pam_namespace: secure tmp-inst directories

When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
creates subdirectories with fixed name tmp-inst. These paths should be
secured as early as possible to avoid that somehow these directories
could created and controlled by for example a malicious user or
service.

Ship a systemd service, which creates the directories early in
boot sequence with correct permissions and ownership.

Closes #111.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

1 files changed, 4 insertions, 1 deletions

diff --git a/modules/pam_namespace/namespace.conf b/modules/pam_namespace/namespace.conf
index b611a0f2..75ec6193 100644
--- a/modules/pam_namespace/namespace.conf
+++ b/modules/pam_namespace/namespace.conf
@@ -21,7 +21,10 @@
 # is explicitly called with an argument to ignore the mode of the
 # instance parent. System administrators should use this argument with
 # caution, as it will reduce security and isolation achieved by
-# polyinstantiation.
+# polyinstantiation. The parent directories (except $HOME) are created
+# at boot by pam_namespace_helper, but in a live system, system
+# administrators should create the parent directories before enabling
+# them here.
 #
 #/tmp     /tmp-inst/       	level      root,adm
 #/var/tmp /var/tmp/tmp-inst/   	level      root,adm