path: root/man/subuid.5.xml
blob: fc6b2c95d306b4f361c705fd6380afdb62894d70 (plain)
<?xml version="1.0" encoding="UTF-8"?>
<!--
   SPDX-FileCopyrightText: 2013 Eric W. Biederman
   SPDX-License-Identifier: BSD-3-Clause
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='subuid.5'>
  <refentryinfo>
    <author>
      <firstname>Eric</firstname>
      <surname>Biederman</surname>
      <contrib>Creation, 2013</contrib>
    </author>
    <author>
      <firstname>Iker</firstname>
      <surname>Pedrosa</surname>
      <contrib>Developer, 2021</contrib>
    </author>
  </refentryinfo>
  <refmeta>
    <refentrytitle>subuid</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
    <refmiscinfo class="source">shadow-utils</refmiscinfo>
    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
  </refmeta>
  <refnamediv id='name'>
    <refname>subuid</refname>
    <refpurpose>the configuration for subordinate user ids</refpurpose>
  </refnamediv>

  <refsect1 id='description'>
    <title>DESCRIPTION</title>
    <para>
      Subuid authorizes a user id to map ranges of user ids from its namespace
      into child namespaces.
    </para>
    <para>
      The delegation of the subordinate uids can be configured via the
      <replaceable>subid</replaceable> field in the
      <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
      as the delegation source. Setting this field to
      <replaceable>files</replaceable> configures the delegation of uids to
      <filename>/etc/subuid</filename>. Setting any other value delegates
      to a plugin with a name of the form
      <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
      missing, then the subordinate uid delegation falls back to
      <replaceable>files</replaceable>, so the ranges listed in
      <filename>/etc/subuid</filename> apply in that case.
    </para>
    <para>
      Note that <command>useradd</command> only creates entries in
      <filename>/etc/subuid</filename> if subid delegation is managed via the
      subid files.
    </para>
  </refsect1>

  <refsect1 id='local-subordinate-delegation'>
    <title>LOCAL SUBORDINATE DELEGATION</title>
    <para>
      Each line in <filename>/etc/subuid</filename> contains
      a user name and a range of subordinate user ids that the user
      is allowed to use.

      This is specified with three fields delimited by colons
      (<quote>:</quote>).
      These fields are:
    </para>
    <itemizedlist mark='bullet'>
      <listitem>
	<para>login name or UID</para>
      </listitem>
      <listitem>
	<para>numerical subordinate user ID</para>
      </listitem>
      <listitem>
	<para>numerical subordinate user ID count</para>
      </listitem>
    </itemizedlist>

    <para>
      This file specifies the user IDs that ordinary users can use, with
      the <command>newuidmap</command> command, to configure uid mapping
      in a user namespace.
    </para>

    <para>
      Multiple ranges may be specified per user.
    </para>

    <para>
      When a large number of entries (10000-100000 or more) are defined in
      <filename>/etc/subuid</filename>, the parsing performance penalty
      becomes noticeable. In this case it is recommended to use UIDs
      instead of login names. Benchmarks have shown speed-ups of up to 20x.
    </para>

  </refsect1>

  <refsect1 id='files'>
    <title>FILES</title>
    <variablelist>
      <varlistentry>
	<term><filename>/etc/subuid</filename></term>
	<listitem>
	  <para>Per-user subordinate user IDs.</para>
	</listitem>
      </varlistentry>
      <varlistentry>
	<term><filename>/etc/subuid-</filename></term>
	<listitem>
	  <para>Backup file for /etc/subuid.</para>
	</listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 id='see_also'>
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>newusers</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum>
      </citerefentry>.
    </para>
  </refsect1>
</refentry>