diff options
Diffstat (limited to 'Linux-PAM/modules/pam_namespace/README')
-rw-r--r-- | Linux-PAM/modules/pam_namespace/README | 168 |
1 files changed, 0 insertions, 168 deletions
diff --git a/Linux-PAM/modules/pam_namespace/README b/Linux-PAM/modules/pam_namespace/README deleted file mode 100644 index cf5814e3..00000000 --- a/Linux-PAM/modules/pam_namespace/README +++ /dev/null @@ -1,168 +0,0 @@ -pam_namespace — PAM module for configuring namespace for a session - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_namespace PAM module sets up a private namespace for a session with -polyinstantiated directories. A polyinstantiated directory provides a different -instance of itself based on user name, or when using SELinux, user name, -security context or both. If an executable script /etc/security/namespace.init -exists, it is used to initialize the namespace every time a new instance -directory is setup. The script receives the polyinstantiated directory path and -the instance directory path as its arguments. - -The pam_namespace module disassociates the session namespace from the parent -namespace. Any mounts/unmounts performed in the parent namespace, such as -mounting of devices, are not reflected in the session namespace. To propagate -selected mount/unmount events from the parent namespace into the disassociated -session namespace, an administrator may use the special shared-subtree feature. -For additional information on shared-subtree feature, please refer to the mount -(8) man page and the shared-subtree description at http://lwn.net/Articles/ -159077 and http://lwn.net/Articles/159092. - -OPTIONS - -debug - - A lot of debug information is logged using syslog - -unmnt_remnt - - For programs such as su and newrole, the login session has already setup a - polyinstantiated namespace. For these programs, polyinstantiation is - performed based on new user id or security context, however the command - first needs to undo the polyinstantiation performed by login. This argument - instructs the command to first undo previous polyinstantiation before - proceeding with new polyinstantiation based on new id/context - -unmnt_only - - For trusted programs that want to undo any existing bind mounts and process - instance directories on their own, this argument allows them to unmount - currently mounted instance directories - -require_selinux - - If selinux is not enabled, return failure - -gen_hash - - Instead of using the security context string for the instance name, - generate and use its md5 hash. - -ignore_config_error - - If a line in the configuration file corresponding to a polyinstantiated - directory contains format error, skip that line process the next line. - Without this option, pam will return an error to the calling program - resulting in termination of the session. - -ignore_instance_parent_mode - - Instance parent directories by default are expected to have the restrictive - mode of 000. Using this option, an administrator can choose to ignore the - mode of the instance parent. This option should be used with caution as it - will reduce security and isolation goals of the polyinstantiation - mechanism. - -no_unmount_on_close - - For certain trusted programs such as newrole, open session is called from a - child process while the parent perfoms close session and pam end functions. - For these commands use this option to instruct pam_close_session to not - unmount the bind mounted polyinstantiated directory in the parent. - -DESCRIPTION - -This module allows setup of private namespaces with polyinstantiated -directories. Directories can be polyinstantiated based on user name or, in the -case of SELinux, user name, sensitivity level or complete security context. If -an executable script /etc/security/namespace.init exists, it is used to -initialize the namespace every time a new instance directory is setup. The -script receives the polyinstantiated directory path and the instance directory -path as its arguments. - -The /etc/security/namespace.conf file specifies which directories are -polyinstantiated, how they are polyinstantiated, how instance directories would -be named, and any users for whom polyinstantiation would not be performed. - -When someone logs in, the file namespace.conf is scanned where each non comment -line represents one polyinstantiated directory with space separated fields as -follows: - -polydir instance_prefix method list_of_uids - -The first field, polydir, is the absolute pathname of the directory to -polyinstantiate. Special entry $HOME is supported to designate user's home -directory. This field cannot be blank. - -The second field, instance_prefix is the string prefix used to build the -pathname for the instantiation of <polydir>. Depending on the polyinstantiation -method it is then appended with "instance differentiation string" to generate -the final instance directory path. This directory is created if it did not -exist already, and is then bind mounted on the <polydir> to provide an instance -of <polydir> based on the <method> column. The special string $HOME is replaced -with the user's home directory, and $USER with the username. This field cannot -be blank. The directory where polyinstantiated instances are to be created, -must exist and must have, by default, the mode of 000. The requirement that the -instance parent be of mode 000 can be overridden with the command line option -ignore_instance_parent_mode - -The third field, method, is the method used for polyinstantiation. It can take -3 different values; "user" for polyinstantiation based on user name, "level" -for polyinstantiation based on process MLS level and user name, and "context" -for polyinstantiation based on process security context and user name Methods -"context" and "level" are only available with SELinux. This field cannot be -blank. - -The fourth field, list_of_uids, is a comma separated list of user names for -whom the polyinstantiation is not performed. If left blank, polyinstantiation -will be performed for all users. - -In case of context or level polyinstantiation the SELinux context which is used -for polyinstantiation is the context used for executing a new process as -obtained by getexeccon. This context must be set by the calling application or -pam_selinux.so module. If this context is not set the polyinstatiation will be -based just on user name. - -The "instance differentiation string" is <user name> for "user" method and -<user name>_<raw directory context> for "context" and "level" methods. If the -whole string is too long the end of it is replaced with md5sum of itself. Also -when command line option gen_hash is used the whole string is replaced with -md5sum of itself. - -EXAMPLES - -These are some example lines which might be specified in /etc/security/ -namespace.conf. - - - # The following three lines will polyinstantiate /tmp, - # /var/tmp and user's home directories. /tmp and /var/tmp - # will be polyinstantiated based on the security level - # as well as user name, whereas home directory will be - # polyinstantiated based on the full security context and user name. - # Polyinstantiation will not be performed for user root - # and adm for directories /tmp and /var/tmp, whereas home - # directories will be polyinstantiated for all users. - # - # Note that instance directories do not have to reside inside - # the polyinstantiated directory. In the examples below, - # instances of /tmp will be created in /tmp-inst directory, - # where as instances of /var/tmp and users home directories - # will reside within the directories that are being - # polyinstantiated. - # - /tmp /tmp-inst/ level root,adm - /var/tmp /var/tmp/tmp-inst/ level root,adm - $HOME $HOME/$USER.inst/inst- context - - -For the <service>s you need polyinstantiation (login for example) put the -following line in /etc/pam.d/<service> as the last line for session group: - -session required pam_namespace.so [arguments] - -This module also depends on pam_selinux.so setting the context. - |