Hmm, no discussion about this one. Is pam_namespace
maintainer here?
Jan Kasprzak wrote:
: I propose that the namespace.conf syntax should be changed
: - the <prefix> parameter should be changed to contain the whole
: directory name (not only a prefix), and another variables (besides
: $USER and $HOME) should be implemented (such as $CONTEXT, $CONTEXT_MD5
: and $LEVEL). This way user will be able to specify the security context
: to be added even somewhere else than the end of the directory name, etc.
:
: Maybe for backward compatibility we can add it as another
: polyinstantiation method - say - "static", indicating that the directory
: name should be constructed from the second parameter as a whole, not as
: a prefix.
I have found that this part (a new method which does not add anything
to the <prefix> path and relies solely on the $USER and $HOME variable
expansion, is pretty straightforward. Patch attached, please review and
consider including in further releases.
Thanks,
-Yenya
--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.static 2007-09-26 15:27:36.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-09-26 15:33:30.000000000 +0200
@@ -266,6 +266,9 @@
#endif
+ if (strcmp(method, "static") == 0)
+ poly.method = STATIC;
+
if ( poly.method == NONE) {
pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
goto skipping;
@@ -603,6 +606,10 @@
goto fail;
}
break;
+ case STATIC:
+ if ((*i_name = strdup("")) == NULL)
+ goto fail;
+ break;
#ifdef WITH_SELINUX
case LEVEL:
--- Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.conf.5.xml.static 2007-09-26 16:45:40.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.conf.5.xml 2007-09-26 16:51:41.000000000 +0200
@@ -71,10 +71,13 @@
<para>
The third field, <replaceable>method</replaceable>, is the method
- used for polyinstantiation. It can take 3 different values; "user"
+ used for polyinstantiation. It can take 4 different values; "user"
for polyinstantiation based on user name, "level" for
- polyinstantiation based on process MLS level and user name, and "context" for
- polyinstantiation based on process security context and user name
+ polyinstantiation based on process MLS level and user name, "context" for
+ polyinstantiation based on process security context and user name,
+ and "static" which uses the <instance_prefix> without adding
+ anything to it - this method relies solely on the $HOME and $USER
+ variables expansion.
Methods "context" and "level" are only available with SELinux. This
field cannot be blank.
</para>
@@ -124,6 +127,7 @@
/tmp /tmp-inst/ level root,adm
/var/tmp /var/tmp/tmp-inst/ level root,adm
$HOME $HOME/$USER.inst/inst- context
+ /myapp $HOME/myapp static root
</literallayout>
<para>
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
> So at least in some cases, I think we should "default to stupid, <
> but give users rope". --Linus Torvalds <
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
