suggestion: decouple unshare from mounting in pam_namespace

Tomas Mraz tmraz at redhat.com
Fri May 23 17:28:25 UTC 2008


On Fri, 2008-05-23 at 10:24 -0400, Louis-Dominique Dubeau wrote:
> Hello everyone,
> 
> I'm writing from the perspective of someone using Ubuntu 8.04.  The
> version of pam installed on my machine is 0.99.7.1-5ubuntu6.1.  However,
> based on inspecting the latest version of pam, I believe what I'm
> talking about applies to pam in general and not just the version shipped
> with Ubuntu 8.04.
> 
> I have a suggestion for a change to pam_namespace.  As it is currently
> coded, pam_namespace will make a call to unshare if and only if there
> are mounts declared in /etc/security/namespace.conf and those mounts
> apply to the session being established.  When pam_namespace determines
> that it must perform a mount operation, it performs two tasks:
> 
> 1. It makes a call to the unshare syscall to unshare filesystem
> namespaces.
> 
> 2. It performs the mounts as specified in /etc/security/namespace.conf.
> 
> I'm operating in a scenario where I do *not* want pam_namespace to
> perform automatic mounts for me but I *do* want the filesystem
> namespaces to be unshared.  (I.e. I want 1 above but I don't want 2.)
> 
> Yesterday, I quickly hacked something to get what I want. I've added a
> parameter "unshare" to pam_namespace which basically means "unshare the
> namespaces no matter what".  I'm attaching a patch against the version
> of pam mentioned above.  This is for *illustrative* purposes only.  I'm
> not pretending that this is the way a final solution should be
> implemented. 
> 
> Can this be implemented in some form?

It makes sense somewhat. But with the KISS principle in mind - when you
want just the unshare, why not create a new module called pam_unshare,
which would just call unshare and not do anything else? I think we could
accept such module into Linux-PAM.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
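Tomas's pam_unshare idea, sketched as an added example (my code, not Linux-PAM's, and the module name `pam_unshare` is only the one suggested above): a session module whose sole job is step 1 of what pam_namespace does, the `unshare(CLONE_NEWNS)` call, with the mounts of step 2 left entirely to whatever the session does afterwards. One step beyond "just call unshare" is added and labelled as such: marking the mount tree private, because on systems where `/` is a shared mount a freshly unshared namespace is still a propagation peer of the original and the isolation would be illusory. The namespace logic is kept in a plain function so it can be exercised without libpam; the PAM entry points compile only when the PAM development headers are present.

```c
/*
 * pam_unshare.c: a session module that does nothing except give the session
 * a private mount namespace. Added illustration, not Linux-PAM code; the
 * module name is an assumption.
 *
 * Build (needs the PAM development headers):
 *   gcc -shared -fPIC -o pam_unshare.so pam_unshare.c -lpam
 */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <syslog.h>
#include <unistd.h>

/* Identity of the calling process's mount namespace, e.g. "mnt:[4026531840]",
 * read from /proc/self/ns/mnt. Returns 0 on success, -errno on failure. */
int mount_namespace_id(char *buf, size_t len)
{
    ssize_t n = readlink("/proc/self/ns/mnt", buf, len - 1);
    if (n < 0)
        return -errno;
    buf[n] = '\0';
    return 0;
}

/* Step 1 of pam_namespace and nothing else: detach from the shared mount
 * namespace. Needs CAP_SYS_ADMIN, exactly like pam_namespace's own unshare.
 * The MS_REC|MS_PRIVATE call is an addition to "just call unshare": where /
 * is a shared mount (systemd boots do this), the new namespace would still
 * exchange mount events with the original one, so mounts made later in the
 * session would leak back out. Returns 0 on success, -errno on failure. */
int unshare_mount_namespace(void)
{
    if (unshare(CLONE_NEWNS) != 0)
        return -errno;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -errno;
    return 0;
}

/* PAM glue, compiled only when <security/pam_modules.h> is available. */
#if defined(__has_include)
# if __has_include(<security/pam_modules.h>)
#  define HAVE_PAM_HEADERS 1
# endif
#endif

#ifdef HAVE_PAM_HEADERS
#define PAM_SM_SESSION
#include <security/pam_modules.h>
#include <security/pam_ext.h>

PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
                                   int argc, const char **argv)
{
    int r;
    (void)flags; (void)argc; (void)argv;   /* no module options: KISS */

    r = unshare_mount_namespace();
    if (r != 0) {
        pam_syslog(pamh, LOG_ERR, "cannot unshare mount namespace: %s",
                   strerror(-r));
        return PAM_SESSION_ERR;   /* fail closed: no session without isolation */
    }
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags,
                                    int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;   /* the namespace goes away with the session's processes */
}
#endif
```

Stacked as `session required pam_unshare.so` ahead of any module that mounts, it gives each session its own mount namespace and leaves the mounting policy to the rest of the stack, which is the split Louis-Dominique asks for. Because `unshare(CLONE_NEWNS)` needs CAP_SYS_ADMIN, the function returns `-EPERM` when run unprivileged; the module treats that as a session failure rather than silently continuing in the shared namespace.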