Hello everyone,

I'm writing from the perspective of someone using Ubuntu 8.04. The version of pam installed on my machine is 0.99.7.1-5ubuntu6.1. However, based on inspecting the latest version of pam, I believe what I'm talking about applies to pam in general and not just the version shipped with Ubuntu 8.04.

I have a suggestion for a change to pam_namespace. As it is currently coded, pam_namespace will make a call to unshare if and only if there are mounts declared in /etc/security/namespace.conf and those mounts apply to the session being established. When pam_namespace determines that it must perform a mount operation, it performs two tasks:

1. It makes a call to the unshare syscall to unshare filesystem namespaces.
2. It performs the mounts as specified in /etc/security/namespace.conf.

I'm operating in a scenario where I do *not* want pam_namespace to perform automatic mounts for me but I *do* want the filesystem namespaces to be unshared. (I.e. I want 1 above but I don't want 2.)

Yesterday, I quickly hacked something to get what I want. I've added a parameter "unshare" to pam_namespace which basically means "unshare the namespaces no matter what". I'm attaching a patch against the version of pam mentioned above. This is for *illustrative* purposes only. I'm not pretending that this is the way a final solution should be implemented.

Can this be implemented in some form?

Thanks,
Louis
diff -urN pam-0.99.7.1.orig/Linux-PAM/modules/pam_namespace/pam_namespace.c pam-0.99.7.1/Linux-PAM/modules/pam_namespace/pam_namespace.c --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_namespace/pam_namespace.c 2006-10-24 07:45:36.000000000 -0400 +++ pam-0.99.7.1/Linux-PAM/modules/pam_namespace/pam_namespace.c 2008-05-22 19:44:42.000000000 -0400 @@ -998,7 +998,8 @@ * disassociate from the parent namespace. */ if (need_poly) { - if (unshare(CLONE_NEWNS) < 0) { + /* But don't call if PAMNS_UNSHARE is set: we've already called. */ + if (!(idata->flags & PAMNS_UNSHARE) & (unshare(CLONE_NEWNS) < 0)) { pam_syslog(idata->pamh, LOG_ERR, "Unable to unshare from parent namespace, %m"); return PAM_SESSION_ERR; @@ -1172,6 +1173,8 @@ idata.flags |= PAMNS_IGN_CONFIG_ERR; if (strcmp(argv[i], "ignore_instance_parent_mode") == 0) idata.flags |= PAMNS_IGN_INST_PARENT_MODE; + if (strcmp(argv[i], "unshare") == 0) + idata.flags |= PAMNS_UNSHARE; if (strcmp(argv[i], "unmnt_remnt") == 0) unmnt = UNMNT_REMNT; if (strcmp(argv[i], "unmnt_only") == 0) @@ -1220,6 +1223,19 @@ return PAM_SESSION_ERR; } + + /* + * If polyinstnatiation is needed, call the unshare system call to + * disassociate from the parent namespace. + */ + if (idata.flags & PAMNS_UNSHARE) { + if (unshare(CLONE_NEWNS) < 0) { + pam_syslog(idata.pamh, LOG_ERR, + "Unable to unshare from parent namespace, %m"); + return PAM_SESSION_ERR; + } + } + if (idata.polydirs_ptr) { retval = setup_namespace(&idata, unmnt); if (idata.flags & PAMNS_DEBUG) { diff -urN pam-0.99.7.1.orig/Linux-PAM/modules/pam_namespace/pam_namespace.h pam-0.99.7.1/Linux-PAM/modules/pam_namespace/pam_namespace.h --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_namespace/pam_namespace.h 2006-07-28 07:59:28.000000000 -0400 +++ pam-0.99.7.1/Linux-PAM/modules/pam_namespace/pam_namespace.h 2008-05-22 19:37:04.000000000 -0400 
@@ -86,6 +86,7 @@ #define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */ #define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */ #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */ +#define PAMNS_UNSHARE 0x00010000 /* Ignore instance parent mode */ /* * Polyinstantiation method options, based on user, security context
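Review bot: in the first pam_namespace.c hunk (@@ -998,7 +998,8 @@) the new condition uses the bitwise `&` instead of the logical `&&`, so `unshare(CLONE_NEWNS)` is still evaluated even when PAMNS_UNSHARE is set, which contradicts the comment "we've already called" and detaches the session into a second nested mount namespace on every polyinstantiated session. Suggest `if (!(idata->flags & PAMNS_UNSHARE) && unshare(CLONE_NEWNS) < 0) {` so the syscall is short-circuited when the flag is set and its return value is only examined when it was actually made.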
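Review bot: the new `unshare` option added in the argument-parsing hunk (@@ -1172,6 +1173,8 @@) is not documented anywhere in the patch; the options visible alongside it (ignore_config_error, ignore_instance_parent_mode, unmnt_remnt, unmnt_only) are all described in the module documentation, and the same should be done for `unshare`, stating that it forces a CLONE_NEWNS unshare even when no entry in /etc/security/namespace.conf applies to the session.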
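Review bot: the block comment on the new unconditional unshare in the third hunk (@@ -1220,6 +1223,19 @@) is copied from the need_poly path and is wrong here ("If polyinstnatiation is needed", also misspelt): this call runs because the `unshare` option was given, regardless of whether polyinstantiation is needed, and the comment should say so. Consider also emitting a pam_syslog under `idata.flags & PAMNS_DEBUG`, as the surrounding code does, so an administrator can confirm from the log that the session was detached from the parent namespace even when setup_namespace is never entered.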
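Review bot: the comment on the new `#define PAMNS_UNSHARE 0x00010000` in pam_namespace.h is copy-pasted from the PAMNS_IGN_INST_PARENT_MODE line ("Ignore instance parent mode") and does not describe the flag; suggest `/* Always unshare, even with no polydirs */` or similar.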
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list