They are not active at this commit, but they are documented.
Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
#
#SUB_UID_DETERMINISTIC no
+#
+# Allow deterministic subordinate UID calculation to wrap around using
+# modulo arithmetic when a UID would overflow the configured subordinate
+# ID space. Only effective when SUB_UID_DETERMINISTIC is "yes".
+#
+# When disabled (default), any arithmetic overflow is a hard error,
+# ensuring non-overlapping monotonic allocation.
+#
+# WARNING: SECURITY RISK - MAY CAUSE RANGE OVERLAPS AND PRIVILEGE ESCALATION!
+#
+# When enabled (WRAP MODE), the subordinate ID space is treated as a ring
+# buffer. Uses modulo arithmetic to handle overflow. May cause range
+# overlaps between users.
+#
+# Default: no
+#
+#UNSAFE_SUB_UID_DETERMINISTIC_WRAP no
+
#
# Min/max values for automatic gid selection in groupadd(8)
#
#
#SUB_GID_DETERMINISTIC no
+#
+# Allow deterministic subordinate GID calculation to wrap around using
+# modulo arithmetic when a UID would overflow the configured subordinate
+# ID space. Only effective when SUB_GID_DETERMINISTIC is "yes".
+#
+# When disabled (default), any arithmetic overflow is a hard error,
+# ensuring non-overlapping monotonic allocation.
+#
+# WARNING: SECURITY RISK - MAY CAUSE RANGE OVERLAPS AND PRIVILEGE ESCALATION!
+#
+# When enabled (WRAP MODE), the subordinate ID space is treated as a ring
+# buffer. Uses modulo arithmetic to handle overflow. May cause range
+# overlaps between users.
+#
+# Default: no
+#
+#UNSAFE_SUB_GID_DETERMINISTIC_WRAP no
+
#
# Max number of login(1) retries if password is bad
#
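Review bot: The GID block's explanation says the wrap happens `when a UID would overflow the configured subordinate ID space`, which is copied verbatim from the UID block; for SUB_GID_DETERMINISTIC it should read `when a GID would overflow the configured subordinate ID space`. The same slip recurs in the man page's UNSAFE_SUB_GID_DETERMINISTIC_WRAP entry further down this patch. Separately, the commit message states that neither option is active yet, so an administrator who sets `UNSAFE_SUB_GID_DETERMINISTIC_WRAP yes` in a shipped login.defs gets no wrap and no warning, and the comment's promise that the `no` path is a hard error is not something this commit can back. A line such as `# NOTE: reserved for a future release; currently parsed but not acted upon.` placed before the `Default: no` line would keep the shipped defaults from over-promising until the implementation lands.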
{"UID_MAX", NULL},
{"UID_MIN", NULL},
{"UMASK", NULL},
+ {"UNSAFE_SUB_GID_DETERMINISTIC_WRAP", NULL},
+ {"UNSAFE_SUB_UID_DETERMINISTIC_WRAP", NULL},
{"USERDEL_CMD", NULL},
{"USERGROUPS_ENAB", NULL},
#ifndef USE_PAM
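Review bot: Registering the two keys in the definition table makes the parser accept `UNSAFE_SUB_GID_DETERMINISTIC_WRAP` and `UNSAFE_SUB_UID_DETERMINISTIC_WRAP` without the unknown-item complaint, yet per the commit message nothing consumes them, so a `yes` value is silently ignored and the man page's claim that `no` yields a hard error on overflow is not backed by any code in this commit. A one-line comment on the entries, `/* parsed but not yet consumed; see SUB_*_DETERMINISTIC in login.defs(5) */`, would keep the table honest until the consumer exists. When that consumer arrives it should log at warning level whenever wrap mode is actually taken, since the documented consequence is overlapping subordinate ranges between users. The table appears to be kept in alphabetical order and the placement between UMASK and USERDEL_CMD preserves that, which is worth keeping if the entries are later moved; the enclosing table starts and ends outside this hunk.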
&SULOG_FILE;
&SU_NAME;
&SU_WHEEL_ONLY;
- &SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX SUB_GID_DETERMINISTIC -->
+ &SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX SUB_GID_DETERMINISTIC UNSAFE_SUB_GID_DETERMINISTIC_WRAP -->
&SUB_GID_STORE_BY_UID;
- &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX SUB_UID_DETERMINISTIC -->
+ &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX SUB_UID_DETERMINISTIC UNSAFE_SUB_UID_DETERMINISTIC_WRAP -->
&SUB_UID_STORE_BY_UID;
&SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
&SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
SUB_UID_STORE_BY_UID
SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
UMASK
+ UNSAFE_SUB_GID_DETERMINISTIC_WRAP UNSAFE_SUB_UID_DETERMINISTIC_WRAP
<phrase condition="yescrypt">YESCRYPT_COST_FACTOR</phrase>
</para>
</listitem>
SUB_UID_STORE_BY_UID
SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
UMASK
+ UNSAFE_SUB_GID_DETERMINISTIC_WRAP UNSAFE_SUB_UID_DETERMINISTIC_WRAP
<phrase condition="tcb">TCB_AUTH_GROUP TCB_SYMLINK USE_TCB</phrase>
</para>
</listitem>
MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN SUB_GID_DETERMINISTIC
SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN SUB_UID_DETERMINISTIC
+ UNSAFE_SUB_GID_DETERMINISTIC_WRAP UNSAFE_SUB_UID_DETERMINISTIC_WRAP
<phrase condition="tcb">TCB_SYMLINKS USE_TCB</phrase>
</para>
</listitem>
</refsect2>
</listitem>
</varlistentry>
+<varlistentry condition="subids">
+ <term><option>UNSAFE_SUB_GID_DETERMINISTIC_WRAP</option> (boolean)</term>
+ <listitem>
+ <para>
+ <emphasis role="bold">
+ WARNING: SECURITY RISK - MAY CAUSE RANGE OVERLAPS AND PRIVILEGE ESCALATION!
+ </emphasis>
+ </para>
+ <para>
+ Only effective when <option>SUB_GID_DETERMINISTIC</option> is set to
+ <replaceable>yes</replaceable>.
+ </para>
+ <para>
+ When set to <replaceable>yes</replaceable> (WRAP MODE),
+ allows the deterministic range calculation to wrap around using
+ modulo arithmetic when a UID would overflow the configured subordinate ID space.
+ The subordinate ID space is treated as a ring buffer.
+ </para>
+ <para>
+ <emphasis role="bold">WARNING</emphasis>:
+ Range overlaps can lead to container escapes and privilege escalation.
+ For example, with
+ <option>SUB_GID_MIN</option>=100000,
+ <option>SUB_GID_MAX</option>=200000,
+ <option>SUB_GID_COUNT</option>=65536,
+ User A (UID 1000) gets range [100000, 165535] and
+ User B (UID 1001) wraps and overlaps with User A.
+ User B's container can now access files from User A's containers.
+ </para>
+ <para>
+ Use <emphasis role="bold">only</emphasis> in development, testing,
+ or tightly constrained lab environments.
+ </para>
+ <para>
+ When set to <replaceable>no</replaceable> (default),
+ any arithmetic overflow or range exceeding
+ <option>SUB_GID_MAX</option> is a hard error.
+ This guarantees non-overlapping, monotonic allocation.
+ </para>
+ <para>
+ The default value for
+ <option>UNSAFE_SUB_GID_DETERMINISTIC_WRAP</option> is
+ <replaceable>no</replaceable>.
+ </para>
+ </listitem>
+</varlistentry>
</refsect2>
</listitem>
</varlistentry>
+<varlistentry condition="subids">
+ <term><option>UNSAFE_SUB_UID_DETERMINISTIC_WRAP</option> (boolean)</term>
+ <listitem>
+ <para>
+ <emphasis role="bold">
+ WARNING: SECURITY RISK - MAY CAUSE RANGE OVERLAPS AND PRIVILEGE ESCALATION!
+ </emphasis>
+ </para>
+ <para>
+ Only effective when <option>SUB_UID_DETERMINISTIC</option> is set to
+ <replaceable>yes</replaceable>.
+ </para>
+ <para>
+ When set to <replaceable>yes</replaceable> (WRAP MODE),
+ allows the deterministic range calculation to wrap around using
+ modulo arithmetic when a UID would overflow the configured subordinate ID space.
+ The subordinate ID space is treated as a ring buffer.
+ </para>
+ <para>
+ <emphasis role="bold">WARNING</emphasis>:
+ Range overlaps can lead to container escapes and privilege escalation.
+ For example, with
+ <option>SUB_UID_MIN</option>=100000,
+ <option>SUB_UID_MAX</option>=200000,
+ <option>SUB_UID_COUNT</option>=65536,
+ User A (UID 1000) gets range [100000, 165535] and
+ User B (UID 1001) wraps and overlaps with User A.
+ User B's container can now access files from User A's containers.
+ </para>
+ <para>
+ Use <emphasis role="bold">only</emphasis> in development, testing,
+ or tightly constrained lab environments.
+ </para>
+ <para>
+ When set to <replaceable>no</replaceable> (default),
+ any arithmetic overflow or range exceeding
+ <option>SUB_UID_MAX</option> is a hard error.
+ This guarantees non-overlapping, monotonic allocation.
+ </para>
+ <para>
+ The default value for
+ <option>UNSAFE_SUB_UID_DETERMINISTIC_WRAP</option> is
+ <replaceable>no</replaceable>.
+ </para>
+ </listitem>
+</varlistentry>