From c01ff965b48bb9693dcd77cbc748b5d8676766b0 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 9 Jul 2015 14:46:20 -0300 Subject: nss-mymachines: map userns users of containers to real user names Given a container "foo", that maps user id $UID to container user, using user namespaces, this NSS module extenstion will now map the $UID to a name "vu-foo-$TUID" for the translated UID $UID. Similar, userns groups are mapped to "vg-foo-$TGID" for translated GIDs of $GID. This simple change should make userns users more discoverable. Also, given that many tools like "adduser" check NSS before allocating a UID, should lower the chance of UID range conflicts between tools. --- src/basic/macro.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'src/basic') diff --git a/src/basic/macro.h b/src/basic/macro.h index 5fa17ed208..58530a3980 100644 --- a/src/basic/macro.h +++ b/src/basic/macro.h @@ -26,6 +26,7 @@ #include #include #include +#include #define _printf_(a,b) __attribute__ ((format (printf, a, b))) #define _alloc_(...) __attribute__ ((alloc_size(__VA_ARGS__))) @@ -461,6 +462,18 @@ do { \ #define GID_INVALID ((gid_t) -1) #define MODE_INVALID ((mode_t) -1) +static inline bool UID_IS_INVALID(uid_t uid) { + /* We consider both the old 16bit -1 user and the newer 32bit + * -1 user invalid, since they are or used to be incompatible + * with syscalls such as setresuid() or chown(). */ + + return uid == (uid_t) ((uint32_t) -1) || uid == (uid_t) ((uint16_t) -1); +} + +static inline bool GID_IS_INVALID(gid_t gid) { + return gid == (gid_t) ((uint32_t) -1) || gid == (gid_t) ((uint16_t) -1); +} + #define DEFINE_TRIVIAL_CLEANUP_FUNC(type, func) \ static inline void func##p(type *p) { \ if (*p) \ -- cgit v1.2.3-54-g00ecf