pam_namespace: secure tmp-inst directories

When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace creates subdirectories with fixed name tmp-inst. These paths should be secured as early as possible to avoid that somehow these directories could created and controlled by for example a malicious user or service. Ship a systemd service, which creates the directories early in boot sequence with correct permissions and ownership. Closes #111. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
author: Topi Miettinen <toiwoton@gmail.com> 2019-05-10 22:11:40 +0300
committer: Tomáš Mráz <t8m@users.noreply.github.com> 2020-02-18 13:18:16 +0100
commit: 59812d1cf1127a1af65b530addff76be767092b1 (patch)
tree: c05252f35d58f485d13af5988cd340a80b3e1121 /modules/pam_namespace/pam_namespace_helper.in
parent: c7a66c8ca510e12f43355ac7cc893834964235b7 (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/modules/pam_namespace/pam_namespace_helper.in b/modules/pam_namespace/pam_namespace_helper.in
new file mode 100644
index 00000000..b9c361fb
--- /dev/null
+++ b/modules/pam_namespace/pam_namespace_helper.in
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+CONF=@SCONFIGDIR@/namespace.conf
+
+# Match logic of process_line(), except lines with $HOME are ignored
+# skip the leading white space, rip off the comments, ignore empty lines
+sed -e 's/^[ 	]*//g' -e 's/#.*//g' -e '/.*\$HOME.*/d'  -e '/^$/d' < $CONF | \
+    while read polydir instance_prefix method uids; do
+	if [ ! -e "$instance_prefix" ]; then
+	    echo "mkdir $instance_prefix"
+	    mkdir --parents --mode=0 -Z "$instance_prefix"
+	fi
+    done
+
+exit 0
author	Topi Miettinen <toiwoton@gmail.com>	2019-05-10 22:11:40 +0300
committer	Tomáš Mráz <t8m@users.noreply.github.com>	2020-02-18 13:18:16 +0100
commit	59812d1cf1127a1af65b530addff76be767092b1 (patch)
tree	c05252f35d58f485d13af5988cd340a80b3e1121 /modules/pam_namespace/pam_namespace_helper.in
parent	c7a66c8ca510e12f43355ac7cc893834964235b7 (diff)