[patch] New method "static" for pam_namespace
Jan Kasprzak
kas at fi.muni.cz
Wed Sep 26 15:19:09 UTC 2007
Jan Kasprzak wrote:
: I have found that this part (a new method which does not add anything
: to the <prefix> path and relies solely on the $USER and $HOME variable
: expansion) is pretty straightforward. Patch attached, please review and
: consider including in further releases.
Oops, forgot to include the pam_namespace.h part of the patch.
New patch attached:
--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.static 2007-09-26 15:27:36.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-09-26 15:33:30.000000000 +0200
@@ -266,6 +266,9 @@
#endif
+ if (strcmp(method, "static") == 0)
+ poly.method = STATIC;
+
if ( poly.method == NONE) {
pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
goto skipping;
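Review bot: the new `strcmp(method, "static")` branch accepts the method without looking at the instance prefix, so an entry whose prefix contains neither $USER nor $HOME would resolve to one shared directory for every user. The man page text in this patch says the method relies solely on those expansions, so consider validating the prefix here and, when neither variable is present, logging with pam_syslog and taking the same `goto skipping;` path used for an illegal method.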
@@ -603,6 +606,10 @@
goto fail;
}
break;
+ case STATIC:
+ if ((*i_name = strdup("")) == NULL)
+ goto fail;
+ break;
#ifdef WITH_SELINUX
case LEVEL:
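Review bot: `case STATIC:` sets `*i_name` to `strdup("")` with no comment saying that the empty name is what makes the instance path equal to the expanded prefix; a one-line comment would save the next reader from guessing. It is also worth confirming that the code which later joins the prefix with `*i_name`, and anything that creates or checks the instance directory, behaves correctly when the name is empty, since this case exists specifically to produce one.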
--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.h.static 2007-09-26 17:17:14.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.h 2007-09-26 15:30:12.000000000 +0200
@@ -100,6 +100,7 @@
USER,
CONTEXT,
LEVEL,
+ STATIC,
};
/*
--- Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.conf.5.xml.static 2007-09-26 16:45:40.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.conf.5.xml 2007-09-26 17:18:21.000000000 +0200
@@ -71,10 +71,13 @@
<para>
The third field, <replaceable>method</replaceable>, is the method
- used for polyinstantiation. It can take 3 different values; "user"
+ used for polyinstantiation. It can take 4 different values; "user"
for polyinstantiation based on user name, "level" for
- polyinstantiation based on process MLS level and user name, and "context" for
- polyinstantiation based on process security context and user name
+ polyinstantiation based on process MLS level and user name, "context" for
+ polyinstantiation based on process security context and user name,
+ and "static" which uses the <instance_prefix> without adding
+ anything to it - this method relies solely on the $HOME and $USER
+ variables expansion.
Methods "context" and "level" are only available with SELinux. This
field cannot be blank.
</para>
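Review bot: the added line `and "static" which uses the <instance_prefix> without adding` puts a literal `<instance_prefix>` into a DocBook XML source, where it will be parsed as an unknown, unclosed element. Use `<replaceable>instance_prefix</replaceable>`, matching the `<replaceable>method</replaceable>` markup on the context line above. The paragraph could also state outright that a "static" entry whose prefix uses neither $HOME nor $USER gives all users the same directory.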
@@ -124,6 +127,7 @@
/tmp /tmp-inst/ level root,adm
/var/tmp /var/tmp/tmp-inst/ level root,adm
$HOME $HOME/$USER.inst/inst- context
+ /myapp $HOME/myapp static root
</literallayout>
<para>
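Review bot: the new example line `/myapp $HOME/myapp static root` is added without any accompanying explanation in the visible lines. A sentence after the layout saying that each user's /myapp is replaced by their own $HOME/myapp, that root is exempt, and whether the module creates $HOME/myapp or expects it to exist already would make the example usable on its own.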
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
> So at least in some cases, I think we should "default to stupid, <
> but give users rope". --Linus Torvalds <