Package: debian-policy
X-Debbugs-CC: pkg-shadow-de...@lists.alioth.debian.org,
base-pas...@packages.debian.org
Dear Policy Editors,
passwd/shadow long ago introduced the concept of "subuids".
Please see subuid(5), or https://manpages.debian.org/bookworm/passwd/subuid.5.en.html
These are used by unshare and other container managers. They are
*automatically* assigned by useradd, when creating non-system users.
Debian's src:shadow uses the same uid-range as upstream:
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
These ranges are in the range currently documented in policy 9.2.2
as:
| 65536-4294967293:
| Dynamically allocated user accounts. By default adduser will not
| allocate UIDs and GIDs in this range, to ease compatibility with
| legacy systems where uid_t is still 16 bits.
Given this concept has existed since at least jessie, I think it should
finally be documented in policy, too.
I'm not sure about a text. Maybe:
diff --git i/policy/ch-opersys.rst w/policy/ch-opersys.rst
index 1501076..37b4674 100644
--- i/policy/ch-opersys.rst
+++ w/policy/ch-opersys.rst
@@ -292,11 +292,16 @@ The UID and GID numbers are divided into classes as
follows:
This value *must not* be used, because it was the error return
sentinel value when ``uid_t`` was 16 bits.
-65536-4294967293:
+65536-99999, 600100000-4294967293:
Dynamically allocated user accounts. By default ``adduser`` will not
allocate UIDs and GIDs in this range, to ease compatibility with
legacy systems where ``uid_t`` is still 16 bits.
+100000-600100000:
+ Dynamically allocated subordinate user ids. See subuid(5).
+ ``useradd`` (and thus ``adduser``) automatically allocate these
+ when non-system users are created.
+
4294967294:
``(uid_t)(-2) == (gid_t)(-2)`` *must not* be used, because it is
used as the anonymous, unauthenticated user by some NFS
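Review bot: 600100000 ends up in two classes, because the rewritten first entry reads "65536-99999, 600100000-4294967293" while the new entry reads "100000-600100000". Pick one owner for that boundary value: start the upper range at 600100001 if SUB_UID_MAX is meant as an inclusive bound, or end the new class at 600099999 if it is not. The new entry also speaks only of subordinate user ids and cites only subuid(5), although the list it joins classifies "UID and GID numbers"; say whether the same range is reserved for subordinate GIDs and cite subgid(5) if so. Minor: "``useradd`` (and thus ``adduser``) automatically allocate these" should read "allocates".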
Thanks,
Chris
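
An added example, not part of the original report and not code from shadow or debian-policy: a small auditor that parses subuid(5) entries (`owner:first:count`) and flags blocks that leave the SUB_UID_MIN/SUB_UID_MAX window quoted above or that overlap another owner's block. The sample file is constructed, the function names are hypothetical, and SUB_UID_MAX is assumed to be an inclusive bound.

```python
"""Audit subuid(5) entries against the SUB_UID_MIN/SUB_UID_MAX window."""

SUB_UID_MIN = 100000      # values quoted in the report
SUB_UID_MAX = 600100000   # assumption: treated as an inclusive upper bound

# Constructed sample in subuid(5) format: owner:first_subuid:count
SAMPLE = """\
# constructed test data, not taken from a real system
alice:100000:65536
bob:165536:65536
carol:200000:65536
dave:265536:65536
eve:65000:1000
"""

def parse_subuid(text):
    """Return a list of (owner, first, last) tuples with inclusive bounds."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected owner:first:count")
        owner, first, count = fields[0], int(fields[1]), int(fields[2])
        if first < 0 or count < 1:
            raise ValueError(f"line {lineno}: invalid range")
        entries.append((owner, first, first + count - 1))
    return entries

def audit(entries, lo=SUB_UID_MIN, hi=SUB_UID_MAX):
    """Return findings: blocks outside [lo, hi], then overlapping blocks."""
    findings = []
    for owner, first, last in entries:
        if first < lo or last > hi:
            findings.append(("outside-window", owner))
    # Sweep in start order, remembering the furthest end seen so far, so a
    # large block that covers several later ones is still detected.
    prev_owner, prev_last = None, -1
    for owner, first, last in sorted(entries, key=lambda e: e[1]):
        if first <= prev_last:
            findings.append(("overlap", f"{prev_owner}/{owner}"))
        if last > prev_last:
            prev_owner, prev_last = owner, last
    return findings

if __name__ == "__main__":
    for kind, who in audit(parse_subuid(SAMPLE)):
        print(f"{kind}: {who}")
```
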