This adds two new options to /etc/login.defs:
* UNSAFE_SUB_UID_DETERMINISTIC_WRAP
* UNSAFE_SUB_GID_DETERMINISTIC_WRAP
Deterministic subordinate ID allocation ties each user's subid range
directly to their UID, giving consistent, reproducible ranges across all
hosts without a shared database. This property breaks down when the
subordinate ID space is exhausted.
With a UID space that on Linux extends to 2^32-1 and the traditional
per-user subid allocation of 2^16 ranges, a site with a large UID
population could exhaust the subordinate ID space before all user UIDs
are allocated.
UNSAFE_SUB_UID_DETERMINISTIC_WRAP and UNSAFE_SUB_GID_DETERMINISTIC_WRAP
provide an explicit opt-in to modulo (ring-buffer) wrapping as a
predictable last resort. This preserves the deterministic allocation
at the risk of subid overlap.
The UNSAFE_ prefix and the required explicit opt-in are intentional.
Overlapping ranges break namespace isolation and can allow container
escapes and privilege escalation between users whose ranges collide.
These options are appropriate only when all of the following hold:
- Strict subid determinism is required
- The active UID population on the host is small and well-known
- The administrator regularly audits the UID distribution and confirms
no two active users produce overlapping computed ranges
Do not enable these options on hosts with an uncontrolled user population.
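The wrap behaviour described above and the overlap audit the last bullet calls for, as an added illustration that is not part of the shadow code or this change: the script models deterministic allocation as one fixed-size slot per UID, applies modulo wrapping only when the opt-in is set, and reports pairs of active UIDs whose computed ranges collide. The mapping formula, the lower bound of the subordinate ID space (SUB_ID_MIN) and the UID list are assumptions made for the example; only the 2^32-1 ID space bound and the 2^16 per-user range size come from the text.

```python
# Added audit example (not shadow's own code). The slot formula below is an
# assumption for illustration; the commit message does not show the exact
# mapping shadow uses, only that it is derived from the UID.

SUB_ID_MIN = 100_000        # assumed lower bound of the subordinate ID space
SUB_ID_MAX = 2**32 - 1      # upper bound of the Linux ID space (from the text)
SUB_ID_COUNT = 2**16        # traditional per-user range size (from the text)

SPACE = SUB_ID_MAX - SUB_ID_MIN + 1
SLOTS = SPACE // SUB_ID_COUNT   # number of whole 2^16 ranges that fit


def deterministic_range(uid, wrap=False):
    """Return (first, last) subid for a UID, or None when the space is
    exhausted and wrapping (UNSAFE_*_DETERMINISTIC_WRAP) is not enabled."""
    slot = uid                  # assumed mapping: one slot per UID
    if slot >= SLOTS:
        if not wrap:
            return None         # safe default: allocation fails, no overlap
        slot %= SLOTS           # ring-buffer wrap: deterministic but may collide
    first = SUB_ID_MIN + slot * SUB_ID_COUNT
    return (first, first + SUB_ID_COUNT - 1)


def find_overlaps(uids, wrap=False):
    """Return sorted list of (uid_a, uid_b) pairs whose computed ranges overlap.
    This is the check an administrator would run over the active UID set."""
    ranges = {}
    for uid in uids:
        r = deterministic_range(uid, wrap=wrap)
        if r is not None:
            ranges[uid] = r
    # Sort by range start; any neighbour whose start is <= previous end overlaps.
    ordered = sorted(ranges.items(), key=lambda kv: (kv[1][0], kv[0]))
    overlaps = []
    for (uid_a, ra), (uid_b, rb) in zip(ordered, ordered[1:]):
        if rb[0] <= ra[1]:
            overlaps.append((uid_a, uid_b))
    return overlaps


if __name__ == "__main__":
    # Constructed sample: a low UID and one that lands exactly SLOTS later,
    # i.e. the first UID for which the space is already exhausted.
    active = [1000, 1001, 1000 + SLOTS]
    print("slots available:", SLOTS)
    print("without wrap:", find_overlaps(active, wrap=False))
    print("with wrap   :", find_overlaps(active, wrap=True))
```

With wrapping disabled the high UID simply gets no range and the audit reports nothing; with wrapping enabled it is mapped back onto UID 1000's slot and the collision shows up, which is the case the UNSAFE_ prefix warns about.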