From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 24 May 2021 10:14:43 +0000 (+0200)
Subject: man: clarify subid delegation
X-Git-Tag: v4.9~18^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F345%2Fhead;p=thirdparty%2Fshadow.git

man: clarify subid delegation

Clarify that the subid delegation can only come from one source.
Moreover, add an example of what might happen if the subid source is NSS
and useradd is executed.

Related: https://github.com/shadow-maint/shadow/issues/331
---

diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
index 76fc1e306..7aaf34bf5 100644
--- a/man/newgidmap.1.xml
+++ b/man/newgidmap.1.xml
@@ -88,9 +88,15 @@
     <title>DESCRIPTION</title>
     <para>
       The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
-      command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
-      through the configured NSS subid module).
-      Note that the root user is not exempted from the requirement for a valid
+      command line arguments and the gids allowed. The subid delegation can come either from files
+      (<filename>/etc/subgid</filename>) or from the configured NSS subid module. Only one of them
+      can be chosen at a time. So, for example, if the subid source is configured as NSS and
+      <command>groupadd</command> is executed, then the command will fail and the entry will not be
+      created in <filename>/etc/subgid</filename>.
+    </para>
+
+    <para>
+      Note that the root group is not exempted from the requirement for a valid
       <filename>/etc/subgid</filename> entry.
     </para>
 
diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
index 44eca50a4..4bc1ef7af 100644
--- a/man/newuidmap.1.xml
+++ b/man/newuidmap.1.xml
@@ -88,8 +88,14 @@
     <title>DESCRIPTION</title>
     <para>
       The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
-      command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
-      through the configured NSS subid module).
+      command line arguments and the uids allowed. The subid delegation can come either from files
+      (<filename>/etc/subuid</filename>) or from the configured NSS subid module. Only one of them
+      can be chosen at a time. So, for example, if the subid source is configured as NSS and
+      <command>useradd</command> is executed, then the command will fail and the entry will not be
+      created in <filename>/etc/subuid</filename>.
+    </para>
+
+    <para>
       Note that the root user is not exempted from the requirement for a valid
       <filename>/etc/subuid</filename> entry.
     </para>