Hi, On Wed, Jul 17, 2019 at 01:55:06AM +0200, Vincent Tondellier wrote: > On Tuesday 16 July 2019 23:11:24 Florian Weimer wrote: > > * Nicholas D. Steeves: > > > Package name : fuidshift > > > Version : 3.0 > > > Upstream Author : Name <someb...@example.org> > > > URL : https://github.com/lxc/lxd/tree/master/fuidshift > > > License : Apache 2.0 > > > Programming Lang: Go > > > Description : remap a filesystem tree to shift one set of UID/GID > > > ranges to another > > ... > > > How does this compare to (or interact with) newuidmap and newgidmap > > from uidmap? > > They do very different things. > > Let me try a short description : > newuidmap - set the uid mapping of a user namespace (from manpage) > fuidshift - shift the uid/gid of files *on disk* >
That's a good short description :-) > fuidshift is basically a recursive > chown $(( $(stat -c '%u' "$path") + $uidshift )) "$path" > > It does not use or configure user namespaces or containers. > > It's useful for the creation of containers images, for example when the > container root filesystem is read-only (squashfs) and the container engine > can't change the uids at runtime (see for example systemd-nspawn --private- > users=pick / --private-users-chown). > > So fuidshift may be used to prepare a directory for later use by newuidmap, > but that's about it. > It's also useful as part of redistributing namespace blocks of uids/guids among new/different users/groups. One specific case I think it would be useful for is this: a user that started with Debian's default LXC configuration, then learned how insecure that was, and then wants to preserve their work while migrating the container to an unprivileged one; this happened to me once and I lost an hour or two recreating my customisations. I have a friend who would appreciate this tool to save time fixing up such a situation. > > There's a push to force uidmap on everyone, with tight integration > > into NSS. If there's a competing scheme, it would be helpful to know > > about it. Sorry, I'm not sure, but as fuidshift is part of the LXD project I would imagine that it will be well supported moving forward. eg: if there will ever (hypothetically) be something like an aclmap that maps POSIX or NFSv4 acls container-to-host. It's definitely better maintained than other tools that do this recursive chown, and AFAIK LXD is going to eventually be packaged for Debian, so bin:fuidshift from src:lxd makes sense to me. Is this not the case? Thank you for your comments! Regards, Nicholas
signature.asc
Description: PGP signature