From 59812d1cf1127a1af65b530addff76be767092b1 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Fri, 10 May 2019 22:11:40 +0300
Subject: pam_namespace: secure tmp-inst directories

When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace creates subdirectories with fixed name tmp-inst. These paths should be secured as early as possible to avoid that somehow these directories could created and controlled by for example a malicious user or service. Ship a systemd service, which creates the directories early in boot sequence with correct permissions and ownership.
Closes #111.
Signed-off-by: Topi Miettinen
---
modules/pam_namespace/pam_namespace.service.in | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 modules/pam_namespace/pam_namespace.service.in
(limited to 'modules/pam_namespace/pam_namespace.service.in')
diff --git a/modules/pam_namespace/pam_namespace.service.in b/modules/pam_namespace/pam_namespace.service.in
new file mode 100644
index 00000000..e2311917
--- /dev/null
+++ b/modules/pam_namespace/pam_namespace.service.in
@@ -0,0 +1,11 @@
+[Unit]
+After=local-fs.target
+Before=multi-user.target shutdown.target
+Conflicts=shutdown.target
+DefaultDependencies=no
+Description=Make sure parent directories configured in @SCONFIGDIR@/namespace.conf for polyinstantiation exist
+Documentation=man:pam_namespace(8)
+
+[Service]
+ExecStart=@sbindir@/pam_namespace_helper
+Type=oneshot
--
cgit v1.2.3
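Review bot: `Before=multi-user.target` in the `[Unit]` section only orders this unit ahead of the target itself, so services pulled in by multi-user.target can still start in parallel with `pam_namespace_helper`, and the window the commit message wants to close stays open until the helper finishes. Ordering the unit ahead of ordinary services, for example `Before=sysinit.target shutdown.target`, would narrow that window, provided every parent directory named in namespace.conf lives on a filesystem that local-fs.target has already mounted. The file also has no `[Install]` section, so nothing visible here pulls the unit into the boot transaction; unless another part of the commit (this page is limited to one path) adds a Wants= link, an `[Install]` section with `WantedBy=sysinit.target` (or whichever target is chosen above) is needed for the hardening to take effect. A one-line `#` comment above `DefaultDependencies=no` explaining why the default dependencies are dropped would also help later maintainers.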