suggestion: decouple unshare from mounting in pam_namespace
Tomas Mraz
tmraz at redhat.com
Fri May 23 17:28:25 UTC 2008
On Fri, 2008-05-23 at 10:24 -0400, Louis-Dominique Dubeau wrote:
> Hello everyone,
>
> I'm writing from the perspective of someone using Ubuntu 8.04. The
> version of pam installed on my machine is 0.99.7.1-5ubuntu6.1. However,
> based on inspecting the latest version of pam, I believe what I'm
> talking about applies to pam in general and not just the version shipped
> with Ubuntu 8.04.
>
> I have a suggestion for a change to pam_namespace. As it is currently
> coded, pam_namespace will make a call to unshare if and only if there
> are mounts declared in /etc/security/namespace.conf and those mounts
> apply to the session being established. When pam_namespace determines
> that it must perform a mount operation, it performs two tasks:
>
> 1. It makes a call to the unshare syscall to unshare filesystem
> namespaces.
>
> 2. It performs the mounts as specified in /etc/security/namespace.conf.
>
> I'm operating in a scenario where I do *not* want pam_namespace to
> perform automatic mounts for me but I *do* want the filesystem
> namespaces to be unshared. (I.e. I want 1 above but I don't want 2.)
>
> Yesterday, I quickly hacked something to get what I want. I've added a
> parameter "unshare" to pam_namespace which basically means "unshare the
> namespaces no matter what". I'm attaching a patch against the version
> of pam mentioned above. This is for *illustrative* purposes only. I'm
> not pretending that this is the way a final solution should be
> implemented.
>
> Can this be implemented in some form?
It makes sense somewhat. But with the KISS principle in mind - when you
want just the unshare, why not create a new module called pam_unshare,
which would just call unshare and not do anything else? I think we could
accept such module into Linux-PAM.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
More information about the Pam-list
mailing list