In Incus, we need to rely on `translate-uid` and `translate-gid` to restrict exactly what UID/GID may be used by the guest. This is security critical on our end as this not working correctly may lead to an untrusted user on the machine being able to use a VM with a shared path to gain full root privileges on the host. Here is my initial approach when trying to provide an environment in which only uid/gid 1000 and 2000 were allowed: ``` --translate-gid=forbid-guest:0:999 --translate-gid=map:1000:1000:1 --translate-gid=forbid-guest:1001:1999 --translate-gid=map:2000:2000:1 --translate-gid=forbid-guest:2001:4294967295 --translate-uid=forbid-guest:0:999 --translate-uid=map:1000:1000:1 --translate-uid=forbid-guest:1001:1999 --translate-uid=map:2000:2000:1 --translate-uid=forbid-guest:2001:4294967295 ``` While this seems to line up with the description in the help, this failed with: ``` [2025-02-25T19:46:05Z ERROR virtiofsd] Failed to create internal filesystem representation: UID map: forbid-guest:1001:1999: Guest-to-host mapping 'fail [1001, 3000)' intersects previously added entry ``` Instead, I had to use this one to get it to work: ``` --translate-gid=forbid-guest:0:1000 --translate-gid=map:1000:1000:1 --translate-gid=forbid-guest:1001:999 --translate-gid=map:2000:2000:1 --translate-gid=forbid-guest:2001:4294965294 --translate-uid=forbid-guest:0:1000 --translate-uid=map:1000:1000:1 --translate-uid=forbid-guest:1001:999 --translate-uid=map:2000:2000:1 --translate-uid=forbid-guest:2001:4294965294 ``` Basically what seems to be going on is that the second argument of `forbid-guest` is a count, not the end of a range. That's despite the help saying: ``` - 'forbid-guest': Forbid guest UIDs in the given range: Return an error to the guest whenever it tries to create a file with such a UID or make a file have such a UID ``` `range` here along with the fact that `forbid-guest` only takes two arguments rather than 3 would strongly suggest that it takes a start and end. When in fact it's taking a start and count. Anyway, I think the fix for this is likely just a small change to the help message to make it clear that `forbid-guest` takes two values, not three like the rest of them and that the syntax is therefore `forbid-guest:<base>:<count>`. Fixing this should also avoid anyone else deciding to "fix" things by aligning the implementation of `forbid-guest` with its current help message as changing it to actually do `forbid-guest:<start>:<end>` would instantly cause a severe security issue for anyone using it the same way we are in Incus.