Diffstat (limited to 'modules/pam_namespace')
-rw-r--r-- | modules/pam_namespace/Makefile.am | 6 | ||||
-rw-r--r-- | modules/pam_namespace/Makefile.in | 17 | ||||
-rw-r--r-- | modules/pam_namespace/README | 13 | ||||
-rw-r--r-- | modules/pam_namespace/README.xml | 37 | ||||
-rw-r--r-- | modules/pam_namespace/md5.c | 4 | ||||
-rw-r--r-- | modules/pam_namespace/namespace.conf.5 | 8 | ||||
-rw-r--r-- | modules/pam_namespace/namespace.conf.5.xml | 37 | ||||
-rwxr-xr-x | modules/pam_namespace/namespace.init | 2 | ||||
-rw-r--r-- | modules/pam_namespace/pam_namespace.8 | 30 | ||||
-rw-r--r-- | modules/pam_namespace/pam_namespace.8.xml | 111 | ||||
-rw-r--r-- | modules/pam_namespace/pam_namespace.c | 154 | ||||
-rw-r--r-- | modules/pam_namespace/pam_namespace.h | 18 | ||||
-rw-r--r-- | modules/pam_namespace/pam_namespace_helper.8 | 8 | ||||
-rw-r--r-- | modules/pam_namespace/pam_namespace_helper.8.xml | 21 |
14 files changed, 309 insertions, 157 deletions
diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index 47cc38e1..507beea7 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -16,12 +16,16 @@ dist_check_SCRIPTS = tst-pam_namespace TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif namespaceddir = $(SCONFIGDIR)/namespace.d servicedir = $(systemdunitdir) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map diff --git a/modules/pam_namespace/Makefile.in b/modules/pam_namespace/Makefile.in index e21c836d..8fc29dc1 100644 --- a/modules/pam_namespace/Makefile.in +++ b/modules/pam_namespace/Makefile.in @@ -441,6 +441,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -453,11 +454,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -489,12 +492,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ 
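Review bot: `namespaceddir` still resolves to `$(SCONFIGDIR)/namespace.d` while `secureconfdir` now moves to `$(VENDOR_SCONFIGDIR)` under HAVE_VENDORDIR, so with vendordir enabled namespace.conf and the drop-in directory are installed into different trees. If that is the intent (the /etc directory being the administrator's drop-in location, with vendor drop-ins read by the module from the vendor namespace.d as the README hunk describes), a comment on that line would save the next reader the question, e.g. `# namespace.d stays under $(SCONFIGDIR): administrator drop-ins; vendor drop-ins are read from $(VENDOR_SCONFIGDIR)/namespace.d`. The `-DSECURECONF_DIR` define is removed without a replacement `-D` in this hunk, so the `SCONFIGDIR` and `VENDOR_SCONFIGDIR` macros that pam_namespace.h now concatenates presumably come from config.h — nothing in this diff shows where. The remaining hunks on this line are in the generated Makefile.in and need no review.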
@@ -517,6 +522,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -527,12 +533,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -606,11 +616,12 @@ XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml pam_namespace_helper. dist_check_SCRIPTS = tst-pam_namespace TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) namespaceddir = $(SCONFIGDIR)/namespace.d servicedir = $(systemdunitdir) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) noinst_HEADERS = md5.h pam_namespace.h argv_parse.h diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README index 106a073a..c5a6ec4d 100644 --- a/modules/pam_namespace/README +++ b/modules/pam_namespace/README 
@@ -14,6 +14,9 @@ polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments. +If /etc/security/namespace.init does not exist, %vendordir%/security/ +namespace.init is the alternative to be used for it. + The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate @@ -117,6 +120,16 @@ The /etc/security/namespace.conf file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed. +The /etc/security/namespace.conf file ( or %vendordir%/security/namespace.conf +if it does not exist) specifies which directories are polyinstantiated, how +they are polyinstantiated, how instance directories would be named, and any +users for whom polyinstantiation would not be performed. Then individual *.conf +files from the /etc/security/namespace.d/ and %vendordir%/security/namespace.d +directories are taken too. If /etc/security/namespace.d/@filename@.conf exists, +then %vendordir%/security/namespace.d/@filename@.conf will not be used. All +namespace.d/*.conf files are sorted by their @filename@.conf in lexicographic +order regardless of which of the directories they reside in. + When someone logs in, the file namespace.conf is scanned. Comments are marked by # characters. Each non comment line represents one polyinstantiated directory. The fields are separated by spaces but can be quoted by " characters diff --git a/modules/pam_namespace/README.xml b/modules/pam_namespace/README.xml index 4ef99c9f..f94cb065 100644 --- a/modules/pam_namespace/README.xml +++ b/modules/pam_namespace/README.xml 
@@ -1,44 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamns SYSTEM "pam_namespace.8.xml"> ---> -<!-- -<!ENTITY nsconf SYSTEM "namespace.conf.5.xml"> ---> -]> - -<article> - - <articleinfo> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> + + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_namespace.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_namespace-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="namespace.conf.5.xml" xpointer='xpointer(id("namespace.conf-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="namespace.conf.5.xml" xpointer='xpointer(id("namespace.conf-examples")/*)'/> </section> 
-</article>
+</article>
\ No newline at end of file diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c index 22e41ee0..07ad9a02 100644 --- a/modules/pam_namespace/md5.c +++ b/modules/pam_namespace/md5.c @@ -21,6 +21,8 @@ #include "md5.h" #include <string.h> +#include "pam_inline.h" + #define MD5Name(x) x #ifdef WORDS_BIGENDIAN @@ -149,7 +151,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); byteReverse(ctx->buf.c, 4); memcpy(digest, ctx->buf.c, 16); - memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ + pam_overwrite_object(ctx); /* In case it's sensitive */ } /* The four core functions - F1 is optimized somewhat */ diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5 index ff122cbf..cf2509ca 100644 --- a/modules/pam_namespace/namespace.conf.5 +++ b/modules/pam_namespace/namespace.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: namespace.conf .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "NAMESPACE\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "NAMESPACE\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml index a94b49e2..d398639b 100644 --- a/modules/pam_namespace/namespace.conf.5.xml +++ b/modules/pam_namespace/namespace.conf.5.xml 
@@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="namespace.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="namespace.conf"> <refmeta> <refentrytitle>namespace.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -16,7 +13,7 @@ </refnamediv> - <refsect1 id='namespace.conf-description'> + <refsect1 xml:id="namespace.conf-description"> <title>DESCRIPTION</title> <para> 
@@ -30,13 +27,29 @@ directory path and the instance directory path as its arguments. </para> - <para> + <para condition="without_vendordir"> The <filename>/etc/security/namespace.conf</filename> file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed. </para> + <para condition="with_vendordir"> + The <filename>/etc/security/namespace.conf</filename> file + ( or <filename>%vendordir%/security/namespace.conf</filename> if it does + not exist) specifies which directories are polyinstantiated, how they are + polyinstantiated, how instance directories would be named, and any users + for whom polyinstantiation would not be performed. + Then individual <filename>*.conf</filename> files from the + <filename>/etc/security/namespace.d/</filename> and + <filename>%vendordir%/security/namespace.d</filename> directories are taken too. + If <filename>/etc/security/namespace.d/@filename@.conf</filename> exists, then + <filename>%vendordir%/security/namespace.d/@filename@.conf</filename> will not be used. + All <filename>namespace.d/*.conf</filename> files are sorted by their + <filename>@filename@.conf</filename> in lexicographic order regardless of which + of the directories they reside in. + </para> + <para> When someone logs in, the file <filename>namespace.conf</filename> is scanned. Comments are marked by <emphasis>#</emphasis> characters. @@ -159,7 +172,7 @@ </refsect1> - <refsect1 id="namespace.conf-examples"> + <refsect1 xml:id="namespace.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -204,7 +217,7 @@ </refsect1> - <refsect1 id="namespace.conf-see_also"> + <refsect1 xml:id="namespace.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>, 
@@ -213,11 +226,11 @@ </para> </refsect1> - <refsect1 id="namespace.conf-author"> + <refsect1 xml:id="namespace.conf-author"> <title>AUTHORS</title> <para> The namespace.conf manual page was written by Janak Desai <janak@us.ibm.com>. More features added by Tomas Mraz <tmraz@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init index 67d4aa2d..d9053a13 100755 --- a/modules/pam_namespace/namespace.init +++ b/modules/pam_namespace/namespace.init @@ -16,7 +16,7 @@ if [ "$3" = 1 ]; then cp -rT /etc/skel "$homedir" chown -R "$user":"$gid" "$homedir" mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs) - mode=$(printf "%o" $((0777 & ~$mask))) + mode=$(printf "%o" $((0777 & ~mask))) chmod ${mode:-700} "$homedir" [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" fi diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8 index d0afb6c6..3c9e9b39 100644 --- a/modules/pam_namespace/pam_namespace.8 +++ b/modules/pam_namespace/pam_namespace.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_namespace .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_NAMESPACE" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_NAMESPACE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
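Review bot: Dropping the `$` changes what happens when /etc/login.defs has no UMASK line: `mask` is then empty, and an empty name inside `$(( ))` evaluates to 0 in bash and dash, so `~mask` is -1 and the new home directory gets mode 777; the old `~$mask` form produced an arithmetic syntax error, an empty `mode`, and the `${mode:-700}` fallback on the next line, which this change turns into dead code. Give the mask the fallback instead, e.g. `mode=$(printf "%o" $((0777 & ~${mask:-077})))`, which keeps the 700 result for a missing UMASK and still avoids the unquoted expansion the change was removing. A UMASK value without a leading zero is read as decimal by the arithmetic, but that predates this change.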
@@ -41,57 +41,57 @@ exists, it is used to initialize the instance directory after it is set up and m The pam_namespace module disassociates the session namespace from the parent namespace\&. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\&. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\&. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\&.net/Articles/159077 and http://lwn\&.net/Articles/159092\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 A lot of debug information is logged using syslog .RE .PP -\fBunmnt_remnt\fR +unmnt_remnt .RS 4 For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\&. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\&. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context .RE .PP -\fBunmnt_only\fR +unmnt_only .RS 4 For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories .RE .PP -\fBrequire_selinux\fR +require_selinux .RS 4 If selinux is not enabled, return failure .RE .PP -\fBgen_hash\fR +gen_hash .RS 4 Instead of using the security context string for the instance name, generate and use its md5 hash\&. .RE .PP -\fBignore_config_error\fR +ignore_config_error .RS 4 If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\&. 
Without this option, pam will return an error to the calling program resulting in termination of the session\&. .RE .PP -\fBignore_instance_parent_mode\fR +ignore_instance_parent_mode .RS 4 Instance parent directories by default are expected to have the restrictive mode of 000\&. Using this option, an administrator can choose to ignore the mode of the instance parent\&. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\&. .RE .PP -\fBunmount_on_close\fR +unmount_on_close .RS 4 Explicitly unmount the polyinstantiated directories instead of relying on automatic namespace destruction after the last process in a namespace exits\&. This option should be used only in case it is ensured by other means that there cannot be any processes running in the private namespace left after the session close\&. It is also useful only in case there are multiple pam session calls in sequence from the same process\&. .RE .PP -\fBuse_current_context\fR +use_current_context .RS 4 Useful for services which do not change the SELinux context with setexeccon call\&. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\&. .RE .PP -\fBuse_default_context\fR +use_default_context .RS 4 Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\&. The module will use the default SELinux context of the user for the level and context polyinstantiation\&. .RE .PP -\fBmount_private\fR +mount_private .RS 4 This option can be used on systems where the / mount point or its submounts are made shared (for example with a \fBmount \-\-make\-rshared /\fR diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml index 57c44c4b..598037a4 100644 --- a/modules/pam_namespace/pam_namespace.8.xml +++ b/modules/pam_namespace/pam_namespace.8.xml 
@@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_namespace'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_namespace"> <refmeta> <refentrytitle>pam_namespace</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_namespace-name'> + <refnamediv xml:id="pam_namespace-name"> <refname>pam_namespace</refname> <refpurpose> PAM module for configuring namespace for a session 
@@ -20,46 +17,46 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_namespace-cmdsynopsis"> + <cmdsynopsis xml:id="pam_namespace-cmdsynopsis" sepchar=" "> <command>pam_namespace.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unmnt_remnt </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unmnt_only </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> require_selinux </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> gen_hash </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ignore_config_error </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ignore_instance_parent_mode </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unmount_on_close </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_current_context </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_default_context </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> mount_private </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_namespace-description"> + <refsect1 xml:id="pam_namespace-description"> <title>DESCRIPTION</title> <para> The pam_namespace PAM module sets up a private namespace for a session @@ -74,6 +71,12 @@ and the user name as its arguments. </para> + <para condition="with_vendordir"> + If <filename>/etc/security/namespace.init</filename> does not exist, + <filename>%vendordir%/security/namespace.init</filename> is the + alternative to be used for it. + </para> + <para> The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent @@ -88,13 +91,13 @@ </refsect1> - <refsect1 id="pam_namespace-options"> + <refsect1 xml:id="pam_namespace-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> 
@@ -105,7 +108,7 @@ <varlistentry> <term> - <option>unmnt_remnt</option> + unmnt_remnt </term> <listitem> <para> @@ -125,7 +128,7 @@ <varlistentry> <term> - <option>unmnt_only</option> + unmnt_only </term> <listitem> <para> @@ -140,7 +143,7 @@ <varlistentry> <term> - <option>require_selinux</option> + require_selinux </term> <listitem> <para> @@ -151,7 +154,7 @@ <varlistentry> <term> - <option>gen_hash</option> + gen_hash </term> <listitem> <para> @@ -164,7 +167,7 @@ <varlistentry> <term> - <option>ignore_config_error</option> + ignore_config_error </term> <listitem> <para> @@ -180,7 +183,7 @@ <varlistentry> <term> - <option>ignore_instance_parent_mode</option> + ignore_instance_parent_mode </term> <listitem> <para> @@ -195,7 +198,7 @@ <varlistentry> <term> - <option>unmount_on_close</option> + unmount_on_close </term> <listitem> <para> @@ -212,7 +215,7 @@ <varlistentry> <term> - <option>use_current_context</option> + use_current_context </term> <listitem> <para> @@ -226,7 +229,7 @@ <varlistentry> <term> - <option>use_default_context</option> + use_default_context </term> <listitem> <para> @@ -240,7 +243,7 @@ <varlistentry> <term> - <option>mount_private</option> + mount_private </term> <listitem> <para> @@ -265,7 +268,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_namespace-types"> + <refsect1 xml:id="pam_namespace-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. @@ -273,7 +276,7 @@ </para> </refsect1> - <refsect1 id="pam_namespace-return_values"> + <refsect1 xml:id="pam_namespace-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> 
@@ -303,33 +306,57 @@ </variablelist> </refsect1> - <refsect1 id="pam_namespace-files"> + <refsect1 xml:id="pam_namespace-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/namespace.conf</filename></term> + <term>/etc/security/namespace.conf</term> <listitem> <para>Main configuration file</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/namespace.conf</term> + <listitem> + <para>Default configuration file if + <filename>/etc/security/namespace.conf</filename> does not exist.</para> + </listitem> + </varlistentry> + <varlistentry> - <term><filename>/etc/security/namespace.d</filename></term> + <term>/etc/security/namespace.d</term> <listitem> <para>Directory for additional configuration files</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/namespace.d</term> + <listitem> + <para>Directory for additional vendor specific configuration files.</para> + </listitem> + </varlistentry> + <varlistentry> - <term><filename>/etc/security/namespace.init</filename></term> + <term>/etc/security/namespace.init</term> <listitem> <para>Init script for instance directories</para> </listitem> </varlistentry> + + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/namespace.init</term> + <listitem> + <para>Vendor init script for instance directories if + /etc/security/namespace.init does not exist. + </para> + </listitem> + </varlistentry> </variablelist> </refsect1> - <refsect1 id="pam_namespace-examples"> + <refsect1 xml:id="pam_namespace-examples"> <title>EXAMPLES</title> <para> @@ -349,7 +376,7 @@ </refsect1> - <refsect1 id="pam_namespace-see_also"> + <refsect1 xml:id="pam_namespace-see_also"> <title>SEE ALSO</title> <para> <citerefentry> 
@@ -367,7 +394,7 @@ </para> </refsect1> - <refsect1 id="pam_namespace-authors"> + <refsect1 xml:id="pam_namespace-authors"> <title>AUTHORS</title> <para> The namespace setup scheme was designed by Stephen Smalley, Janak Desai @@ -378,4 +405,4 @@ <tmraz@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 4d4188d0..f34ce934 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c 
@@ -39,6 +39,94 @@ #include "pam_namespace.h" #include "argv_parse.h" +/* --- evaluting all files in VENDORDIR/security/namespace.d and /etc/security/namespace.d --- */ +static const char *base_name(const char *path) +{ + const char *base = strrchr(path, '/'); + return base ? base+1 : path; +} + +static int +compare_filename(const void *a, const void *b) +{ + return strcmp(base_name(* (char * const *) a), + base_name(* (char * const *) b)); +} + +/* Evaluating a list of files which have to be parsed in the right order: + * + * - If etc/security/namespace.d/@filename@.conf exists, then + * %vendordir%/security/namespace.d/@filename@.conf should not be used. + * - All files in both namespace.d directories are sorted by their @filename@.conf in + * lexicographic order regardless of which of the directories they reside in. */ +static char **read_namespace_dir(struct instance_data *idata) +{ + glob_t globbuf; + size_t i=0; + int glob_rv = glob(NAMESPACE_D_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf); + char **file_list; + size_t file_list_size = glob_rv == 0 ? 
globbuf.gl_pathc : 0; + +#ifdef VENDOR_NAMESPACE_D_GLOB + glob_t globbuf_vendor; + int glob_rv_vendor = glob(VENDOR_NAMESPACE_D_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf_vendor); + if (glob_rv_vendor == 0) + file_list_size += globbuf_vendor.gl_pathc; +#endif + file_list = malloc((file_list_size + 1) * sizeof(char*)); + if (file_list == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Cannot allocate memory for file list: %m"); +#ifdef VENDOR_NAMESPACE_D_GLOB + if (glob_rv_vendor == 0) + globfree(&globbuf_vendor); +#endif + if (glob_rv == 0) + globfree(&globbuf); + return NULL; + } + + if (glob_rv == 0) { + for (i = 0; i < globbuf.gl_pathc; i++) { + file_list[i] = strdup(globbuf.gl_pathv[i]); + if (file_list[i] == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "strdup failed: %m"); + break; + } + } + } +#ifdef VENDOR_NAMESPACE_D_GLOB + if (glob_rv_vendor == 0) { + for (size_t j = 0; j < globbuf_vendor.gl_pathc; j++) { + if (glob_rv == 0 && globbuf.gl_pathc > 0) { + int double_found = 0; + for (size_t k = 0; k < globbuf.gl_pathc; k++) { + if (strcmp(base_name(globbuf.gl_pathv[k]), + base_name(globbuf_vendor.gl_pathv[j])) == 0) { + double_found = 1; + break; + } + } + if (double_found) + continue; + } + file_list[i] = strdup(globbuf_vendor.gl_pathv[j]); + if (file_list[i] == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "strdup failed: %m"); + break; + } + i++; + } + globfree(&globbuf_vendor); + } +#endif + file_list[i] = NULL; + qsort(file_list, i, sizeof(char *), compare_filename); + if (glob_rv == 0) + globfree(&globbuf); + + return file_list; +} + /* * Adds an entry for a polyinstantiated directory to the linked list of * polyinstantiated directories. It is called from process_line() while @@ -624,8 +712,6 @@ static int parse_config_file(struct instance_data *idata) char *line; int retval; size_t len = 0; - glob_t globbuf; - const char *oldlocale; size_t n; /* 
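Review bot: glob failures other than GLOB_NOMATCH are folded into "no files" in read_namespace_dir: `glob_rv` is only ever compared with 0, so GLOB_ABORTED (an unreadable namespace.d, which passing GLOB_ERR asks to be reported) or GLOB_NOSPACE yields an empty list and the session continues with fewer polyinstantiated directories than configured; `glob_rv_vendor` is treated the same way. A strdup failure in either copy loop only `break`s, so a truncated list is sorted and returned as if it were complete. For a module whose configuration decides isolation these should be errors: log, free what was built, and return NULL, which the caller in parse_config_file then has to treat as a failure (it currently treats NULL as an empty list). The rewritten parts are below; the vendor branch mirrors the first, and errno is not reliable after glob(), so no `%m` on that message.
```c
static char **read_namespace_dir(struct instance_data *idata)
{
	glob_t globbuf;
	size_t i=0;
	int glob_rv = glob(NAMESPACE_D_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf);
	/* GLOB_NOMATCH is the normal "no drop-ins" case; any other failure
	 * (GLOB_ABORTED from an unreadable directory, GLOB_NOSPACE) must not
	 * reach the caller looking like an empty configuration. */
	if (glob_rv != 0 && glob_rv != GLOB_NOMATCH) {
		pam_syslog(idata->pamh, LOG_ERR, "Cannot read %s", NAMESPACE_D_GLOB);
		return NULL;
	}
	/* … unchanged: vendor glob (same GLOB_NOMATCH distinction), size computation, malloc … */
	if (glob_rv == 0) {
		for (i = 0; i < globbuf.gl_pathc; i++) {
			file_list[i] = strdup(globbuf.gl_pathv[i]);
			if (file_list[i] == NULL) {
				pam_syslog(idata->pamh, LOG_ERR, "strdup failed: %m");
				goto fail;	/* was: break, which returned a truncated list as complete */
			}
		}
	}
	/* … unchanged: vendor loop, its strdup failure also taking `goto fail` … */
	/* … unchanged: NULL terminator, qsort, globfree, return file_list … */
fail:
	while (i > 0)
		free(file_list[--i]);
	free(file_list);
	if (glob_rv == 0)
		globfree(&globbuf);
	/* … vendor globbuf released the same way under #ifdef VENDOR_NAMESPACE_D_GLOB … */
	return NULL;
}
```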
@@ -664,13 +750,16 @@ static int parse_config_file(struct instance_data *idata) * process_line to process each line. */ - memset(&globbuf, '\0', sizeof(globbuf)); - oldlocale = setlocale(LC_COLLATE, "C"); - glob(NAMESPACE_D_GLOB, 0, NULL, &globbuf); - if (oldlocale != NULL) - setlocale(LC_COLLATE, oldlocale); - confname = PAM_NAMESPACE_CONFIG; +#ifdef VENDOR_PAM_NAMESPACE_CONFIG + /* Check whether PAM_NAMESPACE_CONFIG file is available. + * If it does not exist, fall back to VENDOR_PAM_NAMESPACE_CONFIG file. */ + struct stat buffer; + if (stat(confname, &buffer) != 0 && errno == ENOENT) { + confname = VENDOR_PAM_NAMESPACE_CONFIG; + } +#endif + char **filename_list = read_namespace_dir(idata); n = 0; for (;;) { if (idata->flags & PAMNS_DEBUG) @@ -680,7 +769,6 @@ static int parse_config_file(struct instance_data *idata) if (fil == NULL) { pam_syslog(idata->pamh, LOG_ERR, "Error opening config file %s", confname); - globfree(&globbuf); free(rhome); free(home); return PAM_SERVICE_ERR; @@ -698,7 +786,6 @@ static int parse_config_file(struct instance_data *idata) "Error processing conf file %s line %s", confname, line); fclose(fil); free(line); - globfree(&globbuf); free(rhome); free(home); return PAM_SERVICE_ERR; @@ -707,14 +794,18 @@ static int parse_config_file(struct instance_data *idata) fclose(fil); free(line); - if (n >= globbuf.gl_pathc) + if (filename_list == NULL || filename_list[n] == NULL) break; - confname = globbuf.gl_pathv[n]; - n++; + confname = filename_list[n++]; + } + + if (filename_list != NULL) { + for (size_t i = 0; filename_list[i] != NULL; i++) + free(filename_list[i]); + free(filename_list); } - globfree(&globbuf); free(rhome); free(home); 
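Review bot: A NULL from `read_namespace_dir` (which it returns after the allocation failure it logs) is indistinguishable here from "no drop-in files": the loop test `if (filename_list == NULL || filename_list[n] == NULL) break;` in the -707 hunk simply stops after the main file, and the session proceeds without whatever namespace.d/*.conf entries were not loaded, which is fail-open for an isolation module. Treat NULL as an error right after the call, `if (filename_list == NULL) { free(rhome); free(home); return PAM_SERVICE_ERR; }`, after which the `filename_list == NULL ||` half of the loop test can go. The `stat` of `confname` followed by the later `fopen` is also a small check-then-use window; opening PAM_NAMESPACE_CONFIG first and falling back to the vendor file only when that open fails with ENOENT would remove it together with the extra `struct stat`. parse_config_file starts and ends outside the hunks shown.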
@@ -1250,16 +1341,17 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, struct instance_data *idata, int newdir) { pid_t rc, pid; - struct sigaction newsa, oldsa; int status; const char *init_script = NAMESPACE_INIT_SCRIPT; - memset(&newsa, '\0', sizeof(newsa)); - newsa.sa_handler = SIG_DFL; - if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { - pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value"); - return PAM_SESSION_ERR; +#ifdef VENDOR_NAMESPACE_INIT_SCRIPT + /* Check whether NAMESPACE_INIT_SCRIPT file is available. + * If it does not exist, fall back to VENDOR_NAMESPACE_INIT_SCRIPT file. */ + struct stat buffer; + if (stat(init_script, &buffer) != 0 && errno == ENOENT) { + init_script = VENDOR_NAMESPACE_INIT_SCRIPT; } +#endif if ((polyptr->flags & POLYDIR_ISCRIPT) && polyptr->init_script) init_script = polyptr->init_script; @@ -1269,9 +1361,17 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_ERR, "Namespace init script not executable"); - rc = PAM_SESSION_ERR; - goto out; + return PAM_SESSION_ERR; } else { + struct sigaction newsa, oldsa; + + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { + pam_syslog(idata->pamh, LOG_ERR, "failed to reset SIGCHLD handler"); + return PAM_SESSION_ERR; + } + pid = fork(); if (pid == 0) { static char *envp[] = { NULL }; @@ -1309,13 +1409,13 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, rc = PAM_SESSION_ERR; goto out; } + rc = PAM_SUCCESS; +out: + (void) sigaction(SIGCHLD, &oldsa, NULL); + return rc; } } - rc = PAM_SUCCESS; -out: - (void) sigaction(SIGCHLD, &oldsa, NULL); - - return rc; + return PAM_SUCCESS; } static int create_polydir(struct polydir_s *polyptr, diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index b51f2841..a991b4c4 100644 
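Review bot: In the `-1250` hunk the switch to the vendor init script is silent, so once the distro `namespace.init` is removed the module runs a different script with no trace in the log; a message inside the `#ifdef` block after the reassignment, e.g. `if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "using vendor init script %s", init_script);`, would make that visible, and the same applies to the config-file fallback in parse_config_file. The `stat()` check falls back only on ENOENT; any other failure keeps the primary path and is reported later by the existing executable check, which is reasonable but should be said in the comment. Moving the SIGCHLD reset into the fork branch in the `-1269` hunk is correct, and the restore now sits on every exit of that branch via the relocated `out:` label. The executable check that precedes the `else` is outside the hunks.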
--- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -30,7 +30,7 @@ * DEALINGS IN THE SOFTWARE. */ -#if !(defined(linux)) +#ifndef __linux__ #error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! #endif @@ -90,15 +90,17 @@ /* * Module defines */ -#ifndef SECURECONF_DIR -#define SECURECONF_DIR "/etc/security/" +#define PAM_NAMESPACE_CONFIG (SCONFIGDIR "/namespace.conf") +#define NAMESPACE_INIT_SCRIPT (SCONFIGDIR "/namespace.init") +#define NAMESPACE_D_DIR (SCONFIGDIR "/namespace.d/") +#define NAMESPACE_D_GLOB (SCONFIGDIR "/namespace.d/*.conf") +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_NAMESPACE_INIT_SCRIPT (VENDOR_SCONFIGDIR "/namespace.init") +#define VENDOR_PAM_NAMESPACE_CONFIG (VENDOR_SCONFIGDIR "/namespace.conf") +#define VENDOR_NAMESPACE_D_DIR (VENDOR_SCONFIGDIR "/namespace.d/") +#define VENDOR_NAMESPACE_D_GLOB (VENDOR_SCONFIGDIR "/namespace.d/*.conf") #endif -#define PAM_NAMESPACE_CONFIG (SECURECONF_DIR "namespace.conf") -#define NAMESPACE_INIT_SCRIPT (SECURECONF_DIR "namespace.init") -#define NAMESPACE_D_DIR (SECURECONF_DIR "namespace.d/") -#define NAMESPACE_D_GLOB (SECURECONF_DIR "namespace.d/*.conf") - /* module flags */ #define PAMNS_DEBUG 0x00000100 /* Running in debug mode */ #define PAMNS_SELINUX_ENABLED 0x00000400 /* SELinux is enabled */ diff --git a/modules/pam_namespace/pam_namespace_helper.8 b/modules/pam_namespace/pam_namespace_helper.8 index df93df2e..317cddc8 100644 --- a/modules/pam_namespace/pam_namespace_helper.8 +++ b/modules/pam_namespace/pam_namespace_helper.8 
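Review bot: The second hunk removes the `SECURECONF_DIR` default without adding a guard for its replacement, so a build that does not define `SCONFIGDIR` now fails at the first use of `PAM_NAMESPACE_CONFIG` with an undeclared-identifier error instead of a message naming the missing value; `#ifndef SCONFIGDIR` / `#error SCONFIGDIR must be defined by the build` / `#endif` ahead of the new defines makes the requirement explicit. The new macros also assume `SCONFIGDIR` and `VENDOR_SCONFIGDIR` have no trailing slash, the opposite of the old `SECURECONF_DIR` convention, which is worth a one-line comment next to the defines since the Makefile.am change no longer passes the directory on the command line. Neither addition changes the installed paths.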
@@ -1,13 +1,13 @@ '\" t .\" Title: pam_namespace_helper .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_NAMESPACE_HELPER" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_NAMESPACE_HELPER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_namespace/pam_namespace_helper.8.xml b/modules/pam_namespace/pam_namespace_helper.8.xml index 2f5adbed..002c254a 100644 --- a/modules/pam_namespace/pam_namespace_helper.8.xml +++ b/modules/pam_namespace/pam_namespace_helper.8.xml 
@@ -1,27 +1,24 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_namespace_helper"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_namespace_helper"> <refmeta> <refentrytitle>pam_namespace_helper</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_namespace_helper-name"> + <refnamediv xml:id="pam_namespace_helper-name"> <refname>pam_namespace_helper</refname> <refpurpose>Helper binary that creates home directories</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_namespace_helper-cmdsynopsis"> + <cmdsynopsis xml:id="pam_namespace_helper-cmdsynopsis" sepchar=" "> <command>pam_namespace_helper</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_namespace_helper-description"> + <refsect1 xml:id="pam_namespace_helper-description"> <title>DESCRIPTION</title> @@ -43,7 +40,7 @@ </para> </refsect1> - <refsect1 id='pam_namespace_helper-see_also'> + <refsect1 xml:id="pam_namespace_helper-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -52,11 +49,11 @@ </para> </refsect1> - <refsect1 id='pam_namespace_helper-author'> + <refsect1 xml:id="pam_namespace_helper-author"> <title>AUTHOR</title> <para> Written by Topi Miettinen. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file |