Open harningt opened 3 years ago
Hmmmm, a good point. I didn't think much of it while doing the mappings, I hoped namespaces somehow take care of it. I believe the useradd command also by default creates the same ranges for everyone, right?
So you mean there should be some checker for what existing values are there, and then it would shift the range a bit for each?
I'm thinking that the safest option would be to check if there was a line that either started with: <username>: or <uid>: which would indicate that the relevant user ID was there. Similar for group. The format allows both name and ID as the identifier.
useradd typically is responsible for auto-generating a suitable range.
Checking if the value is there and then failing if the related mapping is not present would be useful for debugging issues (if I remember right, podman doesn't always output the most helpful issues).
I looked at the man page of useradd, and it claims to go find suitable ranges for the id maps. I think the whole check is rarely causing any additions for the sub id mappings. It was needed for the time useradd didn't yet do it, and nowadays it does. And this role creates a new id, thus I believe it also lets the system create the relevant sub id ranges. Thus the next time this module is being run, the ids are there already, and we don't need to fix those.
Perhaps one day we could remove the whole check, and just abort if the ids are missing. It should be a rather random case nowadays.
Personally, I won't bother doing anything for this as of now. But if you wish to enhance it, a PR is very welcome.
Looking at how the automatic subuid / subgid management works - the assigned values must not overlap any existing ones.
In my local code that handles this - I have a mapping of user-groups -> subuid/subgid pairs so I know they don't overlap.
The fix here might be to force the ID ranges to be an input, otherwise an existing setup might be broken where there are multiple users w/ ranges set up.
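
Added example (not part of the thread and not the role's own code): a sketch of the check discussed above, which parses `owner:start:count` lines as found in /etc/subuid or /etc/subgid, tests whether a user is listed by name or by UID, reports overlapping ranges, and picks a start past all existing ranges. The function names and the sample data are hypothetical.

```python
# Added example: function names and sample data are hypothetical.
from typing import NamedTuple


class SubidEntry(NamedTuple):
    owner: str   # login name or numeric UID, as written in the file
    start: int   # first subordinate ID
    count: int   # number of IDs in the range

    @property
    def end(self) -> int:
        return self.start + self.count  # exclusive upper bound


def parse_subid(text: str) -> list[SubidEntry]:
    """Parse subuid/subgid content, one owner:start:count entry per line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3 or not fields[0]:
            raise ValueError(f"line {lineno}: expected owner:start:count")
        entries.append(SubidEntry(fields[0], int(fields[1]), int(fields[2])))
    return entries


def has_entry(entries, username: str, uid: int) -> bool:
    """True if the user is listed under either the login name or the UID."""
    return any(e.owner in (username, str(uid)) for e in entries)


def find_overlaps(entries):
    """Return pairs of ranges that share at least one ID."""
    ordered = sorted(entries, key=lambda e: e.start)
    return [(a, b) for i, a in enumerate(ordered)
            for b in ordered[i + 1:] if b.start < a.end]


def next_free_start(entries, floor: int = 100000) -> int:
    """Lowest start at or above `floor` that lies past every existing range."""
    return max([floor] + [e.end for e in entries])


# Constructed sample: "bob" reuses alice's range, the collision raised above.
SAMPLE = "alice:100000:65536\n1002:165536:65536\nbob:100000:65536\n"
```

Failing when `has_entry` is false or `find_overlaps` is non-empty gives the explicit error the thread asks for, instead of silently appending a fixed range.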