From 22038de5f2a4db53f9ce3bc72625b6763a0b3fc6 Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Mon, 15 Sep 2014 00:35:02 +0000
Subject: [PATCH] lxc_map_ids: add a comment
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Explain why we insist that root use newuidmap if it is available.

Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
---
 src/lxc/conf.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 5e61c3589..e61002b7f 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3429,6 +3429,12 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
 enum idtype type;
 char *buf = NULL, *pos, *cmdpath = NULL;
 
+ /*
+ * If newuidmap exists, that is, if shadow is handing out subuid
+ * ranges, then insist that root also reserve ranges in subuid. This
+ * will protected it by preventing another user from being handed the
+ * range by shadow.
+ */
 cmdpath = on_path("newuidmap", NULL);
 if (cmdpath) {
 use_shadow = 1;
-- 
2.47.2
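Review bot: The last sentence of the added comment has a typo ("will protected it") and an unclear "it", which blurs the one security point the comment is there to make. I would reword it as `This protects root's ranges by preventing shadow from handing the same range to another user.` The comment also says root must "insist" on subuid reservations but does not say what happens when newuidmap is not found. Since `use_shadow` is only set inside `if (cmdpath)`, a short clause such as `Without newuidmap, nothing hands out ranges, so root maps ids directly.` would help, if that matches the rest of lxc_map_ids, whose body continues outside this hunk.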