  </refsect1>

  <refsect1 id='files'>
    <title>FILES</title>
    <variablelist>
      <varlistentry>
	<term><filename>/etc/subgid</filename></term>
	<listitem>
	  <para>Per-user subordinate group IDs.</para>
	</listitem>
      </varlistentry>
      <varlistentry>
	<term><filename>/etc/subgid-</filename></term>
	<listitem>
	  <para>Backup file for /etc/subgid.</para>
	</listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 id='see_also'>
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>newusers</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum>
      </citerefentry>.
    </para>
  </refsect1>
</refentry>