|
Server : Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.17 System : Linux localhost 2.6.18-419.el5 #1 SMP Fri Feb 24 22:47:42 UTC 2017 x86_64 User : nobody ( 99) PHP Version : 5.2.17 Disable Function : NONE Directory : /proc/21585/root/usr/share/doc/pam-0.99.6.2/html/ |
Upload File : |
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>6.20. pam_namespace - setup a private namespace</title><meta name="generator" content="DocBook XSL Stylesheets V1.69.1"><link rel="start" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_motd.html" title="6.19. pam_motd - display the motd file"><link rel="next" href="sag-pam_nologin.html" title="6.21. pam_nologin - prevent non-root users from login"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.20. pam_namespace - setup a private namespace</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_motd.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_nologin.html">Next</a></td></tr></table><hr></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_namespace"></a>6.20. pam_namespace - setup a private namespace</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_namespace.so</code> [
debug
] [
unmnt_remnt
] [
unmnt_only
] [
require_selinux
] [
gen_hash
] [
ignore_config_error
] [
ignore_instance_parent_mode
] [
no_unmount_on_close
]</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-description"></a>6.20.1. DESCRIPTION</h3></div></div></div><p>
The pam_namespace PAM module sets up a private namespace for a session
with polyinstantiated directories. A polyinstantiated directory
provides a different instance of itself based on user name, or when
using SELinux, user name, security context or both. If an executable
script <code class="filename">/etc/security/namespace.init</code> exists, it
is used to initialize the namespace every time a new instance
directory is setup. The script receives the polyinstantiated
directory path and the instance directory path as its arguments.
</p><p>
The pam_namespace module disassociates the session namespace from
the parent namespace. Any mounts/unmounts performed in the parent
namespace, such as mounting of devices, are not reflected in the
session namespace. To propagate selected mount/unmount events from
the parent namespace into the disassociated session namespace, an
administrator may use the special shared-subtree feature. For
additional information on shared-subtree feature, please refer to
the mount(8) man page and the shared-subtree description at
http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092.
</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-namespace.conf-description"></a>6.20.2. DESCRIPTION</h3></div></div></div><p>
This module allows setup of private namespaces with polyinstantiated
directories. Directories can be polyinstantiated based on user name
or, in the case of SELinux, user name, sensitivity level or complete security context. If an
executable script <code class="filename">/etc/security/namespace.init</code>
exists, it is used to initialize the namespace every time a new instance
directory is setup. The script receives the polyinstantiated
directory path and the instance directory path as its arguments.
</p><p>
The <code class="filename">/etc/security/namespace.conf</code> file specifies
which directories are polyinstantiated, how they are polyinstantiated,
how instance directories would be named, and any users for whom
polyinstantiation would not be performed.
</p><p>
When someone logs in, the file <code class="filename">namespace.conf</code> is
scanned where each non comment line represents one polyinstantiated
directory with space separated fields as follows:
</p><p>
<em class="replaceable"><code>polydir</code></em> <em class="replaceable"><code> instance_prefix</code></em> <em class="replaceable"><code> method</code></em> <em class="replaceable"><code> list_of_uids</code></em>
</p><p>
The first field, <em class="replaceable"><code>polydir</code></em>, is the absolute
pathname of the directory to polyinstantiate. The special string $HOME
in entry is replaced with user's home directory. This field cannot be
blank.
</p><p>
The second field, <em class="replaceable"><code>instance_prefix</code></em> is
the string prefix used to build the pathname for the instantiation
of <polydir>. The directory security context, or optionally its
md5sum string (32 hex characters), is appended to the prefix to
generate the final instance directory path. This directory is
created if it did not exist already, and is then bind mounted on the
<polydir> to provide an instance of <polydir> based on the
<method> column. The special string $HOME is replaced with the
user's home directory, and $USER with the username. This field cannot
be blank. The directory where polyinstantiated instances are to be
created, must exist and must have, by default, the mode of 000. The
requirement that the instance parent be of mode 000 can be overridden
with the command line option <ignore_instance_parent_mode>
</p><p>
The third field, <em class="replaceable"><code>method</code></em>, is the method
used for polyinstantiation. It can take 3 different values; "user"
for polyinstantiation based on user name, "level" for
polyinstantiation based on process MLS level and user name, and "context" for
polyinstantiation based on process security context and user name
Methods "context" and "level" are only available with SELinux. This
field cannot be blank.
</p><p>
The fourth field, <em class="replaceable"><code>list_of_uids</code></em>, is
a comma separated list of user names for whom the polyinstantiation
is not performed. If left blank, polyinstantiation will be performed
for all users.
</p><p>
In case of context or level polyinstantiation the SELinux context
which is used for polyinstantiation is the context used for executing
a new process as obtained by getexeccon. This context must be set
by the calling application or <code class="filename">pam_selinux.so</code>
module. If this context is not set the polyinstatiation will be
based just on user name.
</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-options"></a>6.20.3. OPTIONS</h3></div></div></div><div class="variablelist"><dl><dt><span class="term">
<code class="option">debug</code>
</span></dt><dd><p>
A lot of debug information is logged using syslog
</p></dd><dt><span class="term">
<code class="option">unmnt_remnt</code>
</span></dt><dd><p>
For programs such as su and newrole, the login
session has already setup a polyinstantiated
namespace. For these programs, polyinstantiation
is performed based on new user id or security
context, however the command first needs to
undo the polyinstantiation performed by login.
This argument instructs the command to
first undo previous polyinstantiation before
proceeding with new polyinstantiation based on
new id/context
</p></dd><dt><span class="term">
<code class="option">unmnt_only</code>
</span></dt><dd><p>
For trusted programs that want to undo any
existing bind mounts and process instance
directories on their own, this argument allows
them to unmount currently mounted instance
directories
</p></dd><dt><span class="term">
<code class="option">require_selinux</code>
</span></dt><dd><p>
If selinux is not enabled, return failure
</p></dd><dt><span class="term">
<code class="option">gen_hash</code>
</span></dt><dd><p>
Instead of using the security context string
for the instance name, generate and use its
md5 hash.
</p></dd><dt><span class="term">
<code class="option">ignore_config_error</code>
</span></dt><dd><p>
If a line in the configuration file corresponding
to a polyinstantiated directory contains format
error, skip that line process the next line.
Without this option, pam will return an error
to the calling program resulting in termination
of the session.
</p></dd><dt><span class="term">
<code class="option">ignore_instance_parent_mode</code>
</span></dt><dd><p>
Instance parent directories by default are expected to have
the restrictive mode of 000. Using this option, an administrator
can choose to ignore the mode of the instance parent. This option
should be used with caution as it will reduce security and
isolation goals of the polyinstantiation mechanism.
</p></dd><dt><span class="term">
<code class="option">no_unmount_on_close</code>
</span></dt><dd><p>
For certain trusted programs such as newrole, open session
is called from a child process while the parent perfoms
close session and pam end functions. For these commands
use this option to instruct pam_close_session to not
unmount the bind mounted polyinstantiated directory in the
parent.
</p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-services"></a>6.20.4. MODULE SERVICES PROVIDED</h3></div></div></div><p>
The <code class="option">session</code> service is supported.
</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-return_values"></a>6.20.5. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
Namespace setup was successful.
</p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
Unexpected system error occurred while setting up namespace.
</p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p>
Unexpected namespace configuration error occurred.
</p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-files"></a>6.20.6. FILES</h3></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/security/namespace.conf</code></span></dt><dd><p>Configuration file</p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-namespace.conf-examples"></a>6.20.7. EXAMPLES</h3></div></div></div><p>
These are some example lines which might be specified in
<code class="filename">/etc/security/namespace.conf</code>.
</p><div class="literallayout"><p><br>
# The following three lines will polyinstantiate /tmp,<br>
# /var/tmp and user's home directories. /tmp and /var/tmp<br>
# will be polyinstantiated based on the security level<br>
# as well as user name, whereas home directory will be<br>
# polyinstantiated based on the full security context and user name.<br>
# Polyinstantiation will not be performed for user root<br>
# and adm for directories /tmp and /var/tmp, whereas home<br>
# directories will be polyinstantiated for all users.<br>
#<br>
# Note that instance directories do not have to reside inside<br>
# the polyinstantiated directory. In the examples below,<br>
# instances of /tmp will be created in /tmp-inst directory,<br>
# where as instances of /var/tmp and users home directories<br>
# will reside within the directories that are being<br>
# polyinstantiated.<br>
#<br>
/tmp /tmp-inst/ level root,adm<br>
/var/tmp /var/tmp/tmp-inst/ level root,adm<br>
$HOME $HOME/$USER.inst/inst- context<br>
</p></div><p>
For the <service>s you need polyinstantiation (login for example)
put the following line in /etc/pam.d/<service> as the last line for
session group:
</p><p>
session required pam_namespace.so [arguments]
</p><p>
This module also depends on pam_selinux.so setting the context.
</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-authors"></a>6.20.8. AUTHORS</h3></div></div></div><p>
The namespace setup scheme was designed by Stephen Smalley, Janak Desai
and Chad Sellers.
The pam_namespace PAM module was developed by Janak Desai <janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve Grubb <sgrubb@redhat.com>.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_motd.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_nologin.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.19. pam_motd - display the motd file </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.21. pam_nologin - prevent non-root users from login</td></tr></table></div></body></html>