Diffstat (limited to 'modules/pam_namespace')
-rw-r--r--modules/pam_namespace/Makefile.am8
-rw-r--r--modules/pam_namespace/Makefile.in51
-rw-r--r--modules/pam_namespace/README13
-rw-r--r--modules/pam_namespace/README.xml37
-rw-r--r--modules/pam_namespace/md5.c52
-rw-r--r--modules/pam_namespace/md5.h10
-rw-r--r--modules/pam_namespace/namespace.conf.510
-rw-r--r--modules/pam_namespace/namespace.conf.5.xml39
-rwxr-xr-xmodules/pam_namespace/namespace.init2
-rw-r--r--modules/pam_namespace/pam_namespace.864
-rw-r--r--modules/pam_namespace/pam_namespace.8.xml154
-rw-r--r--modules/pam_namespace/pam_namespace.c235
-rw-r--r--modules/pam_namespace/pam_namespace.h19
-rw-r--r--modules/pam_namespace/pam_namespace_helper.88
-rw-r--r--modules/pam_namespace/pam_namespace_helper.8.xml21
15 files changed, 409 insertions, 314 deletions
diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am
index 21e1b33a..507beea7 100644
--- a/modules/pam_namespace/Makefile.am
+++ b/modules/pam_namespace/Makefile.am
@@ -16,12 +16,16 @@ dist_check_SCRIPTS = tst-pam_namespace
TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
+if HAVE_VENDORDIR
+secureconfdir = $(VENDOR_SCONFIGDIR)
+else
secureconfdir = $(SCONFIGDIR)
+endif
namespaceddir = $(SCONFIGDIR)/namespace.d
-servicedir = $(prefix)/lib/systemd/system
+servicedir = $(systemdunitdir)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS)
+ $(WARN_CFLAGS)
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
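Review bot: `namespaceddir` on the line after the new conditional still resolves to `$(SCONFIGDIR)/namespace.d` even when `HAVE_VENDORDIR` moves `secureconfdir` to `$(VENDOR_SCONFIGDIR)`, so anything the build places under namespaceddir lands in the administrator's tree rather than the vendor tree. The README hunk in this same diff documents `%vendordir%/security/namespace.d` as a second drop-in directory, which suggests a vendor build was meant to populate that one; what, if anything, is installed into namespaceddir is not visible here, so this may be deliberate. If the vendor directory is the intent, move the assignment into the conditional: `namespaceddir = $(VENDOR_SCONFIGDIR)/namespace.d` in the `HAVE_VENDORDIR` branch and `namespaceddir = $(SCONFIGDIR)/namespace.d` in the else branch. The removal of `-DSECURECONF_DIR` from AM_CFLAGS presumably relies on pam_namespace.c now taking the path from config.h; that file is listed in the diffstat but its hunks are not in this chunk.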
diff --git a/modules/pam_namespace/Makefile.in b/modules/pam_namespace/Makefile.in
index 7524287e..8fc29dc1 100644
--- a/modules/pam_namespace/Makefile.in
+++ b/modules/pam_namespace/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.3 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -99,18 +99,21 @@ host_triplet = @host@
@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map
subdir = modules/pam_namespace
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
- $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
- $(top_srcdir)/m4/japhar_grep_cflags.m4 \
+am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
+ $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \
+ $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/jh_path_xml_catalog.m4 \
$(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
- $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \
+ $(top_srcdir)/m4/ld-no-undefined.m4 \
+ $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \
$(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
$(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
- $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac
+ $(top_srcdir)/m4/progtest.m4 \
+ $(top_srcdir)/m4/warn_lang_flags.m4 \
+ $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \
@@ -384,6 +387,7 @@ am__set_TESTS_bases = \
bases='$(TEST_LOGS)'; \
bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
RECHECK_LOGS = $(TEST_LOGS)
AM_RECURSIVE_TARGETS = check recheck
TEST_SUITE_LOG = test-suite.log
@@ -430,10 +434,14 @@ CC_FOR_BUILD = @CC_FOR_BUILD@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
+CRYPTO_LIBS = @CRYPTO_LIBS@
+CRYPT_CFLAGS = @CRYPT_CFLAGS@
+CRYPT_LIBS = @CRYPT_LIBS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
+DOCBOOK_RNG = @DOCBOOK_RNG@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -443,12 +451,16 @@ ECONF_CFLAGS = @ECONF_CFLAGS@
ECONF_LIBS = @ECONF_LIBS@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
+EXE_CFLAGS = @EXE_CFLAGS@
+EXE_LDFLAGS = @EXE_LDFLAGS@
FGREP = @FGREP@
+FILECMD = @FILECMD@
FO2PDF = @FO2PDF@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
+HTML_STYLESHEET = @HTML_STYLESHEET@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
@@ -462,7 +474,6 @@ LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBAUDIT = @LIBAUDIT@
-LIBCRACK = @LIBCRACK@
LIBCRYPT = @LIBCRYPT@
LIBDB = @LIBDB@
LIBDL = @LIBDL@
@@ -481,12 +492,14 @@ LIBSELINUX = @LIBSELINUX@
LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
+LOGIND_CFLAGS = @LOGIND_CFLAGS@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
+MAN_STYLESHEET = @MAN_STYLESHEET@
MKDIR_P = @MKDIR_P@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
@@ -509,8 +522,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
-PIE_CFLAGS = @PIE_CFLAGS@
-PIE_LDFLAGS = @PIE_LDFLAGS@
+PDF_STYLESHEET = @PDF_STYLESHEET@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
@@ -521,11 +533,16 @@ SECUREDIR = @SECUREDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@
STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@
STRIP = @STRIP@
+SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@
+SYSTEMD_LIBS = @SYSTEMD_LIBS@
TIRPC_CFLAGS = @TIRPC_CFLAGS@
TIRPC_LIBS = @TIRPC_LIBS@
+TXT_STYLESHEET = @TXT_STYLESHEET@
USE_NLS = @USE_NLS@
+VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@
VERSION = @VERSION@
WARN_CFLAGS = @WARN_CFLAGS@
XGETTEXT = @XGETTEXT@
@@ -570,7 +587,6 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
-libc_cv_fpie = @libc_cv_fpie@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
@@ -578,9 +594,6 @@ localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
-pam_cv_ld_O1 = @pam_cv_ld_O1@
-pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
-pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@
pam_xauth_path = @pam_xauth_path@
pdfdir = @pdfdir@
prefix = @prefix@
@@ -590,6 +603,7 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -602,11 +616,12 @@ XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml pam_namespace_helper.
dist_check_SCRIPTS = tst-pam_namespace
TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
+@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR)
+@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR)
namespaceddir = $(SCONFIGDIR)/namespace.d
-servicedir = $(prefix)/lib/systemd/system
+servicedir = $(systemdunitdir)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS)
+ $(WARN_CFLAGS)
AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1)
noinst_HEADERS = md5.h pam_namespace.h argv_parse.h
@@ -1094,7 +1109,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \
fi; \
echo "$${col}$$br$${std}"; \
- echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \
+ echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \
echo "$${col}$$br$${std}"; \
create_testsuite_report --maybe-color; \
echo "$$col$$br$$std"; \
diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README
index 106a073a..c5a6ec4d 100644
--- a/modules/pam_namespace/README
+++ b/modules/pam_namespace/README
@@ -14,6 +14,9 @@ polyinstantiated directory path, the instance directory path, flag whether the
instance directory was newly created (0 for no, 1 for yes), and the user name
as its arguments.
+If /etc/security/namespace.init does not exist, %vendordir%/security/
+namespace.init is the alternative to be used for it.
+
The pam_namespace module disassociates the session namespace from the parent
namespace. Any mounts/unmounts performed in the parent namespace, such as
mounting of devices, are not reflected in the session namespace. To propagate
@@ -117,6 +120,16 @@ The /etc/security/namespace.conf file specifies which directories are
polyinstantiated, how they are polyinstantiated, how instance directories would
be named, and any users for whom polyinstantiation would not be performed.
+The /etc/security/namespace.conf file ( or %vendordir%/security/namespace.conf
+if it does not exist) specifies which directories are polyinstantiated, how
+they are polyinstantiated, how instance directories would be named, and any
+users for whom polyinstantiation would not be performed. Then individual *.conf
+files from the /etc/security/namespace.d/ and %vendordir%/security/namespace.d
+directories are taken too. If /etc/security/namespace.d/@filename@.conf exists,
+then %vendordir%/security/namespace.d/@filename@.conf will not be used. All
+namespace.d/*.conf files are sorted by their @filename@.conf in lexicographic
+order regardless of which of the directories they reside in.
+
When someone logs in, the file namespace.conf is scanned. Comments are marked
by # characters. Each non comment line represents one polyinstantiated
directory. The fields are separated by spaces but can be quoted by " characters
diff --git a/modules/pam_namespace/README.xml b/modules/pam_namespace/README.xml
index 4ef99c9f..f94cb065 100644
--- a/modules/pam_namespace/README.xml
+++ b/modules/pam_namespace/README.xml
@@ -1,44 +1,27 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamns SYSTEM "pam_namespace.8.xml">
--->
-<!--
-<!ENTITY nsconf SYSTEM "namespace.conf.5.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
+<article xmlns="http://docbook.org/ns/docbook" version="5.0">
+
+ <info>
<title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_namespace.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_namespace-name"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-name")/*)'/>
</title>
- </articleinfo>
+ </info>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-description"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-description")/*)'/>
</section>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-options"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-options")/*)'/>
</section>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-description"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="namespace.conf.5.xml" xpointer='xpointer(id("namespace.conf-description")/*)'/>
</section>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-examples"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="namespace.conf.5.xml" xpointer='xpointer(id("namespace.conf-examples")/*)'/>
</section>
-</article>
+</article> \ No newline at end of file
diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c
index b9a7f084..07ad9a02 100644
--- a/modules/pam_namespace/md5.c
+++ b/modules/pam_namespace/md5.c
@@ -18,14 +18,14 @@
*
*/
-#include <string.h>
#include "md5.h"
+#include <string.h>
+
+#include "pam_inline.h"
#define MD5Name(x) x
-#if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
-#define byteReverse(buf, len) /* Nothing */
-#else
+#ifdef WORDS_BIGENDIAN
typedef unsigned char PAM_ATTRIBUTE_ALIGNED(4) uint8_aligned;
static void byteReverse(uint8_aligned *buf, unsigned longs);
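Review bot: `#ifdef WORDS_BIGENDIAN` at the top of this hunk only does its job if config.h has been included before this point; the includes visible here are `md5.h`, `<string.h>` and `pam_inline.h`, and the top of the file (before the hunk) is outside view. If config.h is not pulled in there or via the compiler command line, the macro is never defined, byteReverse compiles to nothing on big-endian hosts and MD5Transform is fed unswapped words, yielding a wrong digest; the old x86-only test at least needed no external macro. Consider making the dependency explicit with `#include "config.h"` as the first include if it is not already present. Separately, on little-endian non-x86 hosts (aarch64, little-endian POWER) the old code byte-swapped and the new code does not, so instance directory names produced with `gen_hash` change across this upgrade and existing polyinstantiated directories will no longer be matched; that deserves a mention in the module documentation or release notes.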
@@ -43,6 +43,8 @@ static void byteReverse(uint8_aligned *buf, unsigned longs)
buf += 4;
} while (--longs);
}
+#else
+#define byteReverse(buf, len) /* Nothing */
#endif
/*
@@ -51,10 +53,10 @@ static void byteReverse(uint8_aligned *buf, unsigned longs)
*/
void MD5Name(MD5Init)(struct MD5Context *ctx)
{
- ctx->buf[0] = 0x67452301U;
- ctx->buf[1] = 0xefcdab89U;
- ctx->buf[2] = 0x98badcfeU;
- ctx->buf[3] = 0x10325476U;
+ ctx->buf.i[0] = 0x67452301U;
+ ctx->buf.i[1] = 0xefcdab89U;
+ ctx->buf.i[2] = 0x98badcfeU;
+ ctx->buf.i[3] = 0x10325476U;
ctx->bits[0] = 0;
ctx->bits[1] = 0;
@@ -80,7 +82,7 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign
/* Handle any leading odd-sized chunks */
if (t) {
- unsigned char *p = (unsigned char *) ctx->in + t;
+ unsigned char *p = ctx->in.c + t;
t = 64 - t;
if (len < t) {
@@ -88,24 +90,24 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign
return;
}
memcpy(p, buf, t);
- byteReverse(ctx->in, 16);
- MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ byteReverse(ctx->in.c, 16);
+ MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i);
buf += t;
len -= t;
}
/* Process data in 64-byte chunks */
while (len >= 64) {
- memcpy(ctx->in, buf, 64);
- byteReverse(ctx->in, 16);
- MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ memcpy(ctx->in.c, buf, 64);
+ byteReverse(ctx->in.c, 16);
+ MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i);
buf += 64;
len -= 64;
}
/* Handle any remaining bytes of data. */
- memcpy(ctx->in, buf, len);
+ memcpy(ctx->in.c, buf, len);
}
/*
@@ -122,7 +124,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
/* Set the first char of padding to 0x80. This is safe since there is
always at least one byte free */
- p = ctx->in + count;
+ p = ctx->in.c + count;
*p++ = 0x80;
/* Bytes of padding needed to make 64 bytes */
@@ -132,24 +134,24 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
if (count < 8) {
/* Two lots of padding: Pad the first block to 64 bytes */
memset(p, 0, count);
- byteReverse(ctx->in, 16);
- MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ byteReverse(ctx->in.c, 16);
+ MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i);
/* Now fill the next block with 56 bytes */
- memset(ctx->in, 0, 56);
+ memset(ctx->in.c, 0, 56);
} else {
/* Pad block to 56 bytes */
memset(p, 0, count - 8);
}
- byteReverse(ctx->in, 14);
+ byteReverse(ctx->in.c, 14);
/* Append length in bits and transform */
- memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
+ memcpy(ctx->in.i + 14, ctx->bits, 2*sizeof(uint32));
- MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
- byteReverse((unsigned char *) ctx->buf, 4);
- memcpy(digest, ctx->buf, 16);
- memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */
+ MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i);
+ byteReverse(ctx->buf.c, 4);
+ memcpy(digest, ctx->buf.c, 16);
+ pam_overwrite_object(ctx); /* In case it's sensitive */
}
/* The four core functions - F1 is optimized somewhat */
diff --git a/modules/pam_namespace/md5.h b/modules/pam_namespace/md5.h
index bded3302..501aab4b 100644
--- a/modules/pam_namespace/md5.h
+++ b/modules/pam_namespace/md5.h
@@ -7,9 +7,15 @@
typedef unsigned int uint32;
struct MD5Context {
- uint32 buf[4];
+ union {
+ uint32 i[4];
+ unsigned char c[16] PAM_ATTRIBUTE_ALIGNED(4);
+ } buf;
uint32 bits[2];
- unsigned char in[64] PAM_ATTRIBUTE_ALIGNED(4);
+ union {
+ uint32 i[16];
+ unsigned char c[64] PAM_ATTRIBUTE_ALIGNED(4);
+ } in;
};
#define MD5_DIGEST_LENGTH 16
diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5
index be186c9d..e4e8cfdd 100644
--- a/modules/pam_namespace/namespace.conf.5
+++ b/modules/pam_namespace/namespace.conf.5
@@ -1,13 +1,13 @@
'\" t
.\" Title: namespace.conf
.\" Author: [see the "AUTHORS" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 06/08/2020
+.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+.\" Date: 05/07/2023
.\" Manual: Linux-PAM Manual
-.\" Source: Linux-PAM Manual
+.\" Source: Linux-PAM
.\" Language: English
.\"
-.TH "NAMESPACE\&.CONF" "5" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "NAMESPACE\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -162,7 +162,7 @@ This module also depends on pam_selinux\&.so setting the context\&.
.PP
\fBpam_namespace\fR(8),
\fBpam.d\fR(5),
-\fBpam\fR(8)
+\fBpam\fR(7)
.SH "AUTHORS"
.PP
The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. More features added by Tomas Mraz <tmraz@redhat\&.com>\&.
diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml
index a94b49e2..dcf69732 100644
--- a/modules/pam_namespace/namespace.conf.5.xml
+++ b/modules/pam_namespace/namespace.conf.5.xml
@@ -1,13 +1,10 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="namespace.conf">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="namespace.conf">
<refmeta>
<refentrytitle>namespace.conf</refentrytitle>
<manvolnum>5</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ <refmiscinfo class="source">Linux-PAM</refmiscinfo>
+ <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv>
@@ -16,7 +13,7 @@
</refnamediv>
- <refsect1 id='namespace.conf-description'>
+ <refsect1 xml:id="namespace.conf-description">
<title>DESCRIPTION</title>
<para>
@@ -30,13 +27,29 @@
directory path and the instance directory path as its arguments.
</para>
- <para>
+ <para condition="without_vendordir">
The <filename>/etc/security/namespace.conf</filename> file specifies
which directories are polyinstantiated, how they are polyinstantiated,
how instance directories would be named, and any users for whom
polyinstantiation would not be performed.
</para>
+ <para condition="with_vendordir">
+ The <filename>/etc/security/namespace.conf</filename> file
+ ( or <filename>%vendordir%/security/namespace.conf</filename> if it does
+ not exist) specifies which directories are polyinstantiated, how they are
+ polyinstantiated, how instance directories would be named, and any users
+ for whom polyinstantiation would not be performed.
+ Then individual <filename>*.conf</filename> files from the
+ <filename>/etc/security/namespace.d/</filename> and
+ <filename>%vendordir%/security/namespace.d</filename> directories are taken too.
+ If <filename>/etc/security/namespace.d/@filename@.conf</filename> exists, then
+ <filename>%vendordir%/security/namespace.d/@filename@.conf</filename> will not be used.
+ All <filename>namespace.d/*.conf</filename> files are sorted by their
+ <filename>@filename@.conf</filename> in lexicographic order regardless of which
+ of the directories they reside in.
+ </para>
+
<para>
When someone logs in, the file <filename>namespace.conf</filename> is
scanned. Comments are marked by <emphasis>#</emphasis> characters.
@@ -159,7 +172,7 @@
</refsect1>
- <refsect1 id="namespace.conf-examples">
+ <refsect1 xml:id="namespace.conf-examples">
<title>EXAMPLES</title>
<para>
These are some example lines which might be specified in
@@ -204,20 +217,20 @@
</refsect1>
- <refsect1 id="namespace.conf-see_also">
+ <refsect1 xml:id="namespace.conf-see_also">
<title>SEE ALSO</title>
<para>
<citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
</para>
</refsect1>
- <refsect1 id="namespace.conf-author">
+ <refsect1 xml:id="namespace.conf-author">
<title>AUTHORS</title>
<para>
The namespace.conf manual page was written by Janak Desai &lt;janak@us.ibm.com&gt;.
More features added by Tomas Mraz &lt;tmraz@redhat.com&gt;.
</para>
</refsect1>
-</refentry>
+</refentry> \ No newline at end of file
diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init
index 67d4aa2d..d9053a13 100755
--- a/modules/pam_namespace/namespace.init
+++ b/modules/pam_namespace/namespace.init
@@ -16,7 +16,7 @@ if [ "$3" = 1 ]; then
cp -rT /etc/skel "$homedir"
chown -R "$user":"$gid" "$homedir"
mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs)
- mode=$(printf "%o" $((0777 & ~$mask)))
+ mode=$(printf "%o" $((0777 & ~mask)))
chmod ${mode:-700} "$homedir"
[ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
fi
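Review bot: Dropping the `$` changes what happens when `mask` is empty, i.e. when /etc/login.defs has no UMASK line and the awk on the line above prints nothing: in bash and dash an empty variable inside `$(( ))` evaluates as 0, so `0777 & ~mask` yields 0777 and the freshly copied home directory is chmod'ed 777. With the old spelling the empty expansion made the arithmetic a syntax error, `mode` stayed empty and the `${mode:-700}` fallback on the next line applied, so this hunk turns a safe failure into a world-writable home directory. A non-octal UMASK value is treated as a variable name in arithmetic and collapses to 0 the same way. Validate before the arithmetic, e.g. insert `case "$mask" in ''|*[!0-7]*) mask=077 ;; esac` between the awk and the printf lines, which preserves the 700 default that the fallback was meant to provide.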
diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8
index 6fca41f4..d69f9fd6 100644
--- a/modules/pam_namespace/pam_namespace.8
+++ b/modules/pam_namespace/pam_namespace.8
@@ -1,13 +1,13 @@
'\" t
.\" Title: pam_namespace
.\" Author: [see the "AUTHORS" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 06/08/2020
+.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+.\" Date: 05/07/2023
.\" Manual: Linux-PAM Manual
-.\" Source: Linux-PAM Manual
+.\" Source: Linux-PAM
.\" Language: English
.\"
-.TH "PAM_NAMESPACE" "8" "06/08/2020" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_NAMESPACE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -41,57 +41,57 @@ exists, it is used to initialize the instance directory after it is set up and m
The pam_namespace module disassociates the session namespace from the parent namespace\&. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\&. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\&. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\&.net/Articles/159077 and http://lwn\&.net/Articles/159092\&.
.SH "OPTIONS"
.PP
-\fBdebug\fR
+debug
.RS 4
A lot of debug information is logged using syslog
.RE
.PP
-\fBunmnt_remnt\fR
+unmnt_remnt
.RS 4
For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\&. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\&. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context
.RE
.PP
-\fBunmnt_only\fR
+unmnt_only
.RS 4
For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories
.RE
.PP
-\fBrequire_selinux\fR
+require_selinux
.RS 4
If selinux is not enabled, return failure
.RE
.PP
-\fBgen_hash\fR
+gen_hash
.RS 4
Instead of using the security context string for the instance name, generate and use its md5 hash\&.
.RE
.PP
-\fBignore_config_error\fR
+ignore_config_error
.RS 4
If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\&. Without this option, pam will return an error to the calling program resulting in termination of the session\&.
.RE
.PP
-\fBignore_instance_parent_mode\fR
+ignore_instance_parent_mode
.RS 4
Instance parent directories by default are expected to have the restrictive mode of 000\&. Using this option, an administrator can choose to ignore the mode of the instance parent\&. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\&.
.RE
.PP
-\fBunmount_on_close\fR
+unmount_on_close
.RS 4
Explicitly unmount the polyinstantiated directories instead of relying on automatic namespace destruction after the last process in a namespace exits\&. This option should be used only in case it is ensured by other means that there cannot be any processes running in the private namespace left after the session close\&. It is also useful only in case there are multiple pam session calls in sequence from the same process\&.
.RE
.PP
-\fBuse_current_context\fR
+use_current_context
.RS 4
Useful for services which do not change the SELinux context with setexeccon call\&. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\&.
.RE
.PP
-\fBuse_default_context\fR
+use_default_context
.RS 4
Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\&. The module will use the default SELinux context of the user for the level and context polyinstantiation\&.
.RE
.PP
-\fBmount_private\fR
+mount_private
.RS 4
This option can be used on systems where the / mount point or its submounts are made shared (for example with a
\fBmount \-\-make\-rshared /\fR
@@ -142,43 +142,13 @@ For the <service>s you need polyinstantiation (login for example) put the follow
.PP
session required pam_namespace\&.so [arguments]
.PP
-To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default:
-.PP
-/usr/sbin/gdm\-safe\-restart
-.PP
-This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server\&. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets\&. Please use the initialization script
-/etc/security/namespace\&.init
-to ensure that the X server and its clients can appropriately access the communication socket X0\&. Please refer to the sample instructions provided in the comment section of the instance initialization script
-/etc/security/namespace\&.init\&. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:
-.PP
-.if n \{\
-.RS 4
-.\}
-.nf
- 1\&. Disable the use of font server by commenting out "FontPath"
- line in /etc/X11/xorg\&.conf\&. If you do want to use the font server
- then you will have to augment the instance initialization
- script to appropriately provide /tmp/\&.font\-unix from the
- polyinstantiated /tmp\&.
- 2\&. Ensure that the gdm service is setup to use pam_namespace,
- as described above, by modifying /etc/pam\&.d/gdm\&.
- 3\&. Ensure that the display manager is configured to restart X server
- with each new session\&. This default setup can be verified by
- making sure that /usr/share/gdm/defaults\&.conf contains
- "AlwaysRestartServer=true", and it is not overridden by
- /etc/gdm/custom\&.conf\&.
-
-.fi
-.if n \{\
-.RE
-.\}
-.sp
+To use polyinstantiation with graphical display manager gdm, please refer to gdm\*(Aqs documentation\&.
.SH "SEE ALSO"
.PP
\fBnamespace.conf\fR(5),
\fBpam.d\fR(5),
\fBmount\fR(8),
-\fBpam\fR(8)\&.
+\fBpam\fR(7)\&.
.SH "AUTHORS"
.PP
The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai <janak@us\&.ibm\&.com>, Chad Sellers <csellers@tresys\&.com> and Steve Grubb <sgrubb@redhat\&.com>\&. Additional improvements by Xavier Toth <txtoth@gmail\&.com> and Tomas Mraz <tmraz@redhat\&.com>\&.
diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
index f0f80d33..954093d9 100644
--- a/modules/pam_namespace/pam_namespace.8.xml
+++ b/modules/pam_namespace/pam_namespace.8.xml
@@ -1,16 +1,13 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
-
-<refentry id='pam_namespace'>
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_namespace">
<refmeta>
<refentrytitle>pam_namespace</refentrytitle>
<manvolnum>8</manvolnum>
- <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+ <refmiscinfo class="source">Linux-PAM</refmiscinfo>
+ <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
</refmeta>
- <refnamediv id='pam_namespace-name'>
+ <refnamediv xml:id="pam_namespace-name">
<refname>pam_namespace</refname>
<refpurpose>
PAM module for configuring namespace for a session
@@ -20,46 +17,46 @@
<!-- body begins here -->
<refsynopsisdiv>
- <cmdsynopsis id="pam_namespace-cmdsynopsis">
+ <cmdsynopsis xml:id="pam_namespace-cmdsynopsis" sepchar=" ">
<command>pam_namespace.so</command>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
debug
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
unmnt_remnt
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
unmnt_only
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
require_selinux
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
gen_hash
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
ignore_config_error
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
ignore_instance_parent_mode
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
unmount_on_close
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
use_current_context
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
use_default_context
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
mount_private
</arg>
</cmdsynopsis>
</refsynopsisdiv>
- <refsect1 id="pam_namespace-description">
+ <refsect1 xml:id="pam_namespace-description">
<title>DESCRIPTION</title>
<para>
The pam_namespace PAM module sets up a private namespace for a session
@@ -74,6 +71,12 @@
and the user name as its arguments.
</para>
+ <para condition="with_vendordir">
+ If <filename>/etc/security/namespace.init</filename> does not exist,
+ <filename>%vendordir%/security/namespace.init</filename> is the
+ alternative to be used for it.
+ </para>
+
<para>
The pam_namespace module disassociates the session namespace from
the parent namespace. Any mounts/unmounts performed in the parent
@@ -88,13 +91,13 @@
</refsect1>
- <refsect1 id="pam_namespace-options">
+ <refsect1 xml:id="pam_namespace-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
- <option>debug</option>
+ debug
</term>
<listitem>
<para>
@@ -105,7 +108,7 @@
<varlistentry>
<term>
- <option>unmnt_remnt</option>
+ unmnt_remnt
</term>
<listitem>
<para>
@@ -125,7 +128,7 @@
<varlistentry>
<term>
- <option>unmnt_only</option>
+ unmnt_only
</term>
<listitem>
<para>
@@ -140,7 +143,7 @@
<varlistentry>
<term>
- <option>require_selinux</option>
+ require_selinux
</term>
<listitem>
<para>
@@ -151,7 +154,7 @@
<varlistentry>
<term>
- <option>gen_hash</option>
+ gen_hash
</term>
<listitem>
<para>
@@ -164,7 +167,7 @@
<varlistentry>
<term>
- <option>ignore_config_error</option>
+ ignore_config_error
</term>
<listitem>
<para>
@@ -180,7 +183,7 @@
<varlistentry>
<term>
- <option>ignore_instance_parent_mode</option>
+ ignore_instance_parent_mode
</term>
<listitem>
<para>
@@ -195,7 +198,7 @@
<varlistentry>
<term>
- <option>unmount_on_close</option>
+ unmount_on_close
</term>
<listitem>
<para>
@@ -212,7 +215,7 @@
<varlistentry>
<term>
- <option>use_current_context</option>
+ use_current_context
</term>
<listitem>
<para>
@@ -226,7 +229,7 @@
<varlistentry>
<term>
- <option>use_default_context</option>
+ use_default_context
</term>
<listitem>
<para>
@@ -240,7 +243,7 @@
<varlistentry>
<term>
- <option>mount_private</option>
+ mount_private
</term>
<listitem>
<para>
@@ -265,7 +268,7 @@
</variablelist>
</refsect1>
- <refsect1 id="pam_namespace-types">
+ <refsect1 xml:id="pam_namespace-types">
<title>MODULE TYPES PROVIDED</title>
<para>
Only the <option>session</option> module type is provided.
@@ -273,7 +276,7 @@
</para>
</refsect1>
- <refsect1 id="pam_namespace-return_values">
+ <refsect1 xml:id="pam_namespace-return_values">
<title>RETURN VALUES</title>
<variablelist>
<varlistentry>
@@ -303,33 +306,57 @@
</variablelist>
</refsect1>
- <refsect1 id="pam_namespace-files">
+ <refsect1 xml:id="pam_namespace-files">
<title>FILES</title>
<variablelist>
<varlistentry>
- <term><filename>/etc/security/namespace.conf</filename></term>
+ <term>/etc/security/namespace.conf</term>
<listitem>
<para>Main configuration file</para>
</listitem>
</varlistentry>
+ <varlistentry condition="with_vendordir">
+ <term>%vendordir%/security/namespace.conf</term>
+ <listitem>
+ <para>Default configuration file if
+ <filename>/etc/security/namespace.conf</filename> does not exist.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
- <term><filename>/etc/security/namespace.d</filename></term>
+ <term>/etc/security/namespace.d</term>
<listitem>
<para>Directory for additional configuration files</para>
</listitem>
</varlistentry>
+ <varlistentry condition="with_vendordir">
+ <term>%vendordir%/security/namespace.d</term>
+ <listitem>
+ <para>Directory for additional vendor specific configuration files.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
- <term><filename>/etc/security/namespace.init</filename></term>
+ <term>/etc/security/namespace.init</term>
<listitem>
<para>Init script for instance directories</para>
</listitem>
</varlistentry>
+
+ <varlistentry condition="with_vendordir">
+ <term>%vendordir%/security/namespace.init</term>
+ <listitem>
+ <para>Vendor init script for instance directories if
+ /etc/security/namespace.init does not exist.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
- <refsect1 id="pam_namespace-examples">
+ <refsect1 xml:id="pam_namespace-examples">
<title>EXAMPLES</title>
<para>
@@ -343,50 +370,13 @@
</para>
<para>
- To use polyinstantiation with graphical display manager gdm, insert the
- following line, before exit 0, in /etc/gdm/PostSession/Default:
- </para>
-
- <para>
- /usr/sbin/gdm-safe-restart
- </para>
-
- <para>
- This allows gdm to restart after each session and appropriately adjust
- namespaces of display manager and the X server. If polyinstantiation
- of /tmp is desired along with the graphical environment, then additional
- configuration changes are needed to address the interaction of X server
- and font server namespaces with their use of /tmp to create
- communication sockets. Please use the initialization script
- <filename>/etc/security/namespace.init</filename> to ensure that
- the X server and its clients can appropriately access the
- communication socket X0. Please refer to the sample instructions
- provided in the comment section of the instance initialization script
- <filename>/etc/security/namespace.init</filename>. In addition,
- perform the following changes to use graphical environment with
- polyinstantiation of /tmp:
- </para>
-
- <para>
- <literallayout>
- 1. Disable the use of font server by commenting out "FontPath"
- line in /etc/X11/xorg.conf. If you do want to use the font server
- then you will have to augment the instance initialization
- script to appropriately provide /tmp/.font-unix from the
- polyinstantiated /tmp.
- 2. Ensure that the gdm service is setup to use pam_namespace,
- as described above, by modifying /etc/pam.d/gdm.
- 3. Ensure that the display manager is configured to restart X server
- with each new session. This default setup can be verified by
- making sure that /usr/share/gdm/defaults.conf contains
- "AlwaysRestartServer=true", and it is not overridden by
- /etc/gdm/custom.conf.
- </literallayout>
+ To use polyinstantiation with graphical display manager gdm, please refer
+ to gdm's documentation.
</para>
</refsect1>
- <refsect1 id="pam_namespace-see_also">
+ <refsect1 xml:id="pam_namespace-see_also">
<title>SEE ALSO</title>
<para>
<citerefentry>
@@ -399,12 +389,12 @@
<refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
</citerefentry>.
</para>
</refsect1>
- <refsect1 id="pam_namespace-authors">
+ <refsect1 xml:id="pam_namespace-authors">
<title>AUTHORS</title>
<para>
The namespace setup scheme was designed by Stephen Smalley, Janak Desai
@@ -415,4 +405,4 @@
&lt;tmraz@redhat.com&gt;.
</para>
</refsect1>
-</refentry>
+</refentry>
\ No newline at end of file
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index 63b5c665..ef856443 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -39,6 +39,94 @@
#include "pam_namespace.h"
#include "argv_parse.h"
+/* --- evaluting all files in VENDORDIR/security/namespace.d and /etc/security/namespace.d --- */
+static const char *base_name(const char *path)
+{
+ const char *base = strrchr(path, '/');
+ return base ? base+1 : path;
+}
+
+static int
+compare_filename(const void *a, const void *b)
+{
+ return strcmp(base_name(* (char * const *) a),
+ base_name(* (char * const *) b));
+}
+
+/* Evaluating a list of files which have to be parsed in the right order:
+ *
+ * - If etc/security/namespace.d/@filename@.conf exists, then
+ * %vendordir%/security/namespace.d/@filename@.conf should not be used.
+ * - All files in both namespace.d directories are sorted by their @filename@.conf in
+ * lexicographic order regardless of which of the directories they reside in. */
+static char **read_namespace_dir(struct instance_data *idata)
+{
+ glob_t globbuf;
+ size_t i=0;
+ int glob_rv = glob(NAMESPACE_D_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf);
+ char **file_list;
+ size_t file_list_size = glob_rv == 0 ? globbuf.gl_pathc : 0;
+
+#ifdef VENDOR_NAMESPACE_D_GLOB
+ glob_t globbuf_vendor;
+ int glob_rv_vendor = glob(VENDOR_NAMESPACE_D_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf_vendor);
+ if (glob_rv_vendor == 0)
+ file_list_size += globbuf_vendor.gl_pathc;
+#endif
+ file_list = malloc((file_list_size + 1) * sizeof(char*));
+ if (file_list == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR, "Cannot allocate memory for file list: %m");
+#ifdef VENDOR_NAMESPACE_D_GLOB
+ if (glob_rv_vendor == 0)
+ globfree(&globbuf_vendor);
+#endif
+ if (glob_rv == 0)
+ globfree(&globbuf);
+ return NULL;
+ }
+
+ if (glob_rv == 0) {
+ for (i = 0; i < globbuf.gl_pathc; i++) {
+ file_list[i] = strdup(globbuf.gl_pathv[i]);
+ if (file_list[i] == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR, "strdup failed: %m");
+ break;
+ }
+ }
+ }
+#ifdef VENDOR_NAMESPACE_D_GLOB
+ if (glob_rv_vendor == 0) {
+ for (size_t j = 0; j < globbuf_vendor.gl_pathc; j++) {
+ if (glob_rv == 0 && globbuf.gl_pathc > 0) {
+ int double_found = 0;
+ for (size_t k = 0; k < globbuf.gl_pathc; k++) {
+ if (strcmp(base_name(globbuf.gl_pathv[k]),
+ base_name(globbuf_vendor.gl_pathv[j])) == 0) {
+ double_found = 1;
+ break;
+ }
+ }
+ if (double_found)
+ continue;
+ }
+ file_list[i] = strdup(globbuf_vendor.gl_pathv[j]);
+ if (file_list[i] == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR, "strdup failed: %m");
+ break;
+ }
+ i++;
+ }
+ globfree(&globbuf_vendor);
+ }
+#endif
+ file_list[i] = NULL;
+ qsort(file_list, i, sizeof(char *), compare_filename);
+ if (glob_rv == 0)
+ globfree(&globbuf);
+
+ return file_list;
+}
+
/*
* Adds an entry for a polyinstantiated directory to the linked list of
* polyinstantiated directories. It is called from process_line() while
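Review bot: A strdup() failure in either copy loop only `break`s, so read_namespace_dir() returns a truncated list as if it were complete, and the caller's `filename_list[n] == NULL` test cannot tell that truncation from the normal end of the list — an allocation failure silently drops some of the namespace.d drop-in rules from the session. Since NULL is otherwise returned only for the malloc() failure, freeing what was duplicated so far and returning NULL on this path too keeps NULL meaning "could not build the list", which parse_config_file() can then refuse to proceed on instead of treating it as an empty directory. It also folds the two identical `"strdup failed: %m"` messages into one cleanup path. Separately, the comment on the first line of the hunk reads `evaluting`; `evaluating` is meant.
```c
static char **read_namespace_dir(struct instance_data *idata)
{
	/* … unchanged: glob() of both directories and allocation of file_list … */

	if (glob_rv == 0) {
		for (i = 0; i < globbuf.gl_pathc; i++) {
			file_list[i] = strdup(globbuf.gl_pathv[i]);
			if (file_list[i] == NULL)
				goto fail;
		}
	}
#ifdef VENDOR_NAMESPACE_D_GLOB
	if (glob_rv_vendor == 0) {
		for (size_t j = 0; j < globbuf_vendor.gl_pathc; j++) {
			/* … unchanged: skip vendor files shadowed by a same-named file in NAMESPACE_D_DIR … */
			file_list[i] = strdup(globbuf_vendor.gl_pathv[j]);
			if (file_list[i] == NULL)
				goto fail;
			i++;
		}
	}
#endif
	/* … unchanged: terminate the list, qsort(), globfree() and return … */

fail:
	/* log before freeing so %m still reflects the strdup() failure */
	pam_syslog(idata->pamh, LOG_ERR, "strdup failed: %m");
	while (i > 0)
		free(file_list[--i]);
	free(file_list);
#ifdef VENDOR_NAMESPACE_D_GLOB
	if (glob_rv_vendor == 0)
		globfree(&globbuf_vendor);
#endif
	if (glob_rv == 0)
		globfree(&globbuf);
	return NULL;
}
```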
@@ -624,8 +712,6 @@ static int parse_config_file(struct instance_data *idata)
char *line;
int retval;
size_t len = 0;
- glob_t globbuf;
- const char *oldlocale;
size_t n;
/*
@@ -664,13 +750,16 @@ static int parse_config_file(struct instance_data *idata)
* process_line to process each line.
*/
- memset(&globbuf, '\0', sizeof(globbuf));
- oldlocale = setlocale(LC_COLLATE, "C");
- glob(NAMESPACE_D_GLOB, 0, NULL, &globbuf);
- if (oldlocale != NULL)
- setlocale(LC_COLLATE, oldlocale);
-
confname = PAM_NAMESPACE_CONFIG;
+#ifdef VENDOR_PAM_NAMESPACE_CONFIG
+ /* Check whether PAM_NAMESPACE_CONFIG file is available.
+ * If it does not exist, fall back to VENDOR_PAM_NAMESPACE_CONFIG file. */
+ struct stat buffer;
+ if (stat(confname, &buffer) != 0 && errno == ENOENT) {
+ confname = VENDOR_PAM_NAMESPACE_CONFIG;
+ }
+#endif
+ char **filename_list = read_namespace_dir(idata);
n = 0;
for (;;) {
if (idata->flags & PAMNS_DEBUG)
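Review bot: The stat()-then-fall-back-on-ENOENT block added here is repeated verbatim for the init script in the inst_init() hunk further down (`VENDOR_NAMESPACE_INIT_SCRIPT`), and both leave the policy — only a missing file selects the vendor path, any other stat() error keeps the /etc path so the later open reports the real failure — implicit. A small helper makes that policy explicit in one place and documents it once; parse_config_file() begins and ends outside this hunk.
```c
/* Return FALLBACK when PATH does not exist; any other stat() failure keeps
 * PATH so that the subsequent open reports the real error. */
static const char *existing_or_vendor(const char *path, const char *fallback)
{
	struct stat st;

	if (stat(path, &st) != 0 && errno == ENOENT)
		return fallback;
	return path;
}

	/* … in parse_config_file(), replacing the #ifdef block … */
	confname = PAM_NAMESPACE_CONFIG;
#ifdef VENDOR_PAM_NAMESPACE_CONFIG
	confname = existing_or_vendor(confname, VENDOR_PAM_NAMESPACE_CONFIG);
#endif
```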
@@ -680,7 +769,6 @@ static int parse_config_file(struct instance_data *idata)
if (fil == NULL) {
pam_syslog(idata->pamh, LOG_ERR, "Error opening config file %s",
confname);
- globfree(&globbuf);
free(rhome);
free(home);
return PAM_SERVICE_ERR;
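Review bot: The `return PAM_SERVICE_ERR` here no longer releases the list that read_namespace_dir() allocated, and the same applies to the `"Error processing conf file"` return in the next hunk: the removed `globfree(&globbuf)` covered exactly these two error paths plus the normal exit, but the new free loop was added only at the normal exit, so every config error leaks the duplicated drop-in paths. Putting the loop the normal exit already uses into a static helper and calling it before each early return keeps the three paths in step; parse_config_file() begins and ends outside this hunk.
```c
/* Release a NULL-terminated list from read_namespace_dir(); NULL is a no-op. */
static void free_filename_list(char **filename_list)
{
	if (filename_list == NULL)
		return;
	for (size_t i = 0; filename_list[i] != NULL; i++)
		free(filename_list[i]);
	free(filename_list);
}

	/* … in parse_config_file(), at the fopen() failure … */
	if (fil == NULL) {
		pam_syslog(idata->pamh, LOG_ERR, "Error opening config file %s",
			confname);
		free_filename_list(filename_list);
		free(rhome);
		free(home);
		return PAM_SERVICE_ERR;
	}
	/* … unchanged: per-line loop; the "Error processing conf file" return gets the same free_filename_list() call … */
```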
@@ -698,7 +786,6 @@ static int parse_config_file(struct instance_data *idata)
"Error processing conf file %s line %s", confname, line);
fclose(fil);
free(line);
- globfree(&globbuf);
free(rhome);
free(home);
return PAM_SERVICE_ERR;
@@ -707,14 +794,18 @@ static int parse_config_file(struct instance_data *idata)
fclose(fil);
free(line);
- if (n >= globbuf.gl_pathc)
+ if (filename_list == NULL || filename_list[n] == NULL)
break;
- confname = globbuf.gl_pathv[n];
- n++;
+ confname = filename_list[n++];
+ }
+
+ if (filename_list != NULL) {
+ for (size_t i = 0; filename_list[i] != NULL; i++)
+ free(filename_list[i]);
+ free(filename_list);
}
- globfree(&globbuf);
free(rhome);
free(home);
@@ -797,11 +888,11 @@ static char *md5hash(const char *instname, struct instance_data *idata)
#ifdef WITH_SELINUX
static int form_context(const struct polydir_s *polyptr,
- security_context_t *i_context, security_context_t *origcon,
+ char **i_context, char **origcon,
struct instance_data *idata)
{
int rc = PAM_SUCCESS;
- security_context_t scon = NULL;
+ char *scon = NULL;
security_class_t tclass;
/*
@@ -844,6 +935,12 @@ static int form_context(const struct polydir_s *polyptr,
if (polyptr->method == CONTEXT) {
tclass = string_to_security_class("dir");
+ if (tclass == 0) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Error getting dir security class");
+ freecon(scon);
+ return PAM_SESSION_ERR;
+ }
if (security_compute_member(scon, *origcon, tclass,
i_context) < 0) {
@@ -910,7 +1007,7 @@ static int form_context(const struct polydir_s *polyptr,
*/
#ifdef WITH_SELINUX
static int poly_name(const struct polydir_s *polyptr, char **i_name,
- security_context_t *i_context, security_context_t *origcon,
+ char **i_context, char **origcon,
struct instance_data *idata)
#else
static int poly_name(const struct polydir_s *polyptr, char **i_name,
@@ -921,7 +1018,7 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name,
char *hash = NULL;
enum polymethod pm;
#ifdef WITH_SELINUX
- security_context_t rawcon = NULL;
+ char *rawcon = NULL;
#endif
*i_name = NULL;
@@ -1097,7 +1194,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
int dfd = AT_FDCWD;
int dfd_next;
int save_errno;
- int flags = O_RDONLY;
+ int flags = O_RDONLY | O_DIRECTORY;
int rv = -1;
struct stat st;
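Review bot: Adding `O_DIRECTORY` is what lets the next hunk drop the post-open fstat()/S_ISDIR() check, but nothing in the code says so, and the kernel-side check is the stronger one (non-directories are rejected at open time, so there is no window between open and type check); a comment on the flag keeps the next reader from re-adding the check: `int flags = O_RDONLY | O_DIRECTORY; /* kernel rejects non-directories with ENOTDIR at open, so no fstat()/S_ISDIR() is needed after openat() */`. If that removed fstat() was the only user of `struct stat st` and `save_errno`, both declarations are now unused — the rest of protect_dir() is outside the hunk, so please check for the compiler warning.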
@@ -1151,22 +1248,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
rv = openat(dfd, dir, flags);
}
- if (rv != -1) {
- if (fstat(rv, &st) != 0) {
- save_errno = errno;
- close(rv);
- rv = -1;
- errno = save_errno;
- goto error;
- }
- if (!S_ISDIR(st.st_mode)) {
- close(rv);
- errno = ENOTDIR;
- rv = -1;
- goto error;
- }
- }
-
if (flags & O_NOFOLLOW) {
/* we are inside user-owned dir - protect */
if (protect_mount(rv, p, idata) == -1) {
@@ -1244,16 +1325,17 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
struct instance_data *idata, int newdir)
{
pid_t rc, pid;
- struct sigaction newsa, oldsa;
int status;
const char *init_script = NAMESPACE_INIT_SCRIPT;
- memset(&newsa, '\0', sizeof(newsa));
- newsa.sa_handler = SIG_DFL;
- if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) {
- pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value");
- return PAM_SESSION_ERR;
+#ifdef VENDOR_NAMESPACE_INIT_SCRIPT
+ /* Check whether NAMESPACE_INIT_SCRIPT file is available.
+ * If it does not exist, fall back to VENDOR_NAMESPACE_INIT_SCRIPT file. */
+ struct stat buffer;
+ if (stat(init_script, &buffer) != 0 && errno == ENOENT) {
+ init_script = VENDOR_NAMESPACE_INIT_SCRIPT;
}
+#endif
if ((polyptr->flags & POLYDIR_ISCRIPT) && polyptr->init_script)
init_script = polyptr->init_script;
@@ -1263,9 +1345,17 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_ERR,
"Namespace init script not executable");
- rc = PAM_SESSION_ERR;
- goto out;
+ return PAM_SESSION_ERR;
} else {
+ struct sigaction newsa, oldsa;
+
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) {
+ pam_syslog(idata->pamh, LOG_ERR, "failed to reset SIGCHLD handler");
+ return PAM_SESSION_ERR;
+ }
+
pid = fork();
if (pid == 0) {
static char *envp[] = { NULL };
@@ -1303,13 +1393,13 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
rc = PAM_SESSION_ERR;
goto out;
}
+ rc = PAM_SUCCESS;
+out:
+ (void) sigaction(SIGCHLD, &oldsa, NULL);
+ return rc;
}
}
- rc = PAM_SUCCESS;
-out:
- (void) sigaction(SIGCHLD, &oldsa, NULL);
-
- return rc;
+ return PAM_SUCCESS;
}
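Review bot: The `out:` label now lives inside the nested `else` block, with `rc` declared at function scope but assigned only there and a separate `return PAM_SUCCESS` after the block whose reachability depends on the enclosing `if`, which starts outside the hunk; that is legal C but hard to follow. Moving the SIGCHLD save/restore together with the fork/exec/wait into a helper puts the label at function scope and leaves inst_init() with the script-selection logic only. The helper below keeps the moved statements as they are.
```c
/* Run INIT_SCRIPT for IPATH with SIGCHLD at its default disposition while we
 * wait for it; returns PAM_SUCCESS or PAM_SESSION_ERR. */
static int run_init_script(const char *init_script, const struct polydir_s *polyptr,
			   const char *ipath, struct instance_data *idata, int newdir)
{
	struct sigaction newsa, oldsa;
	pid_t rc, pid;
	int status;

	memset(&newsa, '\0', sizeof(newsa));
	newsa.sa_handler = SIG_DFL;
	if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) {
		pam_syslog(idata->pamh, LOG_ERR, "failed to reset SIGCHLD handler");
		return PAM_SESSION_ERR;
	}
	/* … unchanged: fork(), exec of the script in the child, wait in the parent, `goto out` on error … */
	rc = PAM_SUCCESS;
out:
	(void) sigaction(SIGCHLD, &oldsa, NULL);
	return rc;
}
```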
static int create_polydir(struct polydir_s *polyptr,
@@ -1318,7 +1408,8 @@ static int create_polydir(struct polydir_s *polyptr,
mode_t mode;
int rc;
#ifdef WITH_SELINUX
- security_context_t dircon, oldcon = NULL;
+ char *dircon_raw, *oldcon_raw = NULL;
+ struct selabel_handle *label_handle;
#endif
const char *dir = polyptr->dir;
uid_t uid;
@@ -1331,21 +1422,28 @@ static int create_polydir(struct polydir_s *polyptr,
#ifdef WITH_SELINUX
if (idata->flags & PAMNS_SELINUX_ENABLED) {
- getfscreatecon(&oldcon);
- rc = matchpathcon(dir, S_IFDIR, &dircon);
- if (rc) {
- pam_syslog(idata->pamh, LOG_NOTICE,
- "Unable to get default context for directory %s, check your policy: %m", dir);
- } else {
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG,
- "Polydir %s context: %s", dir, (char *)dircon);
- if (setfscreatecon(dircon) != 0)
+ getfscreatecon_raw(&oldcon_raw);
+
+ label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (!label_handle) {
+ pam_syslog(idata->pamh, LOG_NOTICE,
+ "Unable to initialize SELinux labeling handle: %m");
+ } else {
+ rc = selabel_lookup_raw(label_handle, &dircon_raw, dir, S_IFDIR);
+ if (rc) {
pam_syslog(idata->pamh, LOG_NOTICE,
- "Error setting context for directory %s: %m", dir);
- freecon(dircon);
- }
- matchpathcon_fini();
+ "Unable to get default context for directory %s, check your policy: %m", dir);
+ } else {
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG,
+ "Polydir %s context: %s", dir, dircon_raw);
+ if (setfscreatecon_raw(dircon_raw) != 0)
+ pam_syslog(idata->pamh, LOG_NOTICE,
+ "Error setting context for directory %s: %m", dir);
+ freecon(dircon_raw);
+ }
+ selabel_close(label_handle);
+ }
}
#endif
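Review bot: The return value of `getfscreatecon_raw(&oldcon_raw)` is discarded; if it fails, `oldcon_raw` stays NULL and the `setfscreatecon_raw(oldcon_raw)` in the next hunk resets the process's file-creation context to the default instead of restoring what the caller had. The old getfscreatecon() call had the same gap, but since this hunk rewrites the block it is the place to at least record it: `if (getfscreatecon_raw(&oldcon_raw) < 0) pam_syslog(idata->pamh, LOG_NOTICE, "Unable to get current fs create context: %m");`. Whether falling back to the default context is acceptable depends on the callers of create_polydir(), which are outside the hunk.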
@@ -1358,10 +1456,10 @@ static int create_polydir(struct polydir_s *polyptr,
#ifdef WITH_SELINUX
if (idata->flags & PAMNS_SELINUX_ENABLED) {
- if (setfscreatecon(oldcon) != 0)
+ if (setfscreatecon_raw(oldcon_raw) != 0)
pam_syslog(idata->pamh, LOG_NOTICE,
"Error resetting fs create context: %m");
- freecon(oldcon);
+ freecon(oldcon_raw);
}
#endif
@@ -1413,7 +1511,7 @@ static int create_polydir(struct polydir_s *polyptr,
*/
#ifdef WITH_SELINUX
static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf,
- security_context_t icontext, security_context_t ocontext,
+ const char *icontext, const char *ocontext,
struct instance_data *idata)
#else
static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf,
@@ -1488,6 +1586,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *
if (fstat(fd, &newstatbuf) < 0) {
pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
ipath);
+ close(fd);
rmdir(ipath);
return PAM_SESSION_ERR;
}
@@ -1530,7 +1629,7 @@ static int ns_setup(struct polydir_s *polyptr,
char *instname = NULL;
struct stat statbuf;
#ifdef WITH_SELINUX
- security_context_t instcontext = NULL, origcontext = NULL;
+ char *instcontext = NULL, *origcontext = NULL;
#endif
if (idata->flags & PAMNS_DEBUG)
@@ -1965,7 +2064,7 @@ static int orig_namespace(struct instance_data *idata)
*/
static int ctxt_based_inst_needed(void)
{
- security_context_t scon = NULL;
+ char *scon = NULL;
int rc = 0;
rc = getexeccon(&scon);
diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h
index 3a1e4ba3..a991b4c4 100644
--- a/modules/pam_namespace/pam_namespace.h
+++ b/modules/pam_namespace/pam_namespace.h
@@ -30,7 +30,7 @@
* DEALINGS IN THE SOFTWARE.
*/
-#if !(defined(linux))
+#ifndef __linux__
#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!!
#endif
@@ -68,6 +68,7 @@
#include <selinux/selinux.h>
#include <selinux/get_context_list.h>
#include <selinux/context.h>
+#include <selinux/label.h>
#endif
#ifndef CLONE_NEWNS
@@ -89,15 +90,17 @@
/*
* Module defines
*/
-#ifndef SECURECONF_DIR
-#define SECURECONF_DIR "/etc/security/"
+#define PAM_NAMESPACE_CONFIG (SCONFIGDIR "/namespace.conf")
+#define NAMESPACE_INIT_SCRIPT (SCONFIGDIR "/namespace.init")
+#define NAMESPACE_D_DIR (SCONFIGDIR "/namespace.d/")
+#define NAMESPACE_D_GLOB (SCONFIGDIR "/namespace.d/*.conf")
+#ifdef VENDOR_SCONFIGDIR
+#define VENDOR_NAMESPACE_INIT_SCRIPT (VENDOR_SCONFIGDIR "/namespace.init")
+#define VENDOR_PAM_NAMESPACE_CONFIG (VENDOR_SCONFIGDIR "/namespace.conf")
+#define VENDOR_NAMESPACE_D_DIR (VENDOR_SCONFIGDIR "/namespace.d/")
+#define VENDOR_NAMESPACE_D_GLOB (VENDOR_SCONFIGDIR "/namespace.d/*.conf")
#endif
-#define PAM_NAMESPACE_CONFIG (SECURECONF_DIR "namespace.conf")
-#define NAMESPACE_INIT_SCRIPT (SECURECONF_DIR "namespace.init")
-#define NAMESPACE_D_DIR (SECURECONF_DIR "namespace.d/")
-#define NAMESPACE_D_GLOB (SECURECONF_DIR "namespace.d/*.conf")
-
/* module flags */
#define PAMNS_DEBUG 0x00000100 /* Running in debug mode */
#define PAMNS_SELINUX_ENABLED 0x00000400 /* SELinux is enabled */
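Review bot: The new macros concatenate `SCONFIGDIR` with no fallback, whereas the old block defaulted `SECURECONF_DIR` to `"/etc/security/"`; a build that does not define SCONFIGDIR (presumably it comes from config.h, which is not visible here) now fails at the first use with an unhelpful "undeclared identifier" rather than a message naming the cause. A guard before the first use makes the dependency explicit: `#ifndef SCONFIGDIR`, `#error "SCONFIGDIR must be defined by the build configuration"`, `#endif`.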
diff --git a/modules/pam_namespace/pam_namespace_helper.8 b/modules/pam_namespace/pam_namespace_helper.8
index 88fbe71f..317cddc8 100644
--- a/modules/pam_namespace/pam_namespace_helper.8
+++ b/modules/pam_namespace/pam_namespace_helper.8
@@ -1,13 +1,13 @@
'\" t
.\" Title: pam_namespace_helper
.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 06/08/2020
+.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+.\" Date: 05/07/2023
.\" Manual: Linux-PAM Manual
-.\" Source: Linux-PAM Manual
+.\" Source: Linux-PAM
.\" Language: English
.\"
-.TH "PAM_NAMESPACE_HELPER" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_NAMESPACE_HELPER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_namespace/pam_namespace_helper.8.xml b/modules/pam_namespace/pam_namespace_helper.8.xml
index 2f5adbed..002c254a 100644
--- a/modules/pam_namespace/pam_namespace_helper.8.xml
+++ b/modules/pam_namespace/pam_namespace_helper.8.xml
@@ -1,27 +1,24 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_namespace_helper">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_namespace_helper">
<refmeta>
<refentrytitle>pam_namespace_helper</refentrytitle>
<manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ <refmiscinfo class="source">Linux-PAM</refmiscinfo>
+ <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
</refmeta>
- <refnamediv id="pam_namespace_helper-name">
+ <refnamediv xml:id="pam_namespace_helper-name">
<refname>pam_namespace_helper</refname>
<refpurpose>Helper binary that creates home directories</refpurpose>
</refnamediv>
<refsynopsisdiv>
- <cmdsynopsis id="pam_namespace_helper-cmdsynopsis">
+ <cmdsynopsis xml:id="pam_namespace_helper-cmdsynopsis" sepchar=" ">
<command>pam_namespace_helper</command>
</cmdsynopsis>
</refsynopsisdiv>
- <refsect1 id="pam_namespace_helper-description">
+ <refsect1 xml:id="pam_namespace_helper-description">
<title>DESCRIPTION</title>
@@ -43,7 +40,7 @@
</para>
</refsect1>
- <refsect1 id='pam_namespace_helper-see_also'>
+ <refsect1 xml:id="pam_namespace_helper-see_also">
<title>SEE ALSO</title>
<para>
<citerefentry>
@@ -52,11 +49,11 @@
</para>
</refsect1>
- <refsect1 id='pam_namespace_helper-author'>
+ <refsect1 xml:id="pam_namespace_helper-author">
<title>AUTHOR</title>
<para>
Written by Topi Miettinen.
</para>
</refsect1>
-</refentry>
+</refentry>
\ No newline at end of file