suggestion: decouple unshare from mounting in pam_namespace
Louis-Dominique Dubeau
ldd at lddubeau.com
Fri May 23 14:24:40 UTC 2008
Hello everyone,
I'm writing from the perspective of someone using Ubuntu 8.04. The
version of pam installed on my machine is 0.99.7.1-5ubuntu6.1. However,
based on inspecting the latest version of pam, I believe what I'm
talking about applies to pam in general and not just the version shipped
with Ubuntu 8.04.
I have a suggestion for a change to pam_namespace. As it is currently
coded, pam_namespace will make a call to unshare if and only if there
are mounts declared in /etc/security/namespace.conf and those mounts
apply to the session being established. When pam_namespace determines
that it must perform a mount operation, it performs two tasks:
1. It makes a call to the unshare syscall to unshare filesystem
namespaces.
2. It performs the mounts as specified in /etc/security/namespace.conf.
I'm operating in a scenario where I do *not* want pam_namespace to
perform automatic mounts for me but I *do* want the filesystem
namespaces to be unshared. (I.e. I want 1 above but I don't want 2.)
Yesterday, I quickly hacked something to get what I want. I've added a
parameter "unshare" to pam_namespace which basically means "unshare the
namespaces no matter what". I'm attaching a patch against the version
of pam mentioned above. This is for *illustrative* purposes only. I'm
not pretending that this is the way a final solution should be
implemented.
Can this be implemented in some form?
Thanks,
Louis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_namespace_unshare.patch
Type: text/x-patch
Size: 2508 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pam-list/attachments/20080523/74bc2a5d/attachment.bin>
More information about the Pam-list
mailing list