SUBGID(5) File Formats and Configuration SUBGID(5)

subgid - the configuration for subordinate group ids

Subgid authorizes a group id to map ranges of group ids from its namespace into child namespaces.

The delegation of the subordinate gids can be configured via the subid field in /etc/nsswitch.conf file. Only one value can be set as the delegation source. Setting this field to files configures the delegation of gids to /etc/subgid. Setting any other value treats the delegation as a plugin following with a name of the form libsubid_$value.so. If the value or plugin is missing, then the subordinate gid delegation falls back to files.

Note, that groupadd will only create entries in /etc/subgid if subid delegation is managed via subid files.

Each line in /etc/subgid contains a user name and a range of subordinate group ids that user is allowed to use. This is specified with three fields delimited by colons (“:”). These fields are:

•login name or UID
•numerical subordinate group ID
•numerical subordinate group ID count

This file specifies the group IDs that ordinary users can use, with the newgidmap command, to configure gid mapping in a user namespace.

Multiple ranges may be specified per user.

When large number of entries (10000-100000 or more) are defined in /etc/subgid, parsing performance penalty will become noticeable. In this case it is recommended to use UIDs instead of login names. Benchmarks have shown speed-ups up to 20x.

/etc/subgid

Per user subordinate group IDs.

/etc/subgid-

Backup file for /etc/subgid.

login.defs(5), newgidmap(1), newuidmap(1), newusers(8), subuid(5), useradd(8), userdel(8), usermod(8), user_namespaces(7).

01/02/2022 shadow-utils 4.11.1