Re: Bug#932103: RFP: fuidshift -- remap a filesystem tree to shift one set of UID/GID ranges to another

To: Vincent Tondellier <tonton+dbug@team1664.org>, 932103@bugs.debian.org
Cc: Florian Weimer <fw@deneb.enyo.de>, debian-devel@lists.debian.org
Subject: Re: Bug#932103: RFP: fuidshift -- remap a filesystem tree to shift one set of UID/GID ranges to another
From: Nicholas D Steeves <nsteeves@gmail.com>
Date: Sun, 11 Aug 2019 18:04:37 -0400
Message-id: <[🔎] 20190811220429.GA6898@DigitalMercury.dynalias.net>
In-reply-to: <3930467.Ha2F3adJYf@quad>
References: <156316420192.15982.13684164100463592524.reportbug@DigitalMercury.dynalias.net> <87tvblznur.fsf@mid.deneb.enyo.de> <156316420192.15982.13684164100463592524.reportbug@DigitalMercury.dynalias.net> <3930467.Ha2F3adJYf@quad>

Hi,

On Wed, Jul 17, 2019 at 01:55:06AM +0200, Vincent Tondellier wrote:
> On Tuesday 16 July 2019 23:11:24 Florian Weimer wrote:
> > * Nicholas D. Steeves:
> > > Package name    : fuidshift
> > > Version         : 3.0
> > > Upstream Author : Name <somebody@example.org>
> > > URL             : https://github.com/lxc/lxd/tree/master/fuidshift
> > > License         : Apache 2.0
> > > Programming Lang: Go
> > > Description : remap a filesystem tree to shift one set of UID/GID
> > > ranges to another
> 
> ...
> 
> > How does this compare to (or interact with) newuidmap and newgidmap
> > from uidmap?
> 
> They do very different things.
> 
> Let me try a short description :
> newuidmap - set the uid mapping of a user namespace (from manpage)
> fuidshift - shift the uid/gid of files *on disk*
>

That's a good short description :-)

> fuidshift is basically a recursive
> chown $(( $(stat -c '%u' "$path") + $uidshift )) "$path"
> 
> It does not use or configure user namespaces or containers.
> 
> It's useful for the creation of containers images, for example when the 
> container root filesystem is read-only (squashfs) and the container engine 
> can't change the uids at runtime (see for example systemd-nspawn --private-
> users=pick / --private-users-chown).
> 
> So fuidshift may be used to prepare a directory for later use by newuidmap, 
> but that's about it.
>

It's also useful as part of redistributing namespace blocks of
uids/guids among new/different users/groups.

One specific case I think it would be useful for is this: a user that
started with Debian's default LXC configuration, then learned how
insecure that was, and then wants to preserve their work while
migrating the container to an unprivileged one; this happened to me
once and I lost an hour or two recreating my customisations.  I have a
friend who would appreciate this tool to save time fixing up such a
situation.

> > There's a push to force uidmap on everyone, with tight integration
> > into NSS.  If there's a competing scheme, it would be helpful to know
> > about it.

Sorry, I'm not sure, but as fuidshift is part of the LXD project I
would imagine that it will be well supported moving forward.  eg: if
there will ever (hypothetically) be something like an aclmap that maps
POSIX or NFSv4 acls container-to-host.  It's definitely better
maintained than other tools that do this recursive chown, and AFAIK
LXD is going to eventually be packaged for Debian, so bin:fuidshift
from src:lxd makes sense to me.  Is this not the case?

Thank you for your comments!
Regards,
Nicholas

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: Bug#934514: ITP: ifcplusplus -- C++ class model, as well as a reader and writer for IFC files in STEP format
Next by Date: Re: how to handle upstream orig tarball with git-lfs reference files?
Previous by thread: Bug#934514: ITP: ifcplusplus -- C++ class model, as well as a reader and writer for IFC files in STEP format
Next by thread: Bug#934596: ITP: postgresfixture -- Python fixture for creating PostgreSQL clusters and databases
Index(es):
- Date
- Thread