Add debian/patches/userns: patches to enable use of subuids (Closes: #739981)

debian/changelog

@@ -1,5 +1,6 @@
 shadow (1:4.2-1) UNRELEASED; urgency=low
 
+  [ Nicolas FRANCOIS (Nekral) ]
   * New upstream release. Fixes:
     - Invalid free() in su fixed by using strdup(). Thanks to Serge
       Hallyn for the patch. Closes: #691459
@@ -31,6 +32,10 @@ shadow (1:4.2-1) UNRELEASED; urgency=low
   * debian/login.su.pam: Enable pam_limits by default. Closes: #705301
   * debian/rules: Set default editor to sensible-editor for vipw.
     Closes: #688252
+  [ Micah Anderson ]
+  * added debian/patches/userns to enable use of subuids, plus some bugfix 
+    patches on top of them, patches from Eric Biederman, pulled from
+    Ubuntu. Closes: #739981
 
  -- Christian Perrier <bubulle@debian.org>  Sat, 27 Jul 2013 20:07:18 +0200
 

debian/patches/1000_configure_userns

@@ -0,0 +1,105 @@
+=== modified file 'etc/login.defs'
+Index: shadow/etc/login.defs
+===================================================================
+--- shadow.orig/etc/login.defs	2014-02-16 19:31:38.934898148 -0500
++++ shadow/etc/login.defs	2014-02-16 19:31:38.926898149 -0500
+@@ -229,7 +229,7 @@
+ # Extra per user uids
+ SUB_UID_MIN		   100000
+ SUB_UID_MAX		600100000
+-SUB_UID_COUNT		    10000
++SUB_UID_COUNT		    65536
+ 
+ #
+ # Min/max values for automatic gid selection in groupadd
+@@ -242,7 +242,7 @@
+ # Extra per user group ids
+ SUB_GID_MIN		   100000
+ SUB_GID_MAX		600100000
+-SUB_GID_COUNT		    10000
++SUB_GID_COUNT		    65536
+ 
+ #
+ # Max number of login retries if password is bad
+Index: shadow/src/newusers.c
+===================================================================
+--- shadow.orig/src/newusers.c	2014-02-16 19:31:38.934898148 -0500
++++ shadow/src/newusers.c	2014-02-16 19:31:38.926898149 -0500
+@@ -946,8 +946,8 @@
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+-	is_sub_uid = sub_uid_file_present ();
+-	is_sub_gid = sub_gid_file_present ();
++	is_sub_uid = sub_uid_file_present () && !rflg;
++	is_sub_gid = sub_gid_file_present () && !rflg;
+ 
+ 	open_files ();
+ 
+Index: shadow/src/useradd.c
+===================================================================
+--- shadow.orig/src/useradd.c	2014-02-16 19:31:38.934898148 -0500
++++ shadow/src/useradd.c	2014-02-16 19:31:38.926898149 -0500
+@@ -1978,6 +1978,10 @@
+ #endif				/* USE_PAM */
+ #endif				/* ACCT_TOOLS_SETUID */
+ 
++	/* Needed for userns check */
++	uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
++	uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
++
+ 	/*
+ 	 * Get my name so that I can use it to report errors.
+ 	 */
+@@ -2001,18 +2005,20 @@
+ 	 */
+ 	user_groups[0] = (char *) 0;
+ 
+-
+ 	is_shadow_pwd = spw_file_present ();
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+-	is_sub_uid = sub_uid_file_present ();
+-	is_sub_gid = sub_gid_file_present ();
+-
+-	get_defaults ();
+ 
+ 	process_flags (argc, argv);
+ 
++	is_sub_uid = sub_uid_file_present () && !rflg &&
++	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
++	is_sub_gid = sub_gid_file_present () && !rflg &&
++	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
++
++	get_defaults ();
++
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ 	{
+Index: shadow/libmisc/find_new_sub_uids.c
+===================================================================
+--- shadow.orig/libmisc/find_new_sub_uids.c	2014-02-16 19:31:38.934898148 -0500
++++ shadow/libmisc/find_new_sub_uids.c	2014-02-16 19:31:38.926898149 -0500
+@@ -56,7 +56,7 @@
+ 
+ 	min = getdef_ulong ("SUB_UID_MIN", 100000UL);
+ 	max = getdef_ulong ("SUB_UID_MAX", 600100000UL);
+-	count = getdef_ulong ("SUB_UID_COUNT", 10000);
++	count = getdef_ulong ("SUB_UID_COUNT", 65536);
+ 
+ 	if (min >= max || count >= max || (min + count) >= max) {
+ 		(void) fprintf (stderr,
+Index: shadow/libmisc/find_new_sub_gids.c
+===================================================================
+--- shadow.orig/libmisc/find_new_sub_gids.c	2014-02-16 19:32:21.298896382 -0500
++++ shadow/libmisc/find_new_sub_gids.c	2014-02-16 19:32:34.462895834 -0500
+@@ -56,7 +56,7 @@
+ 
+ 	min = getdef_ulong ("SUB_GID_MIN", 100000UL);
+ 	max = getdef_ulong ("SUB_GID_MAX", 600100000UL);
+-	count = getdef_ulong ("SUB_GID_COUNT", 10000);
++	count = getdef_ulong ("SUB_GID_COUNT", 65536);
+ 
+ 	if (min >= max || count >= max || (min + count) >= max) {
+ 		(void) fprintf (stderr,

debian/patches/series

@@ -16,3 +16,20 @@
 523_su_arguments_are_no_more_concatenated_by_default
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
+userns/01_userns_doc
+userns/02_userns_doc_login.defs
+userns/03_userns_implement_commonio_append
+userns/04_userns_add_backend_support
+userns/05_userns_implemend_find_new_sub_xids
+userns/06_userns_userdel
+userns/07_userns_useradd
+userns/08_userns_detect_busy_subids
+userns/09_userns_usermod
+userns/10_userns_newusers
+userns/11_userns_newxidmap
+userns/12_userns_selinuxlibs
+userns/13_subordinate_parse_static_buf
+userns/14_fix_getopt
+userns/manpagetypo
+userns/16_add-argument-sanity-checking.patch
+1000_configure_userns

debian/patches/userns/01_userns_doc

@@ -0,0 +1,334 @@
+From ebiederm@xmission.com  Tue Jan 22 09:14:18 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id DAC33C80F4; Tue, 22 Jan 2013 09:14:18 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 274ACC80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:14:14 +0000 (UTC)
+Received: from out01.mta.xmission.com ([166.70.13.231])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZuB-0006Xm-N5; Tue, 22 Jan 2013 02:12:31 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out01.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZuA-0005NR-BQ; Tue, 22 Jan 2013 02:12:30 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZu7-0004Pj-Ec; Tue, 22 Jan 2013 02:12:30 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:12:23 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <877gn5shs8.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX18YouPWtKNAX3LovSW2+p/ONbuCHMFEQpM=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 01/11] Documentation for /etc/subuid and /etc/subgid
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2071                                                  
+Status: RO
+Content-Length: 9835
+Lines: 286
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ man/Makefile.am  |    4 ++
+ man/subgid.5.xml |  120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ man/subuid.5.xml |  120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 244 insertions(+), 0 deletions(-)
+ create mode 100644 man/subgid.5.xml
+ create mode 100644 man/subuid.5.xml
+
+Index: shadow/man/Makefile.am
+===================================================================
+--- shadow.orig/man/Makefile.am	2013-02-01 15:26:14.428082026 -0600
++++ shadow/man/Makefile.am	2013-02-01 15:27:37.000000000 -0600
+@@ -43,6 +43,8 @@
+ 	man5/shadow.5 \
+ 	man1/su.1 \
+ 	man5/suauth.5 \
++	man5/subgid.5 \
++	man5/subuid.5 \
+ 	man8/useradd.8 \
+ 	man8/userdel.8 \
+ 	man8/usermod.8 \
+@@ -94,6 +96,8 @@
+ 	sg.1.xml \
+ 	su.1.xml \
+ 	suauth.5.xml \
++	subgid.5.xml \
++	subuid.5.xml \
+ 	useradd.8.xml \
+ 	userdel.8.xml \
+ 	usermod.8.xml \
+Index: shadow/man/subgid.5.xml
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/man/subgid.5.xml	2013-02-01 15:26:14.424082026 -0600
+@@ -0,0 +1,120 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!--
++   Copyright (c) 2013 Eric W. Biederman
++   All rights reserved.
++  
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++  
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
++  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
++<!-- SHADOW-CONFIG-HERE -->
++]>
++<refentry id='subgid.5'>
++  <refmeta>
++    <refentrytitle>subgid</refentrytitle>
++    <manvolnum>5</manvolnum>
++    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
++    <refmiscinfo class="source">shadow-utils</refmiscinfo>
++    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
++  </refmeta>
++  <refnamediv id='name'>
++    <refname>subgid</refname>
++    <refpurpose>the subordinate gid file</refpurpose>
++  </refnamediv>
++
++  <refsect1 id='description'>
++    <title>DESCRIPTION</title>
++    <para>
++      Each line in <filename>/etc/subgid</filename> contains
++      a user id and a range of suboridinate user ids that user
++      is allowed to use.
++
++      This is specified with three fields delimited by colons
++      (<quote>:</quote>).
++      These fields are:
++    </para>
++    <itemizedlist mark='bullet'>
++      <listitem>
++	<para>login name</para>
++      </listitem>
++      <listitem>
++	<para>numerical subordinate user ID</para>
++      </listitem>
++      <listitem>
++	<para>numerical subordinate user ID count</para>
++      </listitem>
++    </itemizedlist>
++
++    <para>
++      This file specifies the group IDs to be that each user may use
++      with the <command>newgidmap</command> command that ordinary users can use to
++      configure gid mapping in a user namespace.
++    </para>
++
++    <para>
++      Multiple ranges may be specified per user ID.
++    </para>
++
++  </refsect1>
++
++  <refsect1 id='files'>
++    <title>FILES</title>
++    <variablelist>
++      <varlistentry>
++	<term><filename>/etc/subgid</filename></term>
++	<listitem>
++	  <para>Per user subordinate group IDs.</para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term><filename>/etc/subgid-</filename></term>
++	<listitem>
++	  <para>Backup file for /etc/subgid.</para>
++	</listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
++  <refsect1 id='see_also'>
++    <title>SEE ALSO</title>
++    <para>
++      <citerefentry>
++	<refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>logindefs</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>,
++    </para>
++  </refsect1>
++</refentry>
+Index: shadow/man/subuid.5.xml
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/man/subuid.5.xml	2013-02-01 15:26:14.424082026 -0600
+@@ -0,0 +1,120 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!--
++   Copyright (c) 2013 Eric W. Biederman
++   All rights reserved.
++  
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++  
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
++  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
++<!-- SHADOW-CONFIG-HERE -->
++]>
++<refentry id='subuid.5'>
++  <refmeta>
++    <refentrytitle>subuid</refentrytitle>
++    <manvolnum>5</manvolnum>
++    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
++    <refmiscinfo class="source">shadow-utils</refmiscinfo>
++    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
++  </refmeta>
++  <refnamediv id='name'>
++    <refname>subuid</refname>
++    <refpurpose>the subordinate uid file</refpurpose>
++  </refnamediv>
++
++  <refsect1 id='description'>
++    <title>DESCRIPTION</title>
++    <para>
++      Each line in <filename>/etc/subuid</filename> contains
++      a user id and a range of suboridinate user ids that user
++      is allowed to use.
++
++      This is specified with three fields delimited by colons
++      (<quote>:</quote>).
++      These fields are:
++    </para>
++    <itemizedlist mark='bullet'>
++      <listitem>
++	<para>login name</para>
++      </listitem>
++      <listitem>
++	<para>numerical subordinate user ID</para>
++      </listitem>
++      <listitem>
++	<para>numerical subordinate user ID count</para>
++      </listitem>
++    </itemizedlist>
++
++    <para>
++      This file specifies the user IDs to be that each user may use
++      with the <command>newuidmap</command> command that ordinary users can use to
++      configure uid mapping in a user namespace.
++    </para>
++
++    <para>
++      Multiple ranges may be specified per user ID.
++    </para>
++
++  </refsect1>
++
++  <refsect1 id='files'>
++    <title>FILES</title>
++    <variablelist>
++      <varlistentry>
++	<term><filename>/etc/subuid</filename></term>
++	<listitem>
++	  <para>Per user subordinate user IDs.</para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term><filename>/etc/subuid-</filename></term>
++	<listitem>
++	  <para>Backup file for /etc/subuid.</para>
++	</listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
++  <refsect1 id='see_also'>
++    <title>SEE ALSO</title>
++    <para>
++      <citerefentry>
++	<refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>logindefs</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>,
++    </para>
++  </refsect1>
++</refentry>

debian/patches/userns/02_userns_doc_login.defs

@@ -0,0 +1,218 @@
+From ebiederm@xmission.com  Tue Jan 22 09:14:55 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id 140DBC80F4; Tue, 22 Jan 2013 09:14:55 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 5D815C80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:14:50 +0000 (UTC)
+Received: from out03.mta.xmission.com ([166.70.13.233])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZum-0006il-0f; Tue, 22 Jan 2013 02:13:08 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZul-0004GF-Id; Tue, 22 Jan 2013 02:13:07 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZuf-0004T0-MS; Tue, 22 Jan 2013 02:13:07 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:12:58 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <871uddshr9.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX19iYyOCEx6dl2v1Ya/KIGpixG5+3MVA1bY=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 02/11] login.defs.5: Document the new variables in login.defs
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2072                                                  
+Status: RO
+Content-Length: 7615
+Lines: 170
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ man/Makefile.am                    |    2 +
+ man/login.defs.5.xml               |    8 ++++++
+ man/login.defs.d/SUB_GID_COUNT.xml |   46 ++++++++++++++++++++++++++++++++++++
+ man/login.defs.d/SUB_UID_COUNT.xml |   46 ++++++++++++++++++++++++++++++++++++
+ 4 files changed, 102 insertions(+), 0 deletions(-)
+ create mode 100644 man/login.defs.d/SUB_GID_COUNT.xml
+ create mode 100644 man/login.defs.d/SUB_UID_COUNT.xml
+
+Index: shadow/man/Makefile.am
+===================================================================
+--- shadow.orig/man/Makefile.am	2013-02-01 15:27:51.048080390 -0600
++++ shadow/man/Makefile.am	2013-02-01 15:27:51.040080390 -0600
+@@ -163,6 +163,8 @@
+ 	USERDEL_CMD.xml \
+ 	USERGROUPS_ENAB.xml \
+ 	USE_TCB.xml \
++	SUB_GID_COUNT.xml \
++	SUB_UID_COUNT.xml \
+ 	SYS_GID_MAX.xml \
+ 	SYS_UID_MAX.xml
+ 
+Index: shadow/man/login.defs.5.xml
+===================================================================
+--- shadow.orig/man/login.defs.5.xml	2013-02-01 15:27:51.048080390 -0600
++++ shadow/man/login.defs.5.xml	2013-02-01 15:27:51.044080390 -0600
+@@ -78,6 +78,8 @@
+ <!ENTITY SULOG_FILE            SYSTEM "login.defs.d/SULOG_FILE.xml">
+ <!ENTITY SU_NAME               SYSTEM "login.defs.d/SU_NAME.xml">
+ <!ENTITY SU_WHEEL_ONLY         SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml">
++<!ENTITY SUB_GID_COUNT         SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
++<!ENTITY SUB_UID_COUNT         SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
+ <!ENTITY SYS_GID_MAX           SYSTEM "login.defs.d/SYS_GID_MAX.xml">
+ <!ENTITY SYSLOG_SG_ENAB        SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml">
+ <!ENTITY SYSLOG_SU_ENAB        SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml">
+@@ -216,6 +218,8 @@
+       &SULOG_FILE;
+       &SU_NAME;
+       &SU_WHEEL_ONLY;
++      &SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX -->
++      &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX -->
+       &SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
+       &SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
+       &SYSLOG_SG_ENAB;
+@@ -393,6 +397,8 @@
+ 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
+ 	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ 	    SHA_CRYPT_MIN_ROUNDS</phrase>
++	    SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
++	    SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
+ 	    SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
+ 	    UMASK
+ 	  </para>
+@@ -470,6 +476,8 @@
+ 	    GID_MAX GID_MIN
+ 	    MAIL_DIR MAX_MEMBERS_PER_GROUP
+ 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
++	    SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
++	    SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
+ 	    SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
+ 	    UMASK
+ 	    <phrase condition="tcb">TCB_AUTH_GROUP TCB_SYMLINK USE_TCB</phrase>
+Index: shadow/man/login.defs.d/SUB_GID_COUNT.xml
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/man/login.defs.d/SUB_GID_COUNT.xml	2013-02-01 15:27:51.044080390 -0600
+@@ -0,0 +1,46 @@
++<!--
++   Copyright (c) 2013, Eric W. Biederman
++   All rights reserved.
++  
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++  
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<varlistentry>
++  <term><option>SUB_GID_MIN</option> (number)</term>
++  <term><option>SUB_GID_MAX</option> (number)</term>
++  <term><option>SUB_GID_COUNT</option> (number)</term>
++  <listitem>
++    <para>
++      The commands <command>useradd</command> and <command>newusers</command>
++      allocate <option>SUB_GID_COUNT</option> unused group IDs from the range
++      <option>SUB_GID_MIN</option> to <option>SUB_GID_MAX</option> for each
++      new user.
++    </para>
++    <para>
++      The default values for <option>SUB_GID_MAN</option>,
++      <option>SUB_GID_MIN</option>, <option>SUB_GID_COUNT</option>
++      are respectively 100000, 600100000 and 10000.
++    </para>
++  </listitem>
++</varlistentry>
+Index: shadow/man/login.defs.d/SUB_UID_COUNT.xml
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/man/login.defs.d/SUB_UID_COUNT.xml	2013-02-01 15:27:51.044080390 -0600
+@@ -0,0 +1,46 @@
++<!--
++   Copyright (c) 2013, Eric W. Biederman
++   All rights reserved.
++  
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++  
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<varlistentry>
++  <term><option>SUB_UID_MIN</option> (number)</term>
++  <term><option>SUB_UID_MAX</option> (number)</term>
++  <term><option>SUB_UID_COUNT</option> (number)</term>
++  <listitem>
++    <para>
++      The commands <command>useradd</command> and <command>newusers</command>
++      allocate <option>SUB_UID_COUNT</option> unused user IDs from the range
++      <option>SUB_UID_MIN</option> to <option>SUB_UID_MAX</option> for each
++      new user.
++    </para>
++    <para>
++      The default values for <option>SUB_GID_MAN</option>,
++      <option>SUB_GID_MIN</option>, <option>SUB_GID_COUNT</option>
++      are respectively 100000, 600100000 and 10000.
++    </para>
++  </listitem>
++</varlistentry>

debian/patches/userns/03_userns_implement_commonio_append

@@ -0,0 +1,110 @@
+From ebiederm@xmission.com  Tue Jan 22 09:15:19 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id CAFA8C80F6; Tue, 22 Jan 2013 09:15:19 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 43FAEC80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:15:15 +0000 (UTC)
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZvA-0006sA-Pq; Tue, 22 Jan 2013 02:13:32 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZv8-0004VI-Fi; Tue, 22 Jan 2013 02:13:32 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:13:26 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87vcapr361.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1++0A/mQBimfZkeNedO095IfnCYGQfIolI=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 03/11] Implement commonio_append.
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2073                                                  
+Status: RO
+Content-Length: 1874
+Lines: 65
+
+
+To support files that do not have a simple unique key implement
+commonio_append to allow new entries to be added.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ lib/commonio.c |   30 ++++++++++++++++++++++++++++++
+ lib/commonio.h |    1 +
+ 2 files changed, 31 insertions(+), 0 deletions(-)
+
+Index: shadow/lib/commonio.c
+===================================================================
+--- shadow.orig/lib/commonio.c	2013-02-01 15:27:51.376080384 -0600
++++ shadow/lib/commonio.c	2013-02-01 15:27:51.368080384 -0600
+@@ -1121,6 +1121,36 @@
+ 	return 1;
+ }
+ 
++int commonio_append (struct commonio_db *db, const void *eptr)
++{
++	struct commonio_entry *p;
++	void *nentry;
++
++	if (!db->isopen || db->readonly) {
++		errno = EINVAL;
++		return 0;
++	}
++	nentry = db->ops->dup (eptr);
++	if (NULL == nentry) {
++		errno = ENOMEM;
++		return 0;
++	}
++	/* new entry */
++	p = (struct commonio_entry *) malloc (sizeof *p);
++	if (NULL == p) {
++		db->ops->free (nentry);
++		errno = ENOMEM;
++		return 0;
++	}
++
++	p->eptr = nentry;
++	p->line = NULL;
++	p->changed = true;
++	add_one_entry (db, p);
++
++	db->changed = true;
++	return 1;
++}
+ 
+ void commonio_del_entry (struct commonio_db *db, const struct commonio_entry *p)
+ {
+Index: shadow/lib/commonio.h
+===================================================================
+--- shadow.orig/lib/commonio.h	2013-02-01 15:27:51.376080384 -0600
++++ shadow/lib/commonio.h	2013-02-01 15:27:51.368080384 -0600
+@@ -146,6 +146,7 @@
+ extern int commonio_open (struct commonio_db *, int);
+ extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *);
+ extern int commonio_update (struct commonio_db *, const void *);
++extern int commonio_append (struct commonio_db *, const void *);
+ extern int commonio_remove (struct commonio_db *, const char *);
+ extern int commonio_rewind (struct commonio_db *);
+ extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *);

debian/patches/userns/04_userns_add_backend_support

@@ -0,0 +1,685 @@
+From ebiederm@xmission.com  Tue Jan 22 09:16:29 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id AF9A9C80F4; Tue, 22 Jan 2013 09:16:29 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id EDF70C80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:16:24 +0000 (UTC)
+Received: from out01.mta.xmission.com ([166.70.13.231])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwI-0007HS-Mn; Tue, 22 Jan 2013 02:14:42 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out01.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwI-0005wP-8E; Tue, 22 Jan 2013 02:14:42 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwE-0004bA-Mv; Tue, 22 Jan 2013 02:14:42 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:14:35 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87liblr344.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1/3QOlmT6VsAuzQbs/RJ/nb1IrpO++QYVA=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 04/11] Add backend support for suboridnate uids and gids
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2074                                                  
+Status: RO
+X-Status: A
+Content-Length: 15967
+Lines: 636
+
+
+These files list the set of subordinate uids and gids that users are allowed
+to use.   The expect use case is with the user namespace but other uses are
+allowed.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ etc/login.defs      |    8 +
+ lib/Makefile.am     |    2 +
+ lib/getdef.c        |    6 +
+ lib/subordinateio.c |  512 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/subordinateio.h |   38 ++++
+ 5 files changed, 566 insertions(+), 0 deletions(-)
+ create mode 100644 lib/subordinateio.c
+ create mode 100644 lib/subordinateio.h
+
+Index: shadow/etc/login.defs
+===================================================================
+--- shadow.orig/etc/login.defs	2013-02-01 15:27:51.684080379 -0600
++++ shadow/etc/login.defs	2013-02-01 15:27:51.676080379 -0600
+@@ -226,6 +226,10 @@
+ # System accounts
+ SYS_UID_MIN		  101
+ SYS_UID_MAX		  999
++# Extra per user uids
++SUB_UID_MIN		   100000
++SUB_UID_MAX		600100000
++SUB_UID_COUNT		    10000
+ 
+ #
+ # Min/max values for automatic gid selection in groupadd
+@@ -235,6 +239,10 @@
+ # System accounts
+ SYS_GID_MIN		  101
+ SYS_GID_MAX		  999
++# Extra per user group ids
++SUB_GID_MIN		   100000
++SUB_GID_MAX		600100000
++SUB_GID_COUNT		    10000
+ 
+ #
+ # Max number of login retries if password is bad
+Index: shadow/lib/Makefile.am
+===================================================================
+--- shadow.orig/lib/Makefile.am	2013-02-01 15:27:51.684080379 -0600
++++ shadow/lib/Makefile.am	2013-02-01 15:27:51.676080379 -0600
+@@ -39,6 +39,8 @@
+ 	pwio.c \
+ 	pwio.h \
+ 	pwmem.c \
++	subordinateio.h \
++	subordinateio.c \
+ 	selinux.c \
+ 	semanage.c \
+ 	sgetgrent.c \
+Index: shadow/lib/getdef.c
+===================================================================
+--- shadow.orig/lib/getdef.c	2013-02-01 15:27:51.684080379 -0600
++++ shadow/lib/getdef.c	2013-02-01 15:27:51.680080379 -0600
+@@ -82,6 +82,12 @@
+ 	{"SHA_CRYPT_MAX_ROUNDS", NULL},
+ 	{"SHA_CRYPT_MIN_ROUNDS", NULL},
+ #endif
++	{"SUB_GID_COUNT", NULL},
++	{"SUB_GID_MAX", NULL},
++	{"SUB_GID_MIN", NULL},
++	{"SUB_UID_COUNT", NULL},
++	{"SUB_UID_MAX", NULL},
++	{"SUB_UID_MIN", NULL},
+ 	{"SULOG_FILE", NULL},
+ 	{"SU_NAME", NULL},
+ 	{"SYS_GID_MAX", NULL},
+Index: shadow/lib/subordinateio.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/lib/subordinateio.c	2013-02-01 15:27:51.680080379 -0600
+@@ -0,0 +1,512 @@
++/*
++ * Copyright (c) 2012 - Eric Biederman
++ */
++
++#include <config.h>
++#include "prototypes.h"
++#include "defines.h"
++#include <stdio.h>
++#include "commonio.h"
++#include "subordinateio.h"
++
++struct subordinate_range {
++	const char *owner;
++	unsigned long start;
++	unsigned long count;
++};
++
++#define NFIELDS 3
++
++static /*@null@*/ /*@only@*/void *subordinate_dup (const void *ent)
++{
++	const struct subordinate_range *rangeent = ent;
++	struct subordinate_range *range;
++
++	range = (struct subordinate_range *) malloc (sizeof *range);
++	if (NULL == range) {
++		return NULL;
++	}
++	range->owner = strdup (rangeent->owner);
++	if (NULL == range->owner) {
++		free(range);
++		return NULL;
++	}
++	range->start = rangeent->start;
++	range->count = rangeent->count;
++
++	return range;
++}
++
++static void subordinate_free (/*@out@*/ /*@only@*/void *ent)
++{
++	struct subordinate_range *rangeent = ent;
++	
++	free ((void *)(rangeent->owner));
++	free (rangeent);
++}
++
++static void *subordinate_parse (const char *line)
++{
++	static struct subordinate_range range;
++	char rangebuf[1024];
++	int i;
++	char *cp;
++	char *fields[NFIELDS];
++
++	/*
++	 * Copy the string to a temporary buffer so the substrings can
++	 * be modified to be NULL terminated.
++	 */
++	if (strlen (line) >= sizeof rangebuf)
++		return NULL;	/* fail if too long */
++	strcpy (rangebuf, line);
++
++	/*
++	 * Save a pointer to the start of each colon separated
++	 * field.  The fields are converted into NUL terminated strings.
++	 */
++
++	for (cp = rangebuf, i = 0; (i < NFIELDS) && (NULL != cp); i++) {
++		fields[i] = cp;
++		while (('\0' != *cp) && (':' != *cp)) {
++			cp++;
++		}
++
++		if ('\0' != *cp) {
++			*cp = '\0';
++			cp++;
++		} else {
++			cp = NULL;
++		}
++	}
++
++	/*
++	 * There must be exactly NFIELDS colon separated fields or
++	 * the entry is invalid.  Also, fields must be non-blank.
++	 */
++	if (i != NFIELDS || *fields[0] == '\0' || *fields[1] == '\0' || *fields[2] == '\0')
++		return NULL;
++	range.owner = fields[0];
++	if (getulong (fields[1], &range.start) == 0)
++		return NULL;
++	if (getulong (fields[2], &range.count) == 0)
++		return NULL;
++
++	return &range;
++}
++
++static int subordinate_put (const void *ent, FILE * file)
++{
++	const struct subordinate_range *range = ent;
++
++	return fprintf(file, "%s:%lu:%lu\n",
++			       range->owner,
++			       range->start,
++			       range->count) < 0 ? -1  : 0;
++}
++
++static struct commonio_ops subordinate_ops = {
++	subordinate_dup,	/* dup */
++	subordinate_free,	/* free */
++	NULL,			/* getname */
++	subordinate_parse,	/* parse */
++	subordinate_put,	/* put */
++	fgets,			/* fgets */
++	fputs,			/* fputs */
++	NULL,			/* open_hook */
++	NULL,			/* close_hook */
++};
++
++static /*@observer@*/ /*@null*/const struct subordinate_range *subordinate_next(struct commonio_db *db)
++{
++	commonio_next (db);
++}
++
++static bool is_range_free(struct commonio_db *db, unsigned long start,
++			  unsigned long count)
++{
++	const struct subordinate_range *range;
++	unsigned long end = start + count - 1;
++
++	commonio_rewind(db);
++	while ((range = commonio_next(db)) != NULL) {
++		unsigned long first = range->start;
++		unsigned long last = first + range->count - 1;
++
++		if ((end >= first) && (start <= last))
++			return false;
++	}
++	return true;
++}
++
++static const bool range_exists(struct commonio_db *db, const char *owner)
++{
++	const struct subordinate_range *range;
++	commonio_rewind(db);
++	while ((range = commonio_next(db)) != NULL) {
++		unsigned long first = range->start;
++		unsigned long last = first + range->count - 1;
++
++		if (0 == strcmp(range->owner, owner))
++			return true;
++	}
++	return false;
++}
++
++static const struct subordinate_range *find_range(struct commonio_db *db,
++						  const char *owner, unsigned long val)
++{
++	const struct subordinate_range *range;
++	commonio_rewind(db);
++	while ((range = commonio_next(db)) != NULL) {
++		unsigned long first = range->start;
++		unsigned long last = first + range->count - 1;
++
++		if (0 != strcmp(range->owner, owner))
++			continue;
++
++		if ((val >= first) && (val <= last))
++			return range;
++	}
++	return NULL;
++}
++
++static bool have_range(struct commonio_db *db,
++		       const char *owner, unsigned long start, unsigned long count)
++{
++	const struct subordinate_range *range;
++	unsigned long end;
++
++	if (count == 0)
++		return false;
++
++	end = start + count - 1;
++	range = find_range (db, owner, start);
++	while (range) {
++		unsigned long last; 
++
++		last = range->start + range->count - 1;
++		if (last >= (start + count - 1))
++			return true;
++
++		count = end - last;
++		start = last + 1;
++		range = find_range(db, owner, start);
++	}
++	return false;
++}
++
++static int subordinate_range_cmp (const void *p1, const void *p2)
++{
++	struct subordinate_range *range1, *range2;
++
++	if ((*(struct commonio_entry **) p1)->eptr == NULL)
++		return 1;
++	if ((*(struct commonio_entry **) p2)->eptr == NULL)
++		return -1;
++
++	range1 = ((struct subordinate_range *) (*(struct commonio_entry **) p1)->eptr);
++	range2 = ((struct subordinate_range *) (*(struct commonio_entry **) p2)->eptr);
++
++	if (range1->start < range2->start)
++		return -1;
++	else if (range1->start > range2->start)
++		return 1;
++	else if (range1->count < range2->count)
++		return -1;
++	else if (range1->count > range2->count)
++		return 1;
++	else
++		return strcmp(range1->owner, range2->owner);
++}
++
++static unsigned long find_free_range(struct commonio_db *db,
++				     unsigned long min, unsigned long max,
++				     unsigned long count)
++{
++	const struct subordinate_range *range;
++	unsigned long low, high;
++
++	/* When given invalid parameters fail */
++	if ((count == 0) || (max <= min))
++		goto fail;
++
++	/* Sort by range than by owner */
++	commonio_sort (db, subordinate_range_cmp);
++	commonio_rewind(db);
++
++	low = min;
++	while ((range = commonio_next(db)) != NULL) {
++		unsigned long first = range->start;
++		unsigned long last = first + range->count - 1;
++
++		/* Find the top end of the hole before this range */
++		high = first;
++		if (high > max)
++			high = max;
++
++		/* Is the hole before this range large enough? */
++		if ((high > low) && (((high - low) + 1) >= count))
++			return low;
++
++		/* Compute the low end of the next hole */
++		if (low < (last + 1))
++			low = last + 1;
++		if (low > max)
++			goto fail;
++	}
++
++	/* Is the remaining unclaimed area large enough? */
++	if (((max - low) + 1) >= count)
++		return low;
++fail:
++	return ULONG_MAX;
++}
++
++static int add_range(struct commonio_db *db,
++	const char *owner, unsigned long start, unsigned long count)
++{
++	struct subordinate_range range;
++	range.owner = owner;
++	range.start = start;
++	range.count = count;
++
++	/* See if the range is already present */
++	if (have_range(db, owner, start, count))
++		return 1;
++
++	/* Oterwise append the range */
++	return commonio_append(db, &range);
++}
++
++static int remove_range(struct commonio_db *db,
++	const char *owner, unsigned long start, unsigned long count)
++{
++	struct commonio_entry *ent;
++	unsigned long end;
++
++	if (count == 0)
++		return 1;
++
++	end = start + count - 1;
++	for (ent = db->head; ent; ent = ent->next) {
++		struct subordinate_range *range = ent->eptr;
++		unsigned long first;
++		unsigned long last;
++
++		/* Skip unparsed entries */
++		if (!range)
++			continue;
++
++		first = range->start;
++		last = first + range->count - 1;
++
++		/* Skip entries with a different owner */
++		if (0 != strcmp(range->owner, owner))
++			continue;
++
++		/* Skip entries outside of the range to remove */
++		if ((end < first) || (start > last))
++			continue;
++
++		/* Is entry completely contained in the range to remove? */
++		if ((start <= first) && (end >= last)) {
++			commonio_del_entry (db, ent);
++		} 
++		/* Is just the start of the entry removed? */
++		else if ((start <= first) && (end < last)) {
++			range->start = end + 1;
++			range->count = (last - range->start) + 1;
++
++			ent->changed = true;
++		}
++		/* Is just the end of the entry removed? */
++		else if ((start > first) && (end >= last)) {
++			range->count = (start - range->start) + 1;
++
++			ent->changed = true;
++		}
++		/* The middle of the range is removed */
++		else {
++			struct subordinate_range tail;
++			tail.owner = range->owner;
++			tail.start = end + 1;
++			tail.count = (last - tail.start) + 1;
++
++			if (!commonio_append(db, &tail))
++				return 0;
++
++			range->count = (start - range->start) + 1;
++
++			ent->changed = true;
++		}
++	}
++
++	return 1;
++}
++
++static struct commonio_db subordinate_uid_db = {
++	"/etc/subuid",		/* filename */
++	&subordinate_ops,	/* ops */
++	NULL,			/* fp */
++#ifdef WITH_SELINUX
++	NULL,			/* scontext */
++#endif
++	NULL,			/* head */
++	NULL,			/* tail */
++	NULL,			/* cursor */
++	false,			/* changed */
++	false,			/* isopen */
++	false,			/* locked */
++	false			/* readonly */
++};
++
++int sub_uid_setdbname (const char *filename)
++{
++	return commonio_setname (&subordinate_uid_db, filename);
++}
++
++/*@observer@*/const char *sub_uid_dbname (void)
++{
++	return subordinate_uid_db.filename;
++}
++
++bool sub_uid_file_present (void)
++{
++	return commonio_present (&subordinate_uid_db);
++}
++
++int sub_uid_lock (void)
++{
++	return commonio_lock (&subordinate_uid_db);
++}
++
++int sub_uid_open (int mode)
++{
++	return commonio_open (&subordinate_uid_db, mode);
++}
++
++bool is_sub_uid_range_free(uid_t start, unsigned long count)
++{
++	return is_range_free (&subordinate_uid_db, start, count);
++}
++
++bool sub_uid_assigned(const char *owner)
++{
++	return range_exists (&subordinate_uid_db, owner);
++}
++
++bool have_sub_uids(const char *owner, uid_t start, unsigned long count)
++{
++	return have_range (&subordinate_uid_db, owner, start, count);
++}
++
++int sub_uid_add (const char *owner, uid_t start, unsigned long count)
++{
++	return add_range (&subordinate_uid_db, owner, start, count);
++}
++
++int sub_uid_remove (const char *owner, uid_t start, unsigned long count)
++{
++	return remove_range (&subordinate_uid_db, owner, start, count);
++}
++
++int sub_uid_close (void)
++{
++	return commonio_close (&subordinate_uid_db);
++}
++
++int sub_uid_unlock (void)
++{
++	return commonio_unlock (&subordinate_uid_db);
++}
++
++uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count)
++{
++	unsigned long start;
++	start = find_free_range (&subordinate_uid_db, min, max, count);
++	return start == ULONG_MAX ? (uid_t) -1 : start;
++}
++
++static struct commonio_db subordinate_gid_db = {
++	"/etc/subgid",		/* filename */
++	&subordinate_ops,	/* ops */
++	NULL,			/* fp */
++#ifdef WITH_SELINUX
++	NULL,			/* scontext */
++#endif
++	NULL,			/* head */
++	NULL,			/* tail */
++	NULL,			/* cursor */
++	false,			/* changed */
++	false,			/* isopen */
++	false,			/* locked */
++	false			/* readonly */
++};
++
++int sub_gid_setdbname (const char *filename)
++{
++	return commonio_setname (&subordinate_gid_db, filename);
++}
++
++/*@observer@*/const char *sub_gid_dbname (void)
++{
++	return subordinate_gid_db.filename;
++}
++
++bool sub_gid_file_present (void)
++{
++	return commonio_present (&subordinate_gid_db);
++}
++
++int sub_gid_lock (void)
++{
++	return commonio_lock (&subordinate_gid_db);
++}
++
++int sub_gid_open (int mode)
++{
++	return commonio_open (&subordinate_gid_db, mode);
++}
++
++bool is_sub_gid_range_free(gid_t start, unsigned long count)
++{
++	return is_range_free (&subordinate_gid_db, start, count);
++}
++
++bool have_sub_gids(const char *owner, gid_t start, unsigned long count)
++{
++	return have_range(&subordinate_gid_db, owner, start, count);
++}
++
++bool sub_gid_assigned(const char *owner)
++{
++	return range_exists (&subordinate_gid_db, owner);
++}
++
++int sub_gid_add (const char *owner, gid_t start, unsigned long count)
++{
++	return add_range (&subordinate_gid_db, owner, start, count);
++}
++
++int sub_gid_remove (const char *owner, gid_t start, unsigned long count)
++{
++	return remove_range (&subordinate_gid_db, owner, start, count);
++}
++
++int sub_gid_close (void)
++{
++	return commonio_close (&subordinate_gid_db);
++}
++
++int sub_gid_unlock (void)
++{
++	return commonio_unlock (&subordinate_gid_db);
++}
++
++gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
++{
++	unsigned long start;
++	start = find_free_range (&subordinate_gid_db, min, max, count);
++	return start == ULONG_MAX ? (gid_t) -1 : start;
++}
+Index: shadow/lib/subordinateio.h
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/lib/subordinateio.h	2013-02-01 15:27:51.680080379 -0600
+@@ -0,0 +1,38 @@
++/*
++ * Copyright (c) 2012- Eric W. Biederman
++ */
++
++#ifndef _SUBORDINATEIO_H
++#define _SUBORDINATEIO_H
++
++#include <sys/types.h>
++
++extern int sub_uid_close(void);
++extern bool is_sub_uid_range_free(uid_t start, unsigned long count);
++extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
++extern bool sub_uid_file_present (void);
++extern bool sub_uid_assigned(const char *owner);
++extern int sub_uid_lock (void);
++extern int sub_uid_setdbname (const char *filename);
++extern /*@observer@*/const char *sub_uid_dbname (void);
++extern int sub_uid_open (int mode);
++extern int sub_uid_unlock (void);
++extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
++extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
++extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
++
++extern int sub_gid_close(void);
++extern bool is_sub_gid_range_free(gid_t start, unsigned long count);
++extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
++extern bool sub_gid_file_present (void);
++extern bool sub_gid_assigned(const char *owner);
++extern int sub_gid_lock (void);
++extern int sub_gid_setdbname (const char *filename);
++extern /*@observer@*/const char *sub_gid_dbname (void);
++extern int sub_gid_open (int mode);
++extern int sub_gid_unlock (void);
++extern int sub_gid_add (const char *owner, gid_t start, unsigned long count);
++extern int sub_gid_remove (const char *owner, gid_t start, unsigned long count);
++extern uid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count);
++
++#endif

debian/patches/userns/05_userns_implemend_find_new_sub_xids

@@ -0,0 +1,283 @@
+From ebiederm@xmission.com  Tue Jan 22 09:17:02 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id 480ABC80F4; Tue, 22 Jan 2013 09:17:02 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 90ACFC80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:16:57 +0000 (UTC)
+Received: from out01.mta.xmission.com ([166.70.13.231])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwp-0007cg-9X; Tue, 22 Jan 2013 02:15:15 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out01.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwo-0006DN-OT; Tue, 22 Jan 2013 02:15:14 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwj-0004g0-9e; Tue, 22 Jan 2013 02:15:14 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:15:05 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87fw1tr33a.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX19KHX5xUOkaLY5iIEqDVLxZKDTByyA0Xk8=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 05/11] Implement find_new_sub_uids find_new_sub_gids
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2075                                                  
+Status: RO
+Content-Length: 8108
+Lines: 235
+
+
+Functions for finding new subordinate uid and gids ranges for use
+with useradd.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ lib/prototypes.h            |    9 ++++
+ libmisc/Makefile.am         |    2 +
+ libmisc/find_new_sub_gids.c |   87 +++++++++++++++++++++++++++++++++++++++++++
+ libmisc/find_new_sub_uids.c |   87 +++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 185 insertions(+), 0 deletions(-)
+ create mode 100644 libmisc/find_new_sub_gids.c
+ create mode 100644 libmisc/find_new_sub_uids.c
+
+Index: shadow/lib/prototypes.h
+===================================================================
+--- shadow.orig/lib/prototypes.h	2013-02-01 15:27:52.044080373 -0600
++++ shadow/lib/prototypes.h	2013-02-01 15:27:52.040080373 -0600
+@@ -149,6 +149,15 @@
+                          uid_t *uid,
+                          /*@null@*/uid_t const *preferred_uid);
+ 
++/* find_new_sub_gids.c */
++extern int find_new_sub_gids (const char *owner,
++			      gid_t *range_start, unsigned long *range_count);
++
++/* find_new_sub_uids.c */
++extern int find_new_sub_uids (const char *owner,
++			      uid_t *range_start, unsigned long *range_count);
++
++
+ /* get_gid.c */
+ extern int get_gid (const char *gidstr, gid_t *gid);
+ 
+Index: shadow/libmisc/Makefile.am
+===================================================================
+--- shadow.orig/libmisc/Makefile.am	2013-02-01 15:27:52.044080373 -0600
++++ shadow/libmisc/Makefile.am	2013-02-01 15:27:52.040080373 -0600
+@@ -25,6 +25,8 @@
+ 	failure.h \
+ 	find_new_gid.c \
+ 	find_new_uid.c \
++	find_new_sub_gids.c \
++	find_new_sub_uids.c \
+ 	getdate.h \
+ 	getdate.y \
+ 	getgr_nam_gid.c \
+Index: shadow/libmisc/find_new_sub_gids.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/libmisc/find_new_sub_gids.c	2013-02-01 15:27:52.040080373 -0600
+@@ -0,0 +1,87 @@
++/*
++ * Copyright (c) 2012 Eric Biederman
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the copyright holders or contributors may not be used to
++ *    endorse or promote products derived from this software without
++ *    specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++ * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include <config.h>
++
++#include <assert.h>
++#include <stdio.h>
++#include <errno.h>
++
++#include "prototypes.h"
++#include "subordinateio.h"
++#include "getdef.h"
++
++/*
++ * find_new_sub_gids - Find a new unused range of GIDs.
++ *
++ * If successful, find_new_sub_gids provides a range of unused
++ * user IDs in the [SUB_GID_MIN:SUB_GID_MAX] range.
++ * 
++ * Return 0 on success, -1 if no unused GIDs are available.
++ */
++int find_new_sub_gids (const char *owner,
++		       gid_t *range_start, unsigned long *range_count)
++{
++	unsigned long min, max;
++	unsigned long count;
++	gid_t start;
++
++	assert (range_start != NULL);
++	assert (range_count != NULL);
++
++	min = getdef_ulong ("SUB_GID_MIN", 100000UL);
++	max = getdef_ulong ("SUB_GID_MAX", 600100000UL);
++	count = getdef_ulong ("SUB_GID_COUNT", 10000);
++
++	/* Is there a preferred range that works? */
++	if ((*range_count != 0) &&
++	    (*range_start >= min) &&
++	    (((*range_start) + (*range_count) - 1) <= max) &&
++	    is_sub_gid_range_free(*range_start, *range_count)) {
++		return 0;
++	}
++
++	if (max < (min + count)) {
++		(void) fprintf (stderr,
++				_("%s: Invalid configuration: SUB_GID_MIN (%lu), SUB_GID_MAX (%lu)\n"),
++			Prog, min, max);
++		return -1;
++	}
++	start = sub_gid_find_free_range(min, max, count);
++	if (start == (gid_t)-1) {
++		fprintf (stderr,
++		         _("%s: Can't get unique secondary GID range\n"),
++		         Prog);
++		SYSLOG ((LOG_WARN, "no more available secondary GIDs on the system"));
++		return -1;
++	}
++	*range_start = start;
++	*range_count = count;
++	return 0;
++}
++
+Index: shadow/libmisc/find_new_sub_uids.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/libmisc/find_new_sub_uids.c	2013-02-01 15:27:52.040080373 -0600
+@@ -0,0 +1,87 @@
++/*
++ * Copyright (c) 2012 Eric Biederman
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the copyright holders or contributors may not be used to
++ *    endorse or promote products derived from this software without
++ *    specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++ * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include <config.h>
++
++#include <assert.h>
++#include <stdio.h>
++#include <errno.h>
++
++#include "prototypes.h"
++#include "subordinateio.h"
++#include "getdef.h"
++
++/*
++ * find_new_sub_uids - Find a new unused range of UIDs.
++ *
++ * If successful, find_new_sub_uids provides a range of unused
++ * user IDs in the [SUB_UID_MIN:SUB_UID_MAX] range.
++ * 
++ * Return 0 on success, -1 if no unused UIDs are available.
++ */
++int find_new_sub_uids (const char *owner,
++		       uid_t *range_start, unsigned long *range_count)
++{
++	unsigned long min, max;
++	unsigned long count;
++	uid_t start;
++
++	assert (range_start != NULL);
++	assert (range_count != NULL);
++
++	min = getdef_ulong ("SUB_UID_MIN", 100000UL);
++	max = getdef_ulong ("SUB_UID_MAX", 600100000UL);
++	count = getdef_ulong ("SUB_UID_COUNT", 10000);
++
++	/* Is there a preferred range that works? */
++	if ((*range_count != 0) &&
++	    (*range_start >= min) &&
++	    (((*range_start) + (*range_count) - 1) <= max) &&
++	    is_sub_uid_range_free(*range_start, *range_count)) {
++		return 0;
++	}
++
++	if (max < (min + count)) {
++		(void) fprintf (stderr,
++				_("%s: Invalid configuration: SUB_UID_MIN (%lu), SUB_UID_MAX (%lu)\n"),
++			Prog, min, max);
++		return -1;
++	}
++	start = sub_uid_find_free_range(min, max, count);
++	if (start == (uid_t)-1) {
++		fprintf (stderr,
++		         _("%s: Can't get unique secondary UID range\n"),
++		         Prog);
++		SYSLOG ((LOG_WARN, "no more available secondary UIDs on the system"));
++		return -1;
++	}
++	*range_start = start;
++	*range_count = count;
++	return 0;
++}
++

debian/patches/userns/06_userns_userdel

@@ -0,0 +1,236 @@
+From ebiederm@xmission.com  Tue Jan 22 09:18:47 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id F2E6AC80F6; Tue, 22 Jan 2013 09:18:46 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 996B1C80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:18:42 +0000 (UTC)
+Received: from out03.mta.xmission.com ([166.70.13.233])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZyW-0008Bi-3X; Tue, 22 Jan 2013 02:17:00 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZyU-0005NA-Qm; Tue, 22 Jan 2013 02:16:59 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZyQ-0004qs-T1; Tue, 22 Jan 2013 02:16:58 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:16:51 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <878v7lr30c.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1/1l7dElNy9uNLAXx8eC28OMs/pxPM8NEo=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 06/11] userdel: Add support for removing subordinate user and group ids.
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2076                                        
+Status: O
+Content-Length: 5573
+Lines: 186
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ src/userdel.c |  115 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 115 insertions(+), 0 deletions(-)
+
+Index: shadow/src/userdel.c
+===================================================================
+--- shadow.orig/src/userdel.c	2013-02-01 15:27:52.380080367 -0600
++++ shadow/src/userdel.c	2013-02-01 15:27:52.372080367 -0600
+@@ -65,6 +65,7 @@
+ #endif				/* WITH_TCB */
+ /*@-exitarg@*/
+ #include "exitcodes.h"
++#include "subordinateio.h"
+ 
+ /*
+  * exit status values
+@@ -75,6 +76,8 @@
+ #define E_GRP_UPDATE	10	/* can't update group file */
+ #define E_HOMEDIR	12	/* can't remove home directory */
+ #define E_SE_UPDATE	14	/* can't update SELinux user mapping */
++#define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
++#define E_SUB_GID_UPDATE 18	/* can't update the subordinate gid file */
+ 
+ /*
+  * Global variables
+@@ -96,9 +99,13 @@
+ static bool is_shadow_grp;
+ static bool sgr_locked = false;
+ #endif				/* SHADOWGRP */
++static bool is_sub_uid;
++static bool is_sub_gid;
+ static bool pw_locked  = false;
+ static bool gr_locked   = false;
+ static bool spw_locked  = false;
++static bool sub_uid_locked = false;
++static bool sub_gid_locked = false;
+ 
+ /* local function prototypes */
+ static void usage (int status);
+@@ -437,6 +444,34 @@
+ 		sgr_locked = false;
+ 	}
+ #endif				/* SHADOWGRP */
++
++	if (is_sub_uid) {
++		if (sub_uid_close () == 0) {
++			fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ()));
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++		sub_uid_locked = false;
++	}
++
++	if (is_sub_gid) {
++		if (sub_gid_close () == 0) {
++			fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++		sub_gid_locked = false;
++	}
+ }
+ 
+ /*
+@@ -474,6 +509,20 @@
+ 		}
+ 	}
+ #endif				/* SHADOWGRP */
++	if (sub_uid_locked) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++	}
++	if (sub_gid_locked) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++	}
+ 
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_DEL_USER, Prog,
+@@ -595,6 +644,58 @@
+ 		}
+ 	}
+ #endif				/* SHADOWGRP */
++	if (is_sub_uid) {
++		if (sub_uid_lock () == 0) {
++			fprintf (stderr,
++				_("%s: cannot lock %s; try again later.\n"),
++				Prog, sub_uid_dbname ());
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_DEL_USER, Prog,
++				"locking subordinate user file",
++				user_name, (unsigned int) user_id,
++				SHADOW_AUDIT_FAILURE);
++#endif				/* WITH_AUDIT */
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++		sub_uid_locked = true;
++		if (sub_uid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++				_("%s: cannot open %s\n"), Prog, sub_uid_dbname ());
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_DEL_USER, Prog,
++				"opening subordinate user file",
++				user_name, (unsigned int) user_id,
++				SHADOW_AUDIT_FAILURE);
++#endif				/* WITH_AUDIT */
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++	}
++	if (is_sub_gid) {
++		if (sub_gid_lock () == 0) {
++			fprintf (stderr,
++				_("%s: cannot lock %s; try again later.\n"),
++				Prog, sub_gid_dbname ());
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_DEL_USER, Prog,
++				"locking subordinate group file",
++				user_name, (unsigned int) user_id,
++				SHADOW_AUDIT_FAILURE);
++#endif				/* WITH_AUDIT */
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++		sub_gid_locked = true;
++		if (sub_gid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++				_("%s: cannot open %s\n"), Prog, sub_gid_dbname ());
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_DEL_USER, Prog,
++				"opening subordinate group file",
++				user_name, (unsigned int) user_id,
++				SHADOW_AUDIT_FAILURE);
++#endif				/* WITH_AUDIT */
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++	}
+ }
+ 
+ /*
+@@ -619,6 +720,18 @@
+ 		         Prog, user_name, spw_dbname ());
+ 		fail_exit (E_PW_UPDATE);
+ 	}
++	if (is_sub_uid && sub_uid_remove(user_name, 0, ULONG_MAX) == 0) {
++		fprintf (stderr,
++			_("%s: cannot remove entry %lu from %s\n"),
++			Prog, (unsigned long)user_id, sub_uid_dbname ());
++		fail_exit (E_SUB_UID_UPDATE);
++	}
++	if (is_sub_gid && sub_gid_remove(user_name, 0, ULONG_MAX) == 0) {
++		fprintf (stderr,
++			_("%s: cannot remove entry %lu from %s\n"),
++			Prog, (unsigned long)user_id, sub_gid_dbname ());
++		fail_exit (E_SUB_GID_UPDATE);
++	}
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_DEL_USER, Prog,
+ 	              "deleting user entries",
+@@ -966,6 +1079,8 @@
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif				/* SHADOWGRP */
++	is_sub_uid = sub_uid_file_present ();
++	is_sub_gid = sub_gid_file_present ();
+ 
+ 	/*
+ 	 * Start with a quick check to see if the user exists.

debian/patches/userns/07_userns_useradd

@@ -0,0 +1,285 @@
+From ebiederm@xmission.com  Tue Jan 22 09:19:29 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id 61652C80DB; Tue, 22 Jan 2013 09:19:29 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id E0ABBC80F4
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:19:23 +0000 (UTC)
+Received: from out03.mta.xmission.com ([166.70.13.233])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZzB-0008QG-Kq; Tue, 22 Jan 2013 02:17:41 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZz7-0005Ui-1H; Tue, 22 Jan 2013 02:17:37 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZz4-0004tF-BP; Tue, 22 Jan 2013 02:17:36 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:17:30 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <8738xtr2z9.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1/Jm5H2PcjgcLXEyKh9YL3DVs2WZBJhDB8=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 07/11] useradd: Add support for subordinate user identifiers
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2077                                                  
+Status: RO
+Content-Length: 6886
+Lines: 235
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ src/useradd.c |  141 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 140 insertions(+), 1 deletions(-)
+
+Index: shadow/src/useradd.c
+===================================================================
+--- shadow.orig/src/useradd.c	2013-02-01 15:27:52.668080362 -0600
++++ shadow/src/useradd.c	2013-02-01 15:27:52.660080362 -0600
+@@ -65,6 +65,7 @@
+ #include "sgroupio.h"
+ #endif
+ #include "shadowio.h"
++#include "subordinateio.h"
+ #ifdef WITH_TCB
+ #include "tcbfuncs.h"
+ #endif
+@@ -121,12 +122,20 @@
+ static bool is_shadow_grp;
+ static bool sgr_locked = false;
+ #endif
++static bool is_sub_uid = false;
++static bool is_sub_gid = false;
+ static bool pw_locked = false;
+ static bool gr_locked = false;
+ static bool spw_locked = false;
++static bool sub_uid_locked = false;
++static bool sub_gid_locked = false;
+ static char **user_groups;	/* NULL-terminated list */
+ static long sys_ngroups;
+ static bool do_grp_update = false;	/* group files need to be updated */
++static uid_t sub_uid_start;	/* New subordinate uid range */
++static unsigned long sub_uid_count;
++static gid_t sub_gid_start;	/* New subordinate gid range */
++static unsigned long sub_gid_count;
+ 
+ static bool
+     bflg = false,		/* new default root of home directory */
+@@ -168,6 +177,8 @@
+ #define E_GRP_UPDATE	10	/* can't update group file */
+ #define E_HOMEDIR	12	/* can't create home directory */
+ #define E_SE_UPDATE	14	/* can't update SELinux user mapping */
++#define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
++#define E_SUB_GID_UPDATE 18	/* can't update the subordinate gid file */
+ 
+ #define DGROUP			"GROUP="
+ #define DHOME			"HOME="
+@@ -268,6 +279,32 @@
+ 		}
+ 	}
+ #endif
++	if (sub_uid_locked) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++			              "unlocking subodinate user file",
++			              user_name, AUDIT_NO_ID,
++			              SHADOW_AUDIT_FAILURE);
++#endif
++			/* continue */
++		}
++	}
++	if (sub_gid_locked) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++			              "unlocking subodinate group file",
++			              user_name, AUDIT_NO_ID,
++			              SHADOW_AUDIT_FAILURE);
++#endif
++			/* continue */
++		}
++	}
+ 
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_ADD_USER, Prog,
+@@ -1379,6 +1416,18 @@
+ 		}
+ #endif
+ 	}
++	if (is_sub_uid  && (sub_uid_close () == 0)) {
++		fprintf (stderr,
++		         _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
++		SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ()));
++		fail_exit (E_SUB_UID_UPDATE);
++	}
++	if (is_sub_gid  && (sub_gid_close () == 0)) {
++		fprintf (stderr,
++		         _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ());
++		SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
++		fail_exit (E_SUB_GID_UPDATE);
++	}
+ 	if (is_shadow_pwd) {
+ 		if (spw_unlock () == 0) {
+ 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
+@@ -1433,6 +1482,34 @@
+ 		sgr_locked = false;
+ 	}
+ #endif
++	if (is_sub_uid) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++				"unlocking subordinate user file",
++				user_name, AUDIT_NO_ID,
++				SHADOW_AUDIT_FAILURE);
++#endif
++			/* continue */
++		}
++		sub_uid_locked = false;
++	}
++	if (is_sub_gid) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++				"unlocking subordinate group file",
++				user_name, AUDIT_NO_ID,
++				SHADOW_AUDIT_FAILURE);
++#endif
++			/* continue */
++		}
++		sub_gid_locked = false;
++	}
+ }
+ 
+ /*
+@@ -1487,6 +1564,36 @@
+ 		}
+ 	}
+ #endif
++	if (is_sub_uid) {
++		if (sub_uid_lock () == 0) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++		sub_uid_locked = true;
++		if (sub_uid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++	}
++	if (is_sub_gid) {
++		if (sub_gid_lock () == 0) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++		sub_gid_locked = true;
++		if (sub_gid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++	}
+ }
+ 
+ static void open_shadow (void)
+@@ -1733,13 +1840,27 @@
+ #endif
+ 		fail_exit (E_PW_UPDATE);
+ 	}
++	if (is_sub_uid &&
++	    (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
++		fprintf (stderr,
++		         _("%s: failed to prepare the new %s entry\n"),
++		         Prog, sub_uid_dbname ());
++		fail_exit (E_SUB_UID_UPDATE);
++	}
++	if (is_sub_gid &&
++	    (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
++		fprintf (stderr,
++		         _("%s: failed to prepare the new %s entry\n"),
++		         Prog, sub_uid_dbname ());
++		fail_exit (E_SUB_GID_UPDATE);
++	}
++
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_ADD_USER, Prog,
+ 	              "adding user",
+ 	              user_name, (unsigned int) user_id,
+ 	              SHADOW_AUDIT_SUCCESS);
+ #endif
+-
+ 	/*
+ 	 * Do any group file updates for this user.
+ 	 */
+@@ -1885,6 +2006,8 @@
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
++	is_sub_uid = sub_uid_file_present ();
++	is_sub_gid = sub_gid_file_present ();
+ 
+ 	get_defaults ();
+ 
+@@ -2035,6 +2158,22 @@
+ 		grp_add ();
+ 	}
+ 
++	if (is_sub_uid) {
++		if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
++			fprintf (stderr,
++				_("%s: can't find subordinate user range\n"),
++				Prog);
++			fail_exit(E_SUB_UID_UPDATE);
++		}
++	}
++	if (is_sub_gid) {
++		if (find_new_sub_gids(user_name, &sub_gid_start, &sub_gid_count) < 0) {
++			fprintf (stderr,
++				_("%s: can't find subordinate group range\n"),
++				Prog);
++			fail_exit(E_SUB_GID_UPDATE);
++		}
++	}
+ 	usr_update ();
+ 
+ 	if (mflg) {

debian/patches/userns/08_userns_detect_busy_subids

@@ -0,0 +1,133 @@
+From ebiederm@xmission.com  Tue Jan 22 09:19:49 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id E0EA3C80F4; Tue, 22 Jan 2013 09:19:49 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=-2.2 required=8.0 tests=BAD_ENC_HEADER,BAYES_00,
+	RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 1A2C7C80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:19:46 +0000 (UTC)
+Received: from out03.mta.xmission.com ([166.70.13.233])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZzX-00006D-G7; Tue, 22 Jan 2013 02:18:03 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZzV-0005Zh-Qq; Tue, 22 Jan 2013 02:18:02 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZzN-0004ul-H6; Tue, 22 Jan 2013 02:18:01 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:17:50 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87y5flpoe9.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1/ZWJZMWIVV2ekPIrRQjHLl4Oh/kdyWJUw=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 08/11] Add support for detecting busy subordinate user ids
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2078                                        
+Status: RO
+Content-Length: 2655
+Lines: 83
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ libmisc/user_busy.c |   18 +++++++++++++-----
+ 1 files changed, 13 insertions(+), 5 deletions(-)
+
+Index: shadow/libmisc/user_busy.c
+===================================================================
+--- shadow.orig/libmisc/user_busy.c	2013-02-01 15:27:52.952080357 -0600
++++ shadow/libmisc/user_busy.c	2013-02-01 15:27:52.948080357 -0600
+@@ -38,11 +38,13 @@
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <dirent.h>
++#include <fcntl.h>
+ #include "defines.h"
+ #include "prototypes.h"
++#include "subordinateio.h"
+ 
+ #ifdef __linux__
+-static int check_status (const char *sname, uid_t uid);
++static int check_status (const char *name, const char *sname, uid_t uid);
+ static int user_busy_processes (const char *name, uid_t uid);
+ #else				/* !__linux__ */
+ static int user_busy_utmp (const char *name);
+@@ -102,7 +104,7 @@
+ #endif				/* !__linux__ */
+ 
+ #ifdef __linux__
+-static int check_status (const char *sname, uid_t uid)
++static int check_status (const char *name, const char *sname, uid_t uid)
+ {
+ 	/* 40: /proc/xxxxxxxxxx/task/xxxxxxxxxx/status + \0 */
+ 	char status[40];
+@@ -125,7 +127,10 @@
+ 			            &ruid, &euid, &suid) == 3) {
+ 				if (   (ruid == (unsigned long) uid)
+ 				    || (euid == (unsigned long) uid)
+-				    || (suid == (unsigned long) uid)) {
++				    || (suid == (unsigned long) uid)
++				    || have_sub_uids(name, ruid, 1)
++				    || have_sub_uids(name, euid, 1)
++				    || have_sub_uids(name, suid, 1)) {
+ 					(void) fclose (sfile);
+ 					return 1;
+ 				}
+@@ -153,6 +158,8 @@
+ 	struct stat sbroot;
+ 	struct stat sbroot_process;
+ 
++	sub_uid_open (O_RDONLY);
++
+ 	proc = opendir ("/proc");
+ 	if (proc == NULL) {
+ 		perror ("opendir /proc");
+@@ -196,7 +203,7 @@
+ 			continue;
+ 		}
+ 
+-		if (check_status (tmp_d_name, uid) != 0) {
++		if (check_status (name, tmp_d_name, uid) != 0) {
+ 			(void) closedir (proc);
+ 			fprintf (stderr,
+ 			         _("%s: user %s is currently used by process %d\n"),
+@@ -216,7 +223,7 @@
+ 				if (tid == pid) {
+ 					continue;
+ 				}
+-				if (check_status (task_path+6, uid) != 0) {
++				if (check_status (name, task_path+6, uid) != 0) {
+ 					(void) closedir (proc);
+ 					fprintf (stderr,
+ 					         _("%s: user %s is currently used by process %d\n"),
+@@ -231,6 +238,7 @@
+ 	}
+ 
+ 	(void) closedir (proc);
++	sub_uid_close();
+ 	return 0;
+ }
+ #endif				/* __linux__ */

debian/patches/userns/09_userns_usermod

@@ -0,0 +1,536 @@
+From ebiederm@xmission.com  Tue Jan 22 09:20:27 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id 8625BC80F4; Tue, 22 Jan 2013 09:20:27 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 69CACC80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:20:23 +0000 (UTC)
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1Txa08-0000JL-Uo; Tue, 22 Jan 2013 02:18:41 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZzw-0004wm-8g; Tue, 22 Jan 2013 02:18:40 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:18:24 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87sj5tpodb.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1/EkNiL4owL54HOscHbdbK8RucFTofOBo8=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 09/11] usermod: Add support for subordinate uids and gids.
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2079                                        
+Status: O
+Content-Length: 15455
+Lines: 491
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ man/usermod.8.xml |   80 +++++++++++++++++
+ src/usermod.c     |  255 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 332 insertions(+), 3 deletions(-)
+
+Index: shadow/man/usermod.8.xml
+===================================================================
+--- shadow.orig/man/usermod.8.xml	2013-02-01 15:27:53.240080352 -0600
++++ shadow/man/usermod.8.xml	2013-02-01 15:27:53.232080353 -0600
+@@ -391,6 +391,86 @@
+       </varlistentry>
+       <varlistentry>
+ 	<term>
++	  <option>-v</option>, <option>--add-sub-uids</option>
++	  <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
++	</term>
++	<listitem>
++	  <para>
++	    Add a range of subordinate uids to the users account. 
++	  </para>
++	  <para>
++	    This option may be specified multiple times to add multiple ranges to a users account.
++	  </para>
++	  <para>
++	     No checks will be performed with regard to
++	     <option>SUB_UID_MIN</option>, <option>SUB_UID_MAX</option>, or
++	     <option>SUB_UID_COUNT</option> from /etc/login.defs.
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-V</option>, <option>--del-sub-uids</option>
++	  <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
++	</term>
++	<listitem>
++	  <para>
++	    Remove a range of subordinate uids from the users account.
++	  </para>
++	  <para>
++	    This option may be specified multiple times to remove multiple ranges to a users account.
++	    When both <option>--del-sub-uids</option> and <option>--add-sub-uids</option> are specified
++	    remove of all subordinate uid ranges happens before any subordinate uid ranges are added.
++	  </para>
++	  <para>
++	     No checks will be performed with regard to
++	     <option>SUB_UID_MIN</option>, <option>SUB_UID_MAX</option>, or
++	     <option>SUB_UID_COUNT</option> from /etc/login.defs.
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-w</option>, <option>--add-sub-gids</option>
++	  <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
++	</term>
++	<listitem>
++	  <para>
++	    Add a range of subordinate gids to the users account.
++	  </para>
++	  <para>
++	    This option may be specified multiple times to add multiple ranges to a users account.
++	  </para>
++	  <para>
++	     No checks will be performed with regard to
++	     <option>SUB_GID_MIN</option>, <option>SUB_GID_MAX</option>, or
++	     <option>SUB_GID_COUNT</option> from /etc/login.defs.
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-W</option>, <option>--del-sub-gids</option>
++	  <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
++	</term>
++	<listitem>
++	  <para>
++	    Remove a range of subordinate gids from the users account.
++	  </para>
++	  <para>
++	    This option may be specified multiple times to remove multiple ranges to a users account.
++	    When both <option>--del-sub-gids</option> and <option>--add-sub-gids</option> are specified
++	    remove of all subordinate gid ranges happens before any subordinate gid ranges are added.
++	  </para>
++	  <para>
++	     No checks will be performed with regard to
++	     <option>SUB_GID_MIN</option>, <option>SUB_GID_MAX</option>, or
++	     <option>SUB_GID_COUNT</option> from /etc/login.defs.
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
+ 	  <option>-Z</option>, <option>--selinux-user</option>
+ 	  <replaceable>SEUSER</replaceable>
+ 	</term>
+Index: shadow/src/usermod.c
+===================================================================
+--- shadow.orig/src/usermod.c	2013-02-01 15:27:53.240080352 -0600
++++ shadow/src/usermod.c	2013-02-01 15:27:53.236080353 -0600
+@@ -63,6 +63,7 @@
+ #include "sgroupio.h"
+ #endif
+ #include "shadowio.h"
++#include "subordinateio.h"
+ #ifdef WITH_TCB
+ #include "tcbfuncs.h"
+ #endif
+@@ -86,6 +87,8 @@
+ /* #define E_NOSPACE	11	   insufficient space to move home dir */
+ #define E_HOMEDIR	12	/* unable to complete home dir move */
+ #define E_SE_UPDATE	13	/* can't update SELinux user mapping */
++#define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
++#define E_SUB_GID_UPDATE 18	/* can't update the subordinate gid file */
+ #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
+ /*
+  * Global variables
+@@ -133,7 +136,11 @@
+     Zflg = false,		/* new selinux user */
+ #endif
+     uflg = false,		/* specify new user ID */
+-    Uflg = false;		/* unlock the password */
++    Uflg = false,		/* unlock the password */
++    vflg = false,		/*    add subordinate uids */
++    Vflg = false,		/* delete subordinate uids */
++    wflg = false,		/*    add subordinate gids */
++    Wflg = false;		/* delete subordinate gids */
+ 
+ static bool is_shadow_pwd;
+ 
+@@ -141,12 +148,17 @@
+ static bool is_shadow_grp;
+ #endif
+ 
++static bool is_sub_uid = false;
++static bool is_sub_gid = false;
++
+ static bool pw_locked  = false;
+ static bool spw_locked = false;
+ static bool gr_locked  = false;
+ #ifdef SHADOWGRP
+ static bool sgr_locked = false;
+ #endif
++static bool sub_uid_locked = false;
++static bool sub_gid_locked = false;
+ 
+ 
+ /* local function prototypes */
+@@ -302,6 +314,69 @@
+ 	return 0;
+ }
+ 
++struct ulong_range
++{
++	unsigned long first;
++	unsigned long last;
++};
++
++static struct ulong_range getulong_range(const char *str)
++{
++	struct ulong_range result = { .first = ULONG_MAX, .last = 0 };
++	unsigned long long first, last;
++	char *pos;
++
++	errno = 0;
++	first = strtoll(str, &pos, 10);
++	if (('\0' == *str) || ('-' != *pos ) || (ERANGE == errno) ||
++	    (first != (unsigned long int)first))
++		goto out;
++
++	errno = 0;
++	last = strtoul(pos + 1, &pos, 10);
++	if (('\0' != *pos ) || (ERANGE == errno) ||
++	    (last != (unsigned long int)last))
++		goto out;
++
++	if (first > last)
++		goto out;
++
++	result.first = (unsigned long int)first;
++	result.last = (unsigned long int)last;
++out:
++	return result;
++	
++}
++
++struct ulong_range_list_entry {
++	struct ulong_range_list_entry *next;
++	struct ulong_range range;
++};
++
++static struct ulong_range_list_entry *add_sub_uids = NULL, *del_sub_uids = NULL;
++static struct ulong_range_list_entry *add_sub_gids = NULL, *del_sub_gids = NULL;
++
++static int prepend_range(const char *str, struct ulong_range_list_entry **head)
++{
++	struct ulong_range range;
++	struct ulong_range_list_entry *entry;
++	range = getulong_range(str);
++	if (range.first > range.last)
++		return 0;
++
++	entry = malloc(sizeof(*entry));
++	if (!entry) {
++		fprintf (stderr,
++			_("%s: failed to allocate memory: %s\n"),
++			Prog, strerror (errno));
++		return 0;
++	}
++	entry->next = *head;
++	entry->range = range;
++	*head = entry;
++	return 1;
++}
++
+ /*
+  * usage - display usage message and exit
+  */
+@@ -334,6 +409,10 @@
+ 	(void) fputs (_("  -s, --shell SHELL             new login shell for the user account\n"), usageout);
+ 	(void) fputs (_("  -u, --uid UID                 new UID for the user account\n"), usageout);
+ 	(void) fputs (_("  -U, --unlock                  unlock the user account\n"), usageout);
++	(void) fputs (_("  -v, --add-subuids FIRST-LAST  add range of subordinate uids\n"), usageout);
++	(void) fputs (_("  -V, --del-subuids FIRST-LAST  remvoe range of subordinate uids\n"), usageout);
++	(void) fputs (_("  -w, --add-subgids FIRST-LAST  add range of subordinate gids\n"), usageout);
++	(void) fputs (_("  -W, --del-subgids FIRST-LAST  remvoe range of subordinate gids\n"), usageout);
+ #ifdef WITH_SELINUX
+ 	(void) fputs (_("  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account\n"), usageout);
+ #endif				/* WITH_SELINUX */
+@@ -590,6 +669,20 @@
+ 			/* continue */
+ 		}
+ 	}
++	if (sub_uid_locked) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++	}
++	if (sub_gid_locked) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++	}
+ 
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+@@ -889,6 +982,10 @@
+ 			{"shell",        required_argument, NULL, 's'},
+ 			{"uid",          required_argument, NULL, 'u'},
+ 			{"unlock",       no_argument,       NULL, 'U'},
++			{"add-subuids",  required_argument, NULL, 'v'},
++			{"del-subuids",  required_argument, NULL, 'V'},
++ 			{"add-subgids",  required_argument, NULL, 'w'},
++ 			{"del-subgids",  required_argument, NULL, 'W'},
+ #ifdef WITH_SELINUX
+ 			{"selinux-user", required_argument, NULL, 'Z'},
+ #endif				/* WITH_SELINUX */
+@@ -1018,6 +1115,41 @@
+ 			case 'U':
+ 				Uflg = true;
+ 				break;
++			case 'v':
++				if (prepend_range (optarg, &add_sub_uids) == 0) {
++					fprintf (stderr,
++						_("%s: invalid subordinate uid range '%s'\n"),
++						Prog, optarg);
++					exit(E_BAD_ARG);
++				}
++				vflg = true;
++				break;
++			case 'V':
++				if (prepend_range (optarg, &del_sub_uids) == 0) {
++					fprintf (stderr,
++						_("%s: invalid subordinate uid range '%s'\n"),
++						Prog, optarg);
++					exit(E_BAD_ARG);
++				}
++				Vflg = true;
++				break;
++			case 'w':
++				if (prepend_range (optarg, &add_sub_gids) == 0) {
++					fprintf (stderr,
++						_("%s: invalid subordinate gid range '%s'\n"),
++						Prog, optarg);
++					exit(E_BAD_ARG);
++				}
++				wflg = true;
++			case 'W':
++				if (prepend_range (optarg, &del_sub_gids) == 0) {
++					fprintf (stderr,
++						_("%s: invalid subordinate gid range '%s'\n"),
++						Prog, optarg);
++					exit(E_BAD_ARG);
++				}
++				Wflg = true;
++				break;
+ #ifdef WITH_SELINUX
+ 			case 'Z':
+ 				if (is_selinux_enabled () > 0) {
+@@ -1170,6 +1302,7 @@
+ 
+ 	if (!(Uflg || uflg || sflg || pflg || mflg || Lflg ||
+ 	      lflg || Gflg || gflg || fflg || eflg || dflg || cflg
++	      || vflg || Vflg || wflg || Wflg
+ #ifdef WITH_SELINUX
+ 	      || Zflg
+ #endif				/* WITH_SELINUX */
+@@ -1200,6 +1333,7 @@
+ 		         Prog, (unsigned long) user_newid);
+ 		exit (E_UID_IN_USE);
+ 	}
++
+ }
+ 
+ /*
+@@ -1248,6 +1382,10 @@
+ 				         sgr_dbname ()));
+ 				fail_exit (E_GRP_UPDATE);
+ 			}
++		}
++#endif
++#ifdef SHADOWGRP
++		if (is_shadow_grp) {
+ 			if (sgr_unlock () == 0) {
+ 				fprintf (stderr,
+ 				         _("%s: failed to unlock %s\n"),
+@@ -1296,6 +1434,33 @@
+ 	sgr_locked = false;
+ #endif
+ 
++	if (vflg || Vflg) {
++		if (!is_sub_uid || (sub_uid_close () == 0)) {
++			fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ()));
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++		if (!is_sub_uid || (sub_uid_unlock () == 0)) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++		sub_uid_locked = false;
++	}
++	if (wflg || Wflg) {
++		if (!is_sub_gid || (sub_gid_close () == 0)) {
++			fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++		if (!is_sub_gid || (sub_gid_unlock () == 0)) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++		sub_gid_locked = false;
++	}
++
+ 	/*
+ 	 * Close the DBM and/or flat files
+ 	 */
+@@ -1375,6 +1540,36 @@
+ 		}
+ #endif
+ 	}
++	if (vflg || Vflg) {
++		if (!is_sub_uid || (sub_uid_lock () == 0)) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++		sub_uid_locked = true;
++		if (!is_sub_uid || (sub_uid_open (O_RDWR) == 0)) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++	}
++	if (wflg || Wflg) {
++		if (!is_sub_gid || (sub_gid_lock () == 0)) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++		sub_gid_locked = true;
++		if (!is_sub_gid || (sub_gid_open (O_RDWR) == 0)) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++	}
+ }
+ 
+ /*
+@@ -1476,6 +1671,58 @@
+ 			fail_exit (E_PW_UPDATE);
+ 		}
+ 	}
++	if (Vflg) {
++		struct ulong_range_list_entry *ptr;
++		for (ptr = del_sub_uids; ptr != NULL; ptr = ptr->next) {
++			unsigned long count = ptr->range.last - ptr->range.first + 1;
++			if (sub_uid_remove(user_name, ptr->range.first, count) == 0) {
++				fprintf (stderr,
++					_("%s: failed to remove uid range %lu-%lu from '%s'\n"),
++					Prog, ptr->range.first, ptr->range.last, 
++					sub_uid_dbname ());
++				fail_exit (E_SUB_UID_UPDATE);
++			}
++		}
++	}
++	if (vflg) {
++		struct ulong_range_list_entry *ptr;
++		for (ptr = add_sub_uids; ptr != NULL; ptr = ptr->next) {
++			unsigned long count = ptr->range.last - ptr->range.first + 1;
++			if (sub_uid_add(user_name, ptr->range.first, count) == 0) {
++				fprintf (stderr,
++					_("%s: failed to add uid range %lu-%lu from '%s'\n"),
++					Prog, ptr->range.first, ptr->range.last, 
++					sub_uid_dbname ());
++				fail_exit (E_SUB_UID_UPDATE);
++			}
++		}
++	}
++	if (Wflg) {
++		struct ulong_range_list_entry *ptr;
++		for (ptr = del_sub_gids; ptr != NULL; ptr = ptr->next) {
++			unsigned long count = ptr->range.last - ptr->range.first + 1;
++			if (sub_gid_remove(user_name, ptr->range.first, count) == 0) {
++				fprintf (stderr,
++					_("%s: failed to remove gid range %lu-%lu from '%s'\n"),
++					Prog, ptr->range.first, ptr->range.last, 
++					sub_gid_dbname ());
++				fail_exit (E_SUB_GID_UPDATE);
++			}
++		}
++	}
++	if (wflg) {
++		struct ulong_range_list_entry *ptr;
++		for (ptr = add_sub_gids; ptr != NULL; ptr = ptr->next) {
++			unsigned long count = ptr->range.last - ptr->range.first + 1;
++			if (sub_gid_add(user_name, ptr->range.first, count) == 0) {
++				fprintf (stderr,
++					_("%s: failed to add gid range %lu-%lu from '%s'\n"),
++					Prog, ptr->range.first, ptr->range.last, 
++					sub_gid_dbname ());
++				fail_exit (E_SUB_GID_UPDATE);
++			}
++		}
++	}
+ }
+ 
+ /*
+@@ -1811,6 +2058,8 @@
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
++	is_sub_uid = sub_uid_file_present ();
++	is_sub_gid = sub_gid_file_present ();
+ 
+ 	process_flags (argc, argv);
+ 
+@@ -1818,7 +2067,7 @@
+ 	 * The home directory, the username and the user's UID should not
+ 	 * be changed while the user is logged in.
+ 	 */
+-	if (   (uflg || lflg || dflg)
++	if (   (uflg || lflg || dflg || Vflg || Wflg)
+ 	    && (user_busy (user_name, user_id) != 0)) {
+ 		exit (E_USER_BUSY);
+ 	}
+@@ -1871,7 +2120,7 @@
+ 	 */
+ 	open_files ();
+ 	if (   cflg || dflg || eflg || fflg || gflg || Lflg || lflg || pflg
+-	    || sflg || uflg || Uflg) {
++	    || sflg || uflg || Uflg || vflg || Vflg || wflg || Wflg) {
+ 		usr_update ();
+ 	}
+ 	if (Gflg || lflg) {

debian/patches/userns/10_userns_newusers

@@ -0,0 +1,256 @@
+From ebiederm@xmission.com  Tue Jan 22 09:21:21 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id ADE59C80F5; Tue, 22 Jan 2013 09:21:21 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=-2.2 required=8.0 tests=BAD_ENC_HEADER,BAYES_00,
+	RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id D56AEC80DB
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:21:17 +0000 (UTC)
+Received: from out03.mta.xmission.com ([166.70.13.233])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1Txa11-0000bo-MQ; Tue, 22 Jan 2013 02:19:35 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1Txa11-0005wx-1p; Tue, 22 Jan 2013 02:19:35 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1Txa0y-000519-2O; Tue, 22 Jan 2013 02:19:34 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:19:28 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87k3r5pobj.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1+qhualZ5pxk+DVqanIJA7JrJwlPXicL8c=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 10/11] newusers: Add support for assiging subordinate uids and gids.
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2080                                        
+Status: O
+Content-Length: 5597
+Lines: 206
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ src/newusers.c |  124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 124 insertions(+), 0 deletions(-)
+
+Index: shadow/src/newusers.c
+===================================================================
+--- shadow.orig/src/newusers.c	2013-02-01 15:27:53.548080347 -0600
++++ shadow/src/newusers.c	2013-02-01 15:27:53.540080347 -0600
+@@ -65,6 +65,7 @@
+ #include "pwio.h"
+ #include "sgroupio.h"
+ #include "shadowio.h"
++#include "subordinateio.h"
+ #include "chkname.h"
+ 
+ /*
+@@ -82,6 +83,8 @@
+ #endif				/* USE_SHA_CRYPT */
+ #endif				/* !USE_PAM */
+ 
++static bool is_sub_uid = false;
++static bool is_sub_gid = false;
+ static bool is_shadow;
+ #ifdef SHADOWGRP
+ static bool is_shadow_grp;
+@@ -90,6 +93,8 @@
+ static bool pw_locked = false;
+ static bool gr_locked = false;
+ static bool spw_locked = false;
++static bool sub_uid_locked = false;
++static bool sub_gid_locked = false;
+ 
+ /* local function prototypes */
+ static void usage (int status);
+@@ -178,6 +183,20 @@
+ 		}
+ 	}
+ #endif
++	if (sub_uid_locked) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++	}
++	if (sub_gid_locked) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++	}
+ 
+ 	exit (code);
+ }
+@@ -732,6 +751,24 @@
+ 		sgr_locked = true;
+ 	}
+ #endif
++	if (is_sub_uid) {
++		if (sub_uid_lock () == 0) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (EXIT_FAILURE);
++		}
++		sub_uid_locked = true;
++	}
++	if (is_sub_gid) {
++		if (sub_gid_lock () == 0) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (EXIT_FAILURE);
++		}
++		sub_gid_locked = true;
++	}
+ 
+ 	if (pw_open (O_RDWR) == 0) {
+ 		fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ());
+@@ -751,6 +788,22 @@
+ 		fail_exit (EXIT_FAILURE);
+ 	}
+ #endif
++	if (is_sub_uid) {
++		if (sub_uid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (EXIT_FAILURE);
++		}
++	}
++	if (is_sub_gid) {
++		if (sub_gid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (EXIT_FAILURE);
++		}
++	}
+ }
+ 
+ /*
+@@ -795,6 +848,19 @@
+ 		SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
+ 		fail_exit (EXIT_FAILURE);
+ 	}
++	if (is_sub_uid  && (sub_uid_close () == 0)) {
++		fprintf (stderr,
++		         _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
++		SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ()));
++		fail_exit (EXIT_FAILURE);
++	}
++	if (is_sub_gid  && (sub_gid_close () == 0)) {
++		fprintf (stderr,
++		         _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ());
++		SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
++		fail_exit (EXIT_FAILURE);
++	}
++
+ 	if (gr_unlock () == 0) {
+ 		fprintf (stderr,
+ 		         _("%s: failed to unlock %s\n"),
+@@ -823,6 +889,22 @@
+ 		sgr_locked = false;
+ 	}
+ #endif
++	if (is_sub_uid) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++		sub_uid_locked = false;
++	}
++	if (is_sub_gid) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++		sub_gid_locked = false;
++	}
+ }
+ 
+ int main (int argc, char **argv)
+@@ -864,6 +946,8 @@
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
++	is_sub_uid = sub_uid_file_present ();
++	is_sub_gid = sub_gid_file_present ();
+ 
+ 	open_files ();
+ 
+@@ -1044,6 +1128,46 @@
+ 			errors++;
+ 			continue;
+ 		}
++
++		/*
++		 * Add subordinate uids if the user does not have them.
++		 */
++		if (is_sub_uid && !sub_uid_assigned(fields[0])) {
++			uid_t sub_uid_start = 0;
++			unsigned long sub_uid_count = 0;
++			if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) {
++				if (sub_uid_add(fields[0], sub_uid_start, sub_uid_count) == 0) {
++					fprintf (stderr,
++						_("%s: failed to prepare new %s entry\n"),
++						Prog, sub_uid_dbname ());
++				}
++			} else {
++				fprintf (stderr,
++					_("%s: can't find subordinate user range\n"),
++					Prog);
++				errors++;
++			}
++		}
++	
++		/*
++		 * Add subordinate gids if the user does not have them.
++		 */
++		if (is_sub_gid && !sub_gid_assigned(fields[0])) {
++			gid_t sub_gid_start = 0;
++			unsigned long sub_gid_count = 0;
++			if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {
++				if (sub_gid_add(fields[0], sub_gid_start, sub_gid_count) == 0) {
++					fprintf (stderr,
++						_("%s: failed to prepare new %s entry\n"),
++						Prog, sub_uid_dbname ());
++				}
++			} else {
++				fprintf (stderr,
++					_("%s: can't find subordinate group range\n"),
++					Prog);
++				errors++;
++			}
++		}
+ 	}
+ 
+ 	/*

debian/patches/userns/12_userns_selinuxlibs

@@ -0,0 +1,13 @@
+Index: shadow-4.1.5.1/src/Makefile.am
+===================================================================
+--- shadow-4.1.5.1.orig/src/Makefile.am	2013-02-04 11:56:40.485335430 -0600
++++ shadow-4.1.5.1/src/Makefile.am	2013-02-04 11:57:49.525334261 -0600
+@@ -80,6 +80,8 @@
+ endif
+ 
+ chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++newuidmap_LDADD    = $(LDADD) $(LIBSELINUX)
++newgidmap_LDADD    = $(LDADD) $(LIBSELINUX)
+ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)

debian/patches/userns/13_subordinate_parse_static_buf

@@ -0,0 +1,23 @@
+Description: subordinateio: Fix subordinate_parse to have an internal static buffer
+ subordinate_parse is supposed to return a static structure that
+ represents one line in /etc/subuid or /etc/subgid.  I goofed and
+ failed to make the variable rangebuf that holds the username of
+ in the returned structure static.
+ .
+ Add this missing static specification.
+Author: <Eric W. Biederman" <ebiederm@xmission.com>
+Origin: upstream
+Forwarded: no
+Index: shadow-4.1.5.1/lib/subordinateio.c
+===================================================================
+--- shadow-4.1.5.1.orig/lib/subordinateio.c	2013-02-04 11:56:40.265335433 -0600
++++ shadow-4.1.5.1/lib/subordinateio.c	2013-02-04 12:32:46.653298752 -0600
+@@ -48,7 +48,7 @@
+ static void *subordinate_parse (const char *line)
+ {
+ 	static struct subordinate_range range;
+-	char rangebuf[1024];
++	static char rangebuf[1024];
+ 	int i;
+ 	char *cp;
+ 	char *fields[NFIELDS];

debian/patches/userns/14_fix_getopt

@@ -0,0 +1,24 @@
+Index: shadow-userns/src/usermod.c
+===================================================================
+--- shadow-userns.orig/src/usermod.c	2013-02-05 16:35:10.608485591 +0000
++++ shadow-userns/src/usermod.c	2013-02-05 17:16:20.540485591 +0000
+@@ -993,9 +993,9 @@
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+-			                 "ac:d:e:f:g:G:hl:Lmop:R:s:u:UZ:",
++			                 "ac:d:e:f:g:G:hl:Lmop:R:s:u:UZ:v:w:V:W:",
+ #else				/* !WITH_SELINUX */
+-			                 "ac:d:e:f:g:G:hl:Lmop:R:s:u:U",
++			                 "ac:d:e:f:g:G:hl:Lmop:R:s:u:Uv:w:V:W:",
+ #endif				/* !WITH_SELINUX */
+ 			                 long_options, NULL)) != -1) {
+ 			switch (c) {
+@@ -1141,6 +1141,7 @@
+ 					exit(E_BAD_ARG);
+ 				}
+ 				wflg = true;
++                break;
+ 			case 'W':
+ 				if (prepend_range (optarg, &del_sub_gids) == 0) {
+ 					fprintf (stderr,

debian/patches/userns/16_add-argument-sanity-checking.patch

@@ -0,0 +1,80 @@
+From df3c8c1f7f47ceff607595067458f1d8e53eaab8 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge.hallyn@ubuntu.com>
+Date: Fri, 21 Jun 2013 11:47:36 -0500
+Subject: [PATCH 1/1] userns: add argument sanity checking
+
+In find_new_sub_{u,g}ids, check for min, count and max values.
+
+In idmapping.c:get_map_ranges(), make sure that the value passed
+in for ranges did not overflow.  Couldn't happen with the current
+code, but this is a sanity check for any future potential mis-uses.
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+---
+ libmisc/find_new_sub_gids.c |  8 ++++++++
+ libmisc/find_new_sub_uids.c |  8 ++++++++
+ libmisc/idmapping.c         | 10 ++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/libmisc/find_new_sub_gids.c b/libmisc/find_new_sub_gids.c
+index 68046ac..fd44978 100644
+--- a/libmisc/find_new_sub_gids.c
++++ b/libmisc/find_new_sub_gids.c
+@@ -58,6 +58,14 @@ int find_new_sub_gids (const char *owner,
+ 	max = getdef_ulong ("SUB_GID_MAX", 600100000UL);
+ 	count = getdef_ulong ("SUB_GID_COUNT", 10000);
+ 
++	if (min >= max || count >= max || (min + count) >= max) {
++		(void) fprintf (stderr,
++				_("%s: Invalid configuration: SUB_GID_MIN (%lu),"
++				  " SUB_GID_MAX (%lu), SUB_GID_COUNT (%lu)\n"),
++			Prog, min, max, count);
++		return -1;
++	}
++
+ 	/* Is there a preferred range that works? */
+ 	if ((*range_count != 0) &&
+ 	    (*range_start >= min) &&
+diff --git a/libmisc/find_new_sub_uids.c b/libmisc/find_new_sub_uids.c
+index f1720f9..b608c59 100644
+--- a/libmisc/find_new_sub_uids.c
++++ b/libmisc/find_new_sub_uids.c
+@@ -58,6 +58,14 @@ int find_new_sub_uids (const char *owner,
+ 	max = getdef_ulong ("SUB_UID_MAX", 600100000UL);
+ 	count = getdef_ulong ("SUB_UID_COUNT", 10000);
+ 
++	if (min >= max || count >= max || (min + count) >= max) {
++		(void) fprintf (stderr,
++				_("%s: Invalid configuration: SUB_UID_MIN (%lu),"
++				  " SUB_UID_MAX (%lu), SUB_UID_COUNT (%lu)\n"),
++			Prog, min, max, count);
++		return -1;
++	}
++
+ 	/* Is there a preferred range that works? */
+ 	if ((*range_count != 0) &&
+ 	    (*range_start >= min) &&
+diff --git a/libmisc/idmapping.c b/libmisc/idmapping.c
+index cb9e898..4147796 100644
+--- a/libmisc/idmapping.c
++++ b/libmisc/idmapping.c
+@@ -41,6 +41,16 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
+ 	struct map_range *mappings, *mapping;
+ 	int idx, argidx;
+ 
++	if (ranges < 0 || argc < 0) {
++		fprintf(stderr, "%s: error calculating number of arguments\n", Prog);
++		return NULL;
++	}
++
++	if (ranges != ((argc - 2) + 2) / 3) {
++		fprintf(stderr, "%s: ranges: %u is wrong for argc: %d\n", Prog, ranges, argc);
++		return NULL;
++	}
++
+ 	if ((ranges * 3) > argc) {
+ 		fprintf(stderr, "ranges: %u argc: %d\n",
+ 			ranges, argc);
+-- 
+1.8.1.2
+

debian/patches/userns/manpagetypo

@@ -0,0 +1,26 @@
+Index: shadow/man/subgid.5.xml
+===================================================================
+--- shadow.orig/man/subgid.5.xml	2013-03-06 15:19:23.848386200 -0600
++++ shadow/man/subgid.5.xml	2013-03-06 15:19:51.240386816 -0600
+@@ -104,7 +104,7 @@
+ 	<refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+-	<refentrytitle>logindefs</refentrytitle><manvolnum>5</manvolnum>
++	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+ 	<refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
+Index: shadow/man/subuid.5.xml
+===================================================================
+--- shadow.orig/man/subuid.5.xml	2013-03-06 15:19:09.660385881 -0600
++++ shadow/man/subuid.5.xml	2013-03-06 15:19:44.956386675 -0600
+@@ -104,7 +104,7 @@
+ 	<refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+-	<refentrytitle>logindefs</refentrytitle><manvolnum>5</manvolnum>
++	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+ 	<refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>