Re: Allowing mapping supplemental groups in user namespace?

From: Dmitry Torokhov
Date: Thu Mar 28 2019 - 14:31:11 EST


Hi Serge,

On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
>
> On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> > Hi Eric,
> >
> > Currently, unless caller has CAP_SETGID in parent namespace, we can
> > only map effective group id in the new user namespace. Would it be
> > possible to relax this rule to also allow mapping of supplemental
> > groups (1:1) of the caller?
> >
> > Thanks.
> >
> > --
> > Dmitry
>
> Hi,
>
> Is there a use case where adding those to /etc/subgid is onerous?
> (There probably is, just would like to see yours)

We on Chrome OS limit number of suid binaries installed on the system,
so newgidmap does not have necessary privileges to carry out this
operation. Also we are looking for a solution that we can use with our
minijail package where spawning additional binary is challenging even
if it was suid.

Thanks.

--
Dmitry




--
Dmitry