diff options
| author | Topi Miettinen <toiwoton@gmail.com> | 2019-05-10 22:11:40 +0300 |
|---|---|---|
| committer | Tomáš Mráz <t8m@users.noreply.github.com> | 2020-02-18 13:18:16 +0100 |
| commit | 59812d1cf1127a1af65b530addff76be767092b1 (patch) | |
| tree | c05252f35d58f485d13af5988cd340a80b3e1121 /modules/pam_namespace/Makefile.am | |
| parent | c7a66c8ca510e12f43355ac7cc893834964235b7 (diff) | |
pam_namespace: secure tmp-inst directories
When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
creates subdirectories with fixed name tmp-inst. These paths should be
secured as early as possible to avoid that somehow these directories
could created and controlled by for example a malicious user or
service.
Ship a systemd service, which creates the directories early in
boot sequence with correct permissions and ownership.
Closes #111.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'modules/pam_namespace/Makefile.am')
| -rw-r--r-- | modules/pam_namespace/Makefile.am | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index 0a290160..dc7189f8 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -8,7 +8,7 @@ MAINTAINERCLEANFILES = $(MAN5) $(MAN8) README if HAVE_DOC MAN5 = namespace.conf.5 -MAN8 = pam_namespace.8 +MAN8 = pam_namespace.8 pam_namespace_helper.8 endif EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace @@ -18,11 +18,12 @@ if HAVE_UNSHARE man_MANS = $(MAN5) $(MAN8) endif -XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml +XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml pam_namespace_helper.8.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) namespaceddir = $(SCONFIGDIR)/namespace.d +servicedir = $(prefix)/lib/systemd AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) @@ -43,11 +44,18 @@ if HAVE_UNSHARE install-data-local: mkdir -p $(DESTDIR)$(namespaceddir) + mkdir -p $(DESTDIR)$(servicedir) + $(INSTALL_DATA) pam_namespace.service $(DESTDIR)$(servicedir) + + sbin_SCRIPTS = pam_namespace_helper + +uninstall-local: + -rm $(DESTDIR)$(servicedir)/pam_namespace.service endif if ENABLE_REGENERATE_MAN noinst_DATA = README -README: pam_namespace.8.xml namespace.conf.5.xml +README: pam_namespace.8.xml namespace.conf.5.xml pam_namespace_helper.8.xml -include $(top_srcdir)/Make.xml.rules endif |