Hello guixers,
I just sent a couple of patches [0] adding a full Scheme implementation
of the bits of Shadow that read and write /etc/subuid and /etc/subgid,
and some logic to handle generic requests from users that don't care
about specific ranges but just want to have some subids.
The result is a simple Guix System service that allows users to set up
these files on their system. I hope this can be a sound foundation for
the rootless-podman-service-type that I plan to implement.
I'm pasting here an excerpt of the documentation.
The (gnu system shadow) module exposes the subids-service-type, its
configuration record subids-configuration and its extension record
subids-extension.
With subids-service-type, subuid and subgid ranges can be reserved for
users who want them:
(use-modules (gnu system shadow)    ;for 'subids-service-type'
             (gnu system accounts)) ;for 'subid-range'

(operating-system
  (services
   (list
    (simple-service 'alice-bob-subids
                    subids-service-type
                    (subids-extension
                     (subgids
                      (list
                       (subid-range (name "alice"))))
                     (subuids
                      (list
                       (subid-range (name "alice"))
                       (subid-range (name "bob")
                                    (start 100700)))))))))
Users (and especially other services) are usually supposed to extend the
service rather than add subids directly to subids-configuration, unless
they want to change the default behavior for root. With the default
settings, subids-service-type adds, if it is not already there, an entry
for the root account to both /etc/subuid and /etc/subgid, starting at the
minimum possible subid when that is free. Otherwise the root subuid and
subgid ranges are fitted wherever possible.
The above configuration will yield the following:
# cat /etc/subgid
root:100000:65536
alice:165536:65536
# cat /etc/subuid
root:100000:700
bob:100700:65536
alice:166236:65536
This is a request for comments both here and in issue #72337, so please
let me know what you think.
Thank you for your help,
giacomo
[0]: https://issues.guix.gnu.org/72337
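As an added illustration for this discussion (not part of the patches above and not the Guix Scheme code), the following Python model reproduces the range-fitting behaviour the documentation excerpt describes and adds the check a practitioner would run on the generated files: overlapping ranges, which let one account's containers act under another account's subordinate ids. The minimum id 100000 and the 65536 default range size are assumptions read off the documented output, as is the rule that root is pinned at the lowest free id and shortened to stop at the next explicitly placed range.

```python
"""Model of subuid/subgid range fitting plus a conflict check.
Illustrative Python re-creation for the mailing-list thread; NOT the Guix
Scheme implementation. Constants are assumptions taken from the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUBID_MIN = 100000      # assumed: first subordinate id handed out
SUBID_COUNT = 65536     # assumed: default range size per user
SUBID_MAX = 4294967294  # assumed: stay below the uint32 "-1" sentinel

Range = Tuple[str, int, int]  # (name, start, count), one /etc/subuid line


@dataclass
class SubidRange:
    """Mirrors the documented subid-range record: a name, an optional start."""
    name: str
    start: Optional[int] = None
    count: int = SUBID_COUNT


def parse_subid_file(text: str) -> List[Range]:
    """Parse 'name:start:count' lines, rejecting malformed ones."""
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            raise ValueError(f"line {lineno}: expected name:start:count, got {line!r}")
        ranges.append((parts[0], int(parts[1]), int(parts[2])))
    return ranges


def check_ranges(ranges: List[Range]) -> List[str]:
    """Report empty ranges, ranges past SUBID_MAX, and overlaps between users."""
    problems: List[str] = []
    ordered = sorted(ranges, key=lambda r: r[1])
    for name, start, count in ordered:
        if count <= 0:
            problems.append(f"{name}: empty range")
        if start + count - 1 > SUBID_MAX:
            problems.append(f"{name}: range exceeds {SUBID_MAX}")
    for (n1, s1, c1), (n2, s2, _) in zip(ordered, ordered[1:]):
        if s1 + c1 > s2:  # half-open [s1, s1+c1) reaches into the next range
            problems.append(f"overlap: {n1} and {n2}")
    return problems


def first_free(placed: List[Range], want: int, floor: int) -> int:
    """Lowest start >= floor such that [start, start+want) hits no placed range."""
    start = floor
    for _, s, c in sorted(placed, key=lambda r: r[1]):
        if s + c <= start:       # range lies entirely below the candidate
            continue
        if s >= start + want:    # the gap before this range is big enough
            break
        start = s + c            # collision: move past this range
    return start


def fit_ranges(requests: List[SubidRange], root_name: str = "root") -> List[Range]:
    """Assumed model of the documented behaviour: explicit starts are pinned
    first; root, if not requested, goes at the lowest free id and is shortened
    so it stops at the next pinned range; everyone else takes the lowest gap."""
    pinned: List[Range] = [(r.name, r.start, r.count) for r in requests if r.start is not None]
    placed: List[Range] = list(pinned)
    if not any(r.name == root_name for r in requests):
        root_start = first_free(pinned, 1, SUBID_MIN)
        root_count = SUBID_COUNT
        for _, s, _ in pinned:
            if root_start < s < root_start + root_count:
                root_count = s - root_start
        placed.append((root_name, root_start, root_count))
    for r in requests:
        if r.start is None:
            placed.append((r.name, first_free(placed, r.count, SUBID_MIN), r.count))
    return sorted(placed, key=lambda r: r[1])


def render(ranges: List[Range]) -> str:
    """Format ranges the way the shadow files do."""
    return "\n".join(f"{n}:{s}:{c}" for n, s, c in ranges)


if __name__ == "__main__":
    # Constructed input: the subuid side of the documented example.
    subuid = fit_ranges([SubidRange("alice"), SubidRange("bob", start=100700)])
    print("# /etc/subuid")
    print(render(subuid))
    print("problems:", check_ranges(subuid) or "none")
    # Constructed bad file: two accounts sharing the same range.
    bad = parse_subid_file("root:100000:65536\nalice:100000:65536\n")
    print("problems:", check_ranges(bad))
```

Running the script prints the same three subuid lines as the documentation excerpt, with root shortened to 700 ids because bob was pinned at 100700; the second call shows why the overlap check matters once other services start extending the file independently.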