[patch] New method "static" for pam_namespace

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



	Hmm, no discussion about this one. Is pam_namespace
maintainer here?

Jan Kasprzak wrote:
: 	I propose that the namespace.conf syntax should be changed
: - the <prefix> parameter should be changed to contain the whole
: directory name (not only a prefix), and another variables (besides
: $USER and $HOME) should be implemented (such as $CONTEXT, $CONTEXT_MD5
: and $LEVEL). This way user will be able to specify the security context
: to be added even somewhere else than the end of the directory name, etc.
: 
: 	Maybe for backward compatibility we can add it as another
: polyinstantiation method - say - "static", indicating that the directory
: name should be constructed from the second parameter as a whole, not as
: a prefix.

	I have found that this part (a new method which does not add anything
to the <prefix> path and relies solely on the $USER and $HOME variable
expansion, is pretty straightforward. Patch attached, please review and
consider including in further releases.

	Thanks,

-Yenya

--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.static	2007-09-26 15:27:36.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c	2007-09-26 15:33:30.000000000 +0200
@@ -266,6 +266,9 @@
 
 #endif
 
+    if (strcmp(method, "static") == 0)
+	poly.method = STATIC;
+
     if ( poly.method == NONE) {
         pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
         goto skipping;
@@ -603,6 +606,10 @@
 		goto fail;
 	    }	    
     	    break;
+        case STATIC:
+	    if ((*i_name = strdup("")) == NULL)
+		goto fail;
+	    break;
 
 #ifdef WITH_SELINUX
     	case LEVEL:
--- Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.conf.5.xml.static	2007-09-26 16:45:40.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.conf.5.xml	2007-09-26 16:51:41.000000000 +0200
@@ -71,10 +71,13 @@
 
     <para>
       The third field, <replaceable>method</replaceable>, is the method
-      used for polyinstantiation. It can take 3 different values; "user"
+      used for polyinstantiation. It can take 4 different values; "user"
       for polyinstantiation based on user name, "level" for 
-      polyinstantiation based on process MLS level and user name, and "context" for
-      polyinstantiation based on process security context and user name
+      polyinstantiation based on process MLS level and user name, "context" for
+      polyinstantiation based on process security context and user name,
+      and "static" which uses the &lt;instance_prefix&gt; without adding
+      anything to it - this method relies solely on the $HOME and $USER
+      variables expansion.
       Methods "context" and "level" are only available with SELinux. This
       field cannot be blank.
     </para>
@@ -124,6 +127,7 @@
       /tmp     /tmp-inst/               level      root,adm
       /var/tmp /var/tmp/tmp-inst/   	level      root,adm
       $HOME    $HOME/$USER.inst/inst- context
+      /myapp   $HOME/myapp              static     root
     </literallayout>
 
     <para>

-- 
| Jan "Yenya" Kasprzak  <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839      Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/    Journal: http://www.fi.muni.cz/~kas/blog/ |
>     So at least in some cases, I think we should "default to stupid,     <
>     but give users rope".                           --Linus Torvalds     <

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux