Distrobox with ipa users

I am trying to run distrobox so that I can quickly get a few projects up and running which would require more tinkering than I have time for on Nix. (My earlier attempt ended when my buildFHSUserEnv nix-shell led to stack smashing errors).

Unfortunately my users are ipa based and so they are not included in /etc/subuid or /etc/subgid. I added subids to the ipa server, but it doesn’t appear this is supported by the current nix module (or perhaps I am doing something wrong). Is there an easy way I can just add these users to those files?

I assume it is something like:

environment.etc."subuid" = {
  # the file is /etc/subuid; each line has the form <user>:<first subordinate id>:<count>
  text = ''
    <user>
  '';
};

But how do I make sure it doesn’t overwrite the entries already present?
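A fuller version of the snippet above, as an added example that is not from this thread: it declares /etc/subuid and /etc/subgid for a list of users, allocating each a 65536-wide range sequentially so that no two users' ranges overlap (overlapping ranges would let one user's containers map onto another's subordinate IDs). The user names, start ID and range size are assumptions for illustration.

```nix
{ lib, ... }:
let
  # Constructed example: users maintained outside the host (e.g. by IPA)
  # that need subordinate UID/GID ranges on this machine.
  subidUsers = [ "alice" "bob" ];

  # Size of each range and where the first range starts (assumed values;
  # pick a block that does not collide with real UIDs/GIDs on the host).
  rangeSize = 65536;
  firstId = 100000;

  # Build one "<user>:<start>:<count>" line; ranges are laid out back to
  # back, so index i starts at firstId + i * rangeSize and cannot overlap.
  mkRange = i: user:
    "${user}:${toString (firstId + i * rangeSize)}:${toString rangeSize}";

  subidLines = lib.concatStringsSep "\n" (lib.imap0 mkRange subidUsers) + "\n";
in
{
  # The same layout is used for both files, which is what container
  # runtimes normally expect.
  environment.etc."subuid".text = subidLines;
  environment.etc."subgid".text = subidLines;
}
```

With the values above this produces `alice:100000:65536` and `bob:165536:65536` in both files. Note that defining these files this way supplies the whole content, so any entries the system would otherwise generate for local users are not preserved.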

Just found: this Stack Overflow article

Trying it… I will report back.

This definitely replaces the values that were put there automatically for my local users. The good news is that I don’t actually need the local users to have subuid/subgid access that I know of, so for the time being that would be ok.

The bad news is that getsubids still returns an error and distrobox reports a separate error about an inconsistent state.

I found that my problem could not be fixed by adding my ipa users to /etc/subuids or /etc/subgids.

I also found information suggesting that the answer to the problem is to add subid: sss to /etc/nsswitch.conf

I am struggling with how to append text to this file. Apparently using mkDefault { mkAfter } for environment.etc doesn’t work. I did find a post which attempted to explain this by linking the relevant nix modules for mk_etc.sh, but I didn’t understand what I was looking at.

You may want to have a look at the system.nssDatabases configuration option, which is used to create /etc/nsswitch.conf.

Thanks for the answer.
Unless I am missing something, nssDatabases currently doesn’t have any sort of extraLines option. If I understand that correctly, it probably should.

Regardless, it turns out that subid is a bit of a hack which is allowed by an nsswitch behaviour which allows for any lines it does not understand so that other programs can take advantage. In the case of subid: <entry>, it tries to load a library called libsubid_<entry>.so so that those lookups can be processed.

In this case, I am both upset that I can’t add the lines that I want and that sssd subids are supported in such a haphazard manner. From a security perspective, this method is at least scary.

What I don’t understand is why things don’t work when I update my /etc/subuid and /etc/subgid files. I am not happy with having to have configs specifically for users who are maintained by another server, but at least it would allow me to do what I need.
Currently, my only option is to have a local user just to run distroboxes. While I would prefer not to have to use distrobox in the first place, it is also a quick way to get something working while I look for a better way.

There is nothing hacky about subid entries. This is documented behaviour of the nsswitch mechanism. It is true, though, that the system.nssDatabases mechanism does not adequately reflect this possible use. Patches and issues may be welcome, especially when you can show a specific use case which involves already supported software (like sssd). The path to the libsubuid_sss.so library would need to be added to the system.nssModules configuration option. This should be handled by the sssd nixos module, though, because nssModules is an internal option.

I don’t understand what you think is done haphazardly.


Perhaps I was a bit too hasty in classifying the method used here.

In general, an open text file with entries that cause the loading of libraries which provide overrides just seems like the kind of thing which is easily exploited.

I suppose it is necessary to keep nsswitch.conf so that it can only be modified by root (or in Nix, by configuration), but then the same can be said for most of the files in /etc.

I would like to retract my previous statement. Thank you for the comment.