Dear Experts,
Could someone enlighten me about the following file:
/etc/subuid
? This file appears to be owned by the "setup" package. This is a CentOS 7 system, and until now these files, if they existed, were never changed. Today I added a user in quite a routine way, by doing
/usr/sbin/groupadd -g 4500 [username]
/usr/sbin/useradd -g [username] -u 4500 -c "User Name, email@domain" [username]
And the file /etc/subuid changed, and the user was added to it:
[username]:100000:65536
Nothing like that was happening before. This is the first time I have created an account after the update done on Oct 3, 2019. I checked several CentOS 7 machines, basically doing this:
# grep subuid /usr/sbin/useradd
Binary file /usr/sbin/useradd matches
And CentOS 7 machines indeed may have that file name in the useradd binary. None of the CentOS 6 machines has that.
I tried to do a FreeBSD-ism:
man /etc/subuid
came up empty, and realized that I was doing a FreeBSD-ism.
I tried to do a search on the web (did not "google", I use duckduckgo... so I "did search"), and came up pretty much empty.
Is it just me, or has something in CentOS 7 indeed changed? And what is it?
Another question on the same note: how do we find out what a file is about and what it is used for in Linux, apart from searching on the web? (When there are surprises like the one I had today, one does like to know what this particular file is used for.)
Thanks in advance for your answers.
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 2019-10-09 15:47, Valeri Galtsev wrote:
> Could someone enlighten me about the following file:
> /etc/subuid
A quick google search:
https://lmgtfy.com/?qtype=search&q=%2Fetc%2Fsubuid
yielded this as the first link:
http://man7.org/linux/man-pages/man5/subuid.5.html
On 2019-10-09 14:56, Mike Burger wrote:
> On 2019-10-09 15:47, Valeri Galtsev wrote:
>> Dear Experts,
I am going to answer my own questions; sorry for using the original post to reply to. I just decided to flatter myself by answering what was addressed to Experts, even if it was I who did it ;-)
>> Could someone enlighten me about the following file:
>> /etc/subuid
Thanks to everyone who pointed me to the actual purpose of this file.
<The rest is written by an upset person who almost investigated what appeared like a potential compromise, which it wasn't>
Now that I tagged what I will write below, here are my findings.
Until the release of the current "version" of CentOS 7, namely version 7.7.1908, the following command, which is part of the shadow-utils package:
/usr/sbin/useradd
did not touch the /etc/subuid file. This is true of version 4.1.5.1-25 and older.
With the new CentOS release, shadow-utils was replaced with version 4.6.5, which has its default behavior changed: namely, it does modify the /etc/subuid file.
And here are my problems and reasons to be upset with this change:
1. The default behavior of the command /usr/sbin/useradd has changed;
2. the man page for the command /usr/sbin/useradd has no mention of /etc/subuid;
3. there is no way to change the command's behavior to what it was in the past, and there are no options related to /etc/subuid in the useradd command.
Incidentally, dealing with /etc/subuid was (or is it just "is"?) reserved for the command /usr/sbin/usermod. And the man page for the usermod command has subuid in it. I am not going to discuss which command dealing with /etc/subuid belongs to, keeping in mind the mood of the person who has investigated a false case of compromise purely created by my system vendor. No, not the system vendor, and not even the upstream system vendor; the change actually appears to have been made by the maintainer of shadow-utils (I see the same on an Ubuntu system - just looked randomly into a box with a different system).
Thanks again to everybody who gave their insights.
Valeri
On Wed, Oct 09, 2019 at 02:47:19PM -0500, Valeri Galtsev wrote:
> Could someone enlighten me about the following file:
> /etc/subuid
> ? This file appears to be owned by the "setup" package. This is a CentOS 7 system, and until now these files, if they existed, were never changed. Today I added a user in quite a routine way, by doing
> /usr/sbin/groupadd -g 4500 [username]
> /usr/sbin/useradd -g [username] -u 4500 -c "User Name, email@domain" [username]
> And the file /etc/subuid changed, and the user was added to it:
I'm not sure what else it's used for, but /etc/subuid and /etc/subgid are used by podman for rootless containers (i.e. you can run a container without any root permissions). subuid/subgid is used to map a range of UID/GIDs to the process namespace inside the kernel.
Some details here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomi...
It's actually pretty cool.
So, now when accounts are created with useradd, subuids are assigned to that new user.
Unfortunately, this doesn't really work in an enterprise environment when users are defined via LDAP, since no subuid/subgid entries are created, but I've heard that there's an effort to make that happen in the NSS layer in the future.
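Added example, not part of the original thread: a small Python audit of subuid-format data (the `owner:start:count` layout of the `[username]:100000:65536` entry quoted earlier). It flags malformed lines, overlapping ranges, and real accounts (for example centrally managed ones with high UIDs) whose UID falls inside another owner's subordinate range; the function names and the sample accounts are constructed for illustration.

```python
# Added example: audit /etc/subuid-style data ("owner:start:count" per line).

def parse_subid(text):
    """Return (ranges, malformed): ranges are (owner, first_id, last_id) tuples."""
    ranges, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(":")
        if fields == [""]:
            continue  # blank line
        ok = len(fields) == 3 and fields[1].isdecimal() and fields[2].isdecimal()
        if ok and int(fields[2]) > 0:
            first, count = int(fields[1]), int(fields[2])
            ranges.append((fields[0], first, first + count - 1))
        else:
            # Non-numeric, short or zero-length entries are reported, not trusted.
            malformed.append((lineno, line.strip()))
    return ranges, malformed

def overlapping(ranges):
    """Pairs of owners whose ranges share at least one ID."""
    ordered = sorted(ranges, key=lambda r: r[1])
    hits = []
    for i, (owner_a, _, last_a) in enumerate(ordered):
        for owner_b, first_b, _ in ordered[i + 1:]:
            if first_b > last_a:
                break  # sorted by first ID, so no later range can overlap
            hits.append((owner_a, owner_b))
    return hits

def shadowed_accounts(ranges, passwd_text):
    """Accounts whose UID lies inside another owner's subordinate range."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdecimal():
            name, uid = fields[0], int(fields[2])
            hits += [(name, uid, owner) for owner, first, last in ranges
                     if first <= uid <= last and owner != name]
    return hits

# Constructed sample data, not taken from any real host.
SUBUID = "alice:100000:65536\nbob:165536:65536\ncarol:150000:65536\nbroken:100000\n"
PASSWD = ("alice:x:4500:4500::/home/alice:/bin/bash\n"
          "ldapuser:x:120000:120000::/home/ldapuser:/bin/bash\n")

if __name__ == "__main__":
    ranges, bad = parse_subid(SUBUID)
    print("malformed lines:", bad)
    print("overlapping owners:", overlapping(ranges))
    print("shadowed accounts:", shadowed_accounts(ranges, PASSWD))
```

On a real host the inputs would be the contents of /etc/subuid and the output of `getent passwd`.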
On 2019-10-09 14:58, Jonathan Billings wrote:
> So, now when accounts are created with useradd, subuids are assigned to that new user.
Thank you, Michael and Jonathan for your answers.
I have one more question (which I probably will just answer myself by kickstart installing a fresh new system...):
Did something change and now by default the useradd command adds the user to that file (by default without me using an extra flag etc.)? In other words, is it just me, or did the command we used since forever suddenly change its behavior?
Thanks again for your insights everybody.
Valeri
On Wed, 9 Oct 2019 at 16:34, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
> Did something change and now by default the useradd command adds the user to that file (by default without me using an extra flag etc.)? In other words, is it just me, or did the command we used since forever suddenly change its behavior?
I believe it is a new behavior (by about a year). This file was not in earlier versions of RHEL because my systems only seem to have it showing up after 2018-10
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
On 2019-10-09 15:39, Stephen John Smoogen wrote:
> I believe it is a new behavior (by about a year). This file was not in earlier versions of RHEL because my systems only seem to have it showing up after 2018-10
Thanks, you made me feel better.
I create users on Linux machines routinely; I created the previous user two or three weeks ago, and the useradd command didn't behave like that.
Valeri
On 09.10.19 at 22:39, Stephen John Smoogen wrote:
> I believe it is a new behavior (by about a year). This file was not in earlier versions of RHEL because my systems only seem to have it showing up after 2018-10
Seems C7 has no changelog entry but C8 gives:
$ rpm -q --changelog shadow-utils |grep -C 1 subo
* Mi Nov 26 2014 Tomáš Mráz tmraz@redhat.com - 2:4.2.1-1
- new upstream release with support for subordinate uids and gids
-- Leon