User namespaces were designed from the start to meet a requirement that unprivileged users be able to make use of them. Eric Biederman accomplished this by introducing subuid and subgid delegations through shadow. These are defined by the /etc/subuid and /etc/subgid files, each line of which has the form owner:start:count, and which only root can write to. The setuid-root programs newuidmap and newgidmap, which ship with shadow, respect the subids delegated in those two files: they will only write a mapping into a user namespace's uid_map or gid_map if every requested range falls within the ranges delegated to the calling user. This matters because the kernel itself lets an unprivileged process write only a single-entry map of its own uid or gid, so the two setuid helpers, and therefore these two files, are the trust boundary for anything larger.
Until recently, programs which wanted to query available mappings, like lxc-usernsexec, have each parsed these two files themselves. Now, shadow ships a new library, libsubid, to facilitate more programmatic querying of subids. The API looks like this:
    struct subordinate_range **get_subuid_ranges(const char *owner);
    struct subordinate_range **get_subgid_ranges(const char *owner);
    void subid_free_ranges(struct subordinate_range **ranges);

    int get_subuid_owners(uid_t uid, uid_t **owner);
    int get_subgid_owners(gid_t gid, uid_t **owner);

    /* range should be pre-allocated with owner and count filled in, start is
     * ignored, can be 0 */
    bool grant_subuid_range(struct subordinate_range *range, bool reuse);
    bool grant_subgid_range(struct subordinate_range *range, bool reuse);

    bool free_subuid_range(struct subordinate_range *range);
    bool free_subgid_range(struct subordinate_range *range);
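To make concrete what get_subuid_ranges() hands back, and what a caller such as lxc-usernsexec had to do by hand before libsubid existed, here is an added example (my own illustration, not shadow's or libsubid's code) that parses text in /etc/subuid format from a constructed in-memory sample and then checks whether a requested uid range is covered by an owner's delegations, which is the decision newuidmap makes before writing uid_map. The struct, function names (get_owner_ranges, owner_has_range, count_owner_ranges), the comment-line handling and the rule that a request may span two contiguous delegated ranges are this example's own assumptions; consult shadow's subordinateio.c for the rule newuidmap actually applies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in /etc/subuid format ("owner:start:count" per line).
 * This is not a real system file; the malformed lines are there on purpose. */
static const char SAMPLE_SUBUID[] =
    "# this example skips comment lines and blank lines (an assumption)\n"
    "\n"
    "alice:100000:65536\n"
    "bob:165536:65536\n"
    "alice:1000000:1000\n"
    "carol:200000:10\n"
    "carol:200010:10\n"
    "broken:notanumber:5\n"
    "toomany:1:2:3\n";

/* Same shape as libsubid's struct; field names here are this example's own. */
struct subordinate_range {
    char owner[64];
    uint32_t start;
    uint32_t count;
};

/* Parse an unsigned decimal that fits in 32 bits; reject anything else. */
static bool parse_u32(const char *s, uint32_t *out) {
    char *end;
    if (*s == '\0' || *s == '-' || *s == '+') return false;
    unsigned long long v = strtoull(s, &end, 10);
    if (*end != '\0' || v > UINT32_MAX) return false;
    *out = (uint32_t)v;
    return true;
}

/* Parse one "owner:start:count" line. Rejects wrong field counts, empty
 * owners, non-numeric fields, zero counts and ranges that would run past
 * the 32-bit uid space (0xffffffff is the reserved invalid uid). */
bool parse_subid_line(const char *line, struct subordinate_range *r) {
    char buf[256];
    if (strlen(line) >= sizeof buf) return false;
    strcpy(buf, line);
    char *field[4] = {0};
    int nf = 0;
    char *p = buf;
    while (p && nf < 4) {               /* split on ':' into at most 4 fields */
        field[nf++] = p;
        char *c = strchr(p, ':');
        if (c) *c = '\0';
        p = c ? c + 1 : NULL;
    }
    if (nf != 3 || p) return false;     /* exactly three fields required */
    if (field[0][0] == '\0' || strlen(field[0]) >= sizeof r->owner) return false;
    if (!parse_u32(field[1], &r->start) || !parse_u32(field[2], &r->count)) return false;
    if (r->count == 0 || (uint64_t)r->start + r->count > UINT32_MAX) return false;
    strcpy(r->owner, field[0]);
    return true;
}

/* Collect every well-formed range delegated to `owner` from the file text.
 * Malformed lines are skipped rather than granting a bogus range. */
size_t get_owner_ranges(const char *text, const char *owner,
                        struct subordinate_range *out, size_t max) {
    size_t n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            struct subordinate_range r;
            if (line[0] != '#' && line[0] != '\0' &&
                parse_subid_line(line, &r) && strcmp(r.owner, owner) == 0)
                out[n++] = r;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

size_t count_owner_ranges(const char *text, const char *owner) {
    struct subordinate_range rs[64];
    return get_owner_ranges(text, owner, rs, 64);
}

/* Does `owner` hold all of [start, start+count)? Walks the request from the
 * left, consuming delegated ranges, so a request covering two contiguous
 * delegations is accepted (this example's policy, not necessarily shadow's). */
bool owner_has_range(const char *text, const char *owner,
                     uint32_t start, uint32_t count) {
    struct subordinate_range rs[64];
    size_t n = get_owner_ranges(text, owner, rs, 64);
    uint64_t cur = start, end = (uint64_t)start + count;
    if (count == 0 || end > UINT32_MAX) return false;
    while (cur < end) {
        bool advanced = false;
        for (size_t i = 0; i < n; i++) {
            uint64_t rs_end = (uint64_t)rs[i].start + rs[i].count;
            if (rs[i].start <= cur && cur < rs_end) {
                cur = rs_end < end ? rs_end : end;   /* strictly increases cur */
                advanced = true;
                break;
            }
        }
        if (!advanced) return false;    /* a gap: nobody delegated uid `cur` */
    }
    return true;
}

int main(void) {
    struct subordinate_range rs[8];
    size_t n = get_owner_ranges(SAMPLE_SUBUID, "alice", rs, 8);
    for (size_t i = 0; i < n; i++)
        printf("alice holds %u..%u\n", rs[i].start, rs[i].start + rs[i].count - 1);
    printf("alice 100000+65536: %s\n",
           owner_has_range(SAMPLE_SUBUID, "alice", 100000, 65536) ? "ok" : "denied");
    printf("alice 100000+65537: %s\n",
           owner_has_range(SAMPLE_SUBUID, "alice", 100000, 65537) ? "ok" : "denied");
    printf("carol 200000+20 (two contiguous delegations): %s\n",
           owner_has_range(SAMPLE_SUBUID, "carol", 200000, 20) ? "ok" : "denied");
    return 0;
}
```

The two checks a practitioner should take from this are the ones the parser enforces before any range is trusted: a line that does not parse cleanly yields no range at all, and start+count is bounded by the uid space so an overlong count cannot wrap around and appear to cover uid 0. A real caller would read /etc/subuid (or call get_subuid_ranges()) instead of the embedded sample, then hand the vetted ranges to newuidmap.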
The next step, which I’ve not yet begun, will be to hook these general queries into NSS. You can follow the work in this github issue.