diff options
| author | Lennart Poettering <lennart@poettering.net> | 2022-02-15 22:40:29 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2022-02-16 13:37:01 +0100 |
| commit | 9df83788c1f19eca2f0ffe051d0e2b99e5cc77a8 (patch) | |
| tree | 59e10e9113156ab3b21a50f0b6aff18487d9b79b /docs | |
| parent | homed: when using id mapping on the home dirs, also do an identity mapping fo... (diff) | |
| download | systemd-9df83788c1f19eca2f0ffe051d0e2b99e5cc77a8.tar.xz systemd-9df83788c1f19eca2f0ffe051d0e2b99e5cc77a8.zip | |
docs: document homed's use of the container UID mapping
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/UIDS-GIDS.md | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/docs/UIDS-GIDS.md b/docs/UIDS-GIDS.md index 5c05bf11cb..6931536185 100644 --- a/docs/UIDS-GIDS.md +++ b/docs/UIDS-GIDS.md @@ -233,6 +233,27 @@ safely use the NSS user database as allocation check, too. Note that if you follow this scheme no changes to `/etc/passwd` need to be made, thus minimizing the artifacts the container manager persistently leaves in the system. +5. `systemd-homed` by default mounts the home directories it manages with UID +mapping applied. It will map four UID ranges into that uidmap, and leave +everything else unmapped: the range from 0…60000, the user's own UID, the range +60514…65534, and the container range 524288…1879048191. This means +files/directories in home directories managed by `systemd-homed` cannot be +owned by UIDs/GIDs outside of these four ranges (attempts to `chown()` files to +UIDs outside of these ranges will fail). Thus, if container trees are to be +placed within a home directory managed by `systemd-homed` they should take +these ranges into consideration and either place the trees at base UID 0 (and +then map them to a higher UID range for use in user namespacing via another +level of UID mapped mounts, at *runtime*) or at a base UID from the container +UID range. That said, placing container trees (and in fact any +files/directories not owned by the home directory's user) in home directories +is generally a questionable idea (regardless of whether `systemd-homed` is used +or not), given this typically breaks quota assumptions, makes it impossible for +users to properly manage all files in their own home directory due to +permission problems, introduces security issues around SETUID and severely +restricts compatibility with networked home directories. Typically, it's a much +better idea to place container images outside of the home directory, +i.e. somewhere below `/var/` or similar. + ## Summary | UID/GID | Purpose | Defined By | Listed in | |