Red Hat Bugzilla – Attachment 156136 Details for
Bug 242578
pam_namespace uses wrong users namespace
pam-0.99.6.2-namespace-wrong-user-ns.patch (text/plain), 13.61 KB, created by
Ted X Toth
on 2007-06-04 21:35:59 UTC
Description:
patch
Filename:
MIME Type:
Creator:
Ted X Toth
Created:
2007-06-04 21:35:59 UTC
Size:
13.61 KB
patch
obsolete
>--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2007-05-26 13:58:26.000000000 -0500
>+++ Linux-PAM-0.99.6.2.new3/modules/pam_namespace/pam_namespace.c 2007-06-05 01:52:35.000000000 -0500
>@@ -362,7 +362,7 @@
> * Extract the user's home directory to resolve $HOME entries
> * in the namespace configuration file.
> */
>- cpwd = getpwnam(idata->user);
>+ cpwd = pam_modutil_getpwnam(idata->pamh, idata->user);
> if (!cpwd) {
> pam_syslog(idata->pamh, LOG_ERR,
> "Error getting home dir for '%s'", idata->user);
>@@ -1124,47 +1124,23 @@
> * cycles through all polyinstantiated directory entries and calls
> * ns_setup to setup polyinstantiation for each one of them.
> */
>-static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt)
>+static int setup_namespace(struct instance_data *idata, struct instance_data *rdata, enum unmnt_op unmnt)
> {
> int retval = 0, need_poly = 0, changing_dir = 0;
> char *cptr, *fptr, poly_parent[PATH_MAX];
>- struct polydir_s *pptr;
>- uid_t req_uid;
>- const void *ruser_name;
>- struct passwd *pwd;
>+ struct polydir_s *pptr, *rpptr;
>
> if (idata->flags & PAMNS_DEBUG)
> pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d",
> getpid());
>-
>- retval = pam_get_item(idata->pamh, PAM_RUSER, &ruser_name);
>- if (ruser_name == NULL || retval != PAM_SUCCESS) {
>- retval = PAM_SUCCESS;
>- req_uid = getuid();
>- } else {
>- if (ruser_name != NULL && idata->flags & PAMNS_DEBUG)
>- pam_syslog(idata->pamh, LOG_DEBUG,
>- "PAM_RUSER %s",
>- ruser_name);
>- pwd = pam_modutil_getpwnam(idata->pamh, ruser_name);
>- if (pwd != NULL) {
>- if (idata->flags & PAMNS_DEBUG)
>- pam_syslog(idata->pamh, LOG_DEBUG,
>- "PAM_RUSER uid %d",
>- pwd->pw_uid);
>- req_uid = pwd->pw_uid;
>- } else {
>- req_uid = getuid();
>- }
>- }
>-
> /*
> * Cycle through all polyinstantiated directory entries to see if
> * polyinstantiation is needed at all.
> */
>+ rpptr = rdata->polydirs_ptr;
> for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
> if (ns_override(pptr, idata, idata->uid)) {
>- if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
>+ if (unmnt == NO_UNMNT || (rdata->polydirs_ptr && ns_override(rpptr, rdata, rdata->uid))) {
> if (idata->flags & PAMNS_DEBUG)
> pam_syslog(idata->pamh, LOG_DEBUG,
> "Overriding poly for user %d for dir %s",
>@@ -1186,6 +1162,8 @@
> need_poly = 1;
> break;
> }
>+ if (rdata->polydirs_ptr)
>+ rpptr = rpptr->next;
> }
>
> /*
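Review bot: The lockstep walk of `rpptr` over `rdata->polydirs_ptr` guards on the list head, not on `rpptr` itself, so `ns_override(rpptr, rdata, rdata->uid)` dereferences NULL as soon as the requester's list is shorter than the session user's, and nothing in the hunk establishes that the two `parse_config_file` results have the same length or order. The same head-only guard is reused in the second loop (@@ -1205, @@ -1220) and in front of `cwd_in(rpptr->dir, rdata)` and `umount(rpptr->dir)` (@@ -1249). Changing the condition to `(rpptr && ns_override(rpptr, rdata, rdata->uid))` and the advance to `if (rpptr) rpptr = rpptr->next;` keeps the walk memory-safe; matching the requester entry by `pptr->dir` instead of by position would remove the positional assumption altogether. The loop body between the two hunks is outside the view; if it still ends the override branch with `continue;`, that branch also bypasses the new advance at the bottom of the loop, so `rpptr` falls behind `pptr`.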
>@@ -1205,10 +1183,11 @@
> * Again cycle through all polyinstantiated directories, this time,
> * call ns_setup to setup polyinstantiation for a particular entry.
> */
>+ rpptr = rdata->polydirs_ptr;
> for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
> enum unmnt_op dir_unmnt = unmnt;
> if (ns_override(pptr, idata, idata->uid)) {
>- if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
>+ if (unmnt == NO_UNMNT || (rdata->polydirs_ptr && ns_override(rpptr, rdata, rdata->uid))) {
> continue;
> } else {
> dir_unmnt = UNMNT_ONLY;
>@@ -1220,12 +1199,13 @@
> idata->uid, pptr->dir);
>
> if ((dir_unmnt == UNMNT_REMNT) || (dir_unmnt == UNMNT_ONLY)) {
>+ if (rdata->polydirs_ptr && !ns_override(rpptr, rdata, rdata->uid)) {
> /*
> * Check to see if process current directory is in the
> * bind mounted instance_parent directory that we are trying to
> * umount
> */
>- if ((changing_dir = cwd_in(pptr->dir, idata)) < 0) {
>+ if ((changing_dir = cwd_in(rpptr->dir, rdata)) < 0) {
> return PAM_SESSION_ERR;
> } else if (changing_dir) {
> if (idata->flags & PAMNS_DEBUG)
>@@ -1237,7 +1217,7 @@
> * directory where original contents of the polydir
> * are available from
> */
>- strcpy(poly_parent, pptr->dir);
>+ strcpy(poly_parent, rpptr->dir);
> fptr = strchr(poly_parent, '/');
> cptr = strrchr(poly_parent, '/');
> if (fptr && cptr && (fptr == cptr))
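Review bot: The `continue;` kept in the override branch of the second loop bypasses the `rpptr = rpptr->next` advance that this patch adds at the bottom of the loop body (hunk @@ -1249), so from the first overridden entry on `rpptr` lags one position behind `pptr`, and every later `ns_override(rpptr, …)`, `cwd_in(rpptr->dir, rdata)` and `strcpy(poly_parent, rpptr->dir)` operates on the wrong requester entry. Advancing both pointers in the loop header keeps them in step regardless of `continue`: `for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next, rpptr = rpptr ? rpptr->next : NULL) {`. The new `if (rdata->polydirs_ptr && !ns_override(rpptr, rdata, rdata->uid))` in @@ -1220 likewise tests the list head rather than `rpptr`, which is the pointer dereferenced on the following lines. setup_namespace's body continues past this hunk.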
>@@ -1249,24 +1229,28 @@
> "Can't chdir to %s, %m", poly_parent);
> }
> }
>-
>- if (umount(pptr->dir) < 0) {
>- int saved_errno = errno;
>+
>+ if (umount(rpptr->dir) < 0) {
>+ int saved_errno = errno;
> if (saved_errno != EINVAL) {
>- pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m",
>- pptr->dir);
>+ pam_syslog(idata->pamh, LOG_ERR,
>+ "Unmount of %s failed, %m",
>+ rpptr->dir);
> return PAM_SESSION_ERR;
> }
> } else if (idata->flags & PAMNS_DEBUG)
> pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
>- pptr->dir);
>- }
>+ rpptr->dir);
>
>- if (dir_unmnt != UNMNT_ONLY) {
>+ }
>+ }
>+ if (dir_unmnt != UNMNT_ONLY && !ns_override(pptr, idata, idata->uid)) {
> retval = ns_setup(pptr, idata);
> if (retval != PAM_SUCCESS)
> break;
> }
>+ if (rdata->polydirs_ptr)
>+ rpptr = rpptr->next;
> }
>
> return retval;
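Review bot: When `rdata->polydirs_ptr` is NULL (PAM_RUSER unset, which open_session tolerates) the `if (rdata->polydirs_ptr && …)` wrapper opened in @@ -1220 skips the whole `umount(rpptr->dir)` block, so an entry that reached `UNMNT_ONLY` is neither unmounted nor set up; before this patch the unmount still ran, with `req_uid` falling back to `getuid()`. If leaving the existing instance mounted in that case is intended, say so where the block is skipped, e.g. `/* no requester polydir list: leave any existing mounts untouched */`; otherwise the `getuid()` fallback needs to be rebuilt for rdata. The added `!ns_override(pptr, idata, idata->uid)` on the `ns_setup` condition repeats the lookup already made at the top of the iteration (@@ -1205); storing that first result in a local, `int overridden = ns_override(pptr, idata, idata->uid);`, avoids the second call and keeps the two decisions consistent.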
>@@ -1338,6 +1322,58 @@
> }
> #endif
>
>+static int setup_instance_data(struct instance_data *idata, int item_type)
>+{
>+ int retval;
>+ char *user_name;
>+ struct passwd *pwd;
>+
>+ if (idata->flags & PAMNS_DEBUG)
>+ pam_syslog(idata->pamh, LOG_DEBUG, "setup_instance_data for pid %d",
>+ getpid());
>+ /*
>+ * Lookup user and fill struct items
>+ */
>+ retval = pam_get_item(idata->pamh, item_type, (void*) &user_name );
>+ if ( user_name == NULL || retval != PAM_SUCCESS ) {
>+ pam_syslog(idata->pamh, LOG_ERR, "No pam user name");
>+ idata->user = NULL;
>+ return PAMNS_NO_PAM_USER;
>+ }
>+ if (idata->flags & PAMNS_DEBUG)
>+ pam_syslog(idata->pamh, LOG_DEBUG, "setup_instance_data for user %s",
>+ user_name);
>+
>+ pwd = pam_modutil_getpwnam(idata->pamh, user_name);
>+ if (!pwd) {
>+ pam_syslog(idata->pamh, LOG_ERR, "user unknown '%s'", user_name);
>+ return PAMNS_UNKNOWN_USER;
>+ }
>+
>+ if (idata->flags & PAMNS_DEBUG)
>+ pam_syslog(idata->pamh, LOG_DEBUG, "setup_instance_data for uid %d",
>+ pwd->pw_uid);
>+ /*
>+ * Add the user info to the instance data so we can refer to them later.
>+ */
>+ idata->user = user_name;
>+ idata->uid = pwd->pw_uid;
>+
>+ /*
>+ * Parse namespace configuration file which lists directories to
>+ * polyinstantiate, directory where instance directories are to
>+ * be created and the method used for polyinstantiation.
>+ */
>+ retval = parse_config_file(idata);
>+ if (retval != PAM_SUCCESS) {
>+ del_polydir_list(idata->polydirs_ptr);
>+ return PAMNS_PARSE_CONFIG_ERROR;
>+ }
>+ if (idata->flags & PAMNS_DEBUG)
>+ pam_syslog(idata->pamh, LOG_DEBUG, "setup_instance_data for %s returning %d",
>+ user_name, retval);
>+ return retval;
>+}
>
> /*
> * Entry point from pam_open_session call.
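Review bot: `setup_instance_data` returns `PAMNS_NO_PAM_USER`, `PAMNS_UNKNOWN_USER` and `PAMNS_PARSE_CONFIG_ERROR` (1–3) through the same `int` as `PAM_SUCCESS`, and 1–3 are the PAM status values PAM_OPEN_ERR, PAM_SYMBOL_ERR and PAM_SERVICE_ERR, so a caller that passes the value straight out (close_session does, @@ -1487) reports an unrelated PAM error. The function has no header comment; one that fixes the contract would prevent that, e.g. `/* Fill idata from the PAM item item_type and parse the config; returns PAM_SUCCESS or a PAMNS_* code, never a PAM status. */`. After `del_polydir_list(idata->polydirs_ptr)` the pointer is left dangling, so add `idata->polydirs_ptr = NULL;` there to keep a later `del_polydir_list` from freeing it twice. The `(void*) &user_name` cast is carried over from the removed code; declaring `const char *user_name` and passing `(const void **) &user_name` matches what `pam_get_item` hands back.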
>@@ -1347,14 +1383,16 @@
> {
> int i, retval;
> struct instance_data idata;
>- char *user_name;
>- struct passwd *pwd;
>+ struct instance_data rdata;
> enum unmnt_op unmnt = NO_UNMNT;
>
> /* init instance data */
> idata.flags = 0;
> idata.polydirs_ptr = NULL;
> idata.pamh = pamh;
>+ rdata.flags = 0;
>+ rdata.polydirs_ptr = NULL;
>+ rdata.pamh = pamh;
> #ifdef WITH_SELINUX
> if (is_selinux_enabled())
> idata.flags |= PAMNS_SELINUX_ENABLED;
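Review bot: `rdata` is initialised member by member, which leaves `rdata.user` and `rdata.uid` indeterminate, and `rdata.flags = 0` is overwritten by `rdata.flags = idata.flags` later in the same function (@@ -1391). Zeroing the whole struct once, `memset(&rdata, 0, sizeof rdata); rdata.pamh = pamh;` (or `struct instance_data rdata = { .pamh = pamh };` if the project builds as C99), covers the members `setup_instance_data` does not set when it returns `PAMNS_NO_PAM_USER` and drops the redundant assignment. The same pattern is repeated for `rdata` in close_session (@@ -1449).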
>@@ -1391,52 +1429,39 @@
> if (idata.flags & PAMNS_DEBUG)
> pam_syslog(idata.pamh, LOG_DEBUG, "open_session - start");
>
>- /*
>- * Lookup user and fill struct items
>- */
>- retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
>- if ( user_name == NULL || retval != PAM_SUCCESS ) {
>- pam_syslog(idata.pamh, LOG_ERR, "Error recovering pam user name");
>- return PAM_SESSION_ERR;
>- }
>-
>- pwd = getpwnam(user_name);
>- if (!pwd) {
>- pam_syslog(idata.pamh, LOG_ERR, "user unknown '%s'", user_name);
>+ retval = setup_instance_data(&idata, PAM_USER);
>+ if (retval)
> return PAM_SESSION_ERR;
>- }
>-
>- /*
>- * Add the user info to the instance data so we can refer to them later.
>- */
>- idata.user = user_name;
>- idata.uid = pwd->pw_uid;
>
>+ rdata.flags = idata.flags;
> /*
>- * Parse namespace configuration file which lists directories to
>- * polyinstantiate, directory where instance directories are to
>- * be created and the method used for polyinstantiation.
>- */
>- retval = parse_config_file(&idata);
>- if (retval != PAM_SUCCESS) {
>- del_polydir_list(idata.polydirs_ptr);
>+ setup pam requesters polyinstantiated directories structure
>+ */
>+ retval = setup_instance_data(&rdata, PAM_RUSER);
>+ if (retval != PAMNS_NO_PAM_USER && retval != PAM_SUCCESS) {
> return PAM_SESSION_ERR;
> }
>
> if (idata.polydirs_ptr) {
>- retval = setup_namespace(&idata, unmnt);
>- if (idata.flags & PAMNS_DEBUG) {
>- if (retval)
>- pam_syslog(idata.pamh, LOG_DEBUG,
>- "namespace setup failed for pid %d", getpid());
>- else
>- pam_syslog(idata.pamh, LOG_DEBUG,
>- "namespace setup ok for pid %d", getpid());
>- }
>- } else if (idata.flags & PAMNS_DEBUG)
>+ retval = setup_namespace(&idata, &rdata, unmnt);
>+ } else if (idata.flags & PAMNS_DEBUG) {
>+ // How about if the requester mounts need to be undone?????
> pam_syslog(idata.pamh, LOG_DEBUG, "Nothing to polyinstantiate");
>+ return PAM_SUCCESS;
>+ }
>+
>+ if (rdata.polydirs_ptr)
>+ del_polydir_list(rdata.polydirs_ptr);
>
> del_polydir_list(idata.polydirs_ptr);
>+ if (idata.flags & PAMNS_DEBUG) {
>+ if (retval)
>+ pam_syslog(idata.pamh, LOG_DEBUG,
>+ "namespace setup failed for pid %d", getpid());
>+ else
>+ pam_syslog(idata.pamh, LOG_DEBUG,
>+ "namespace setup ok for pid %d", getpid());
>+ }
> return retval;
> }
>
>@@ -1449,13 +1474,16 @@
> {
> int i, retval;
> struct instance_data idata;
>- char *user_name;
>- struct passwd *pwd;
>+ struct instance_data rdata;
>+ enum unmnt_op unmnt = NO_UNMNT;
>
> /* init instance data */
> idata.flags = 0;
> idata.polydirs_ptr = NULL;
> idata.pamh = pamh;
>+ rdata.flags = 0;
>+ rdata.polydirs_ptr = NULL;
>+ rdata.pamh = pamh;
> #ifdef WITH_SELINUX
> if (is_selinux_enabled())
> idata.flags |= PAMNS_SELINUX_ENABLED;
>@@ -1465,13 +1493,16 @@
>
> /* Parse arguments. */
> for (i = 0; i < argc; i++) {
>- if (strcmp(argv[i], "debug") == 0)
>+ if (strcmp(argv[i], "debug") == 0)
> idata.flags |= PAMNS_DEBUG;
> if (strcmp(argv[i], "ignore_config_error") == 0)
> idata.flags |= PAMNS_IGN_CONFIG_ERR;
> if (strcmp(argv[i], "no_unmount_on_close") == 0)
> idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE;
>+ if (strcmp(argv[i], "unmnt_remnt") == 0)
>+ unmnt = UNMNT_REMNT;
> }
>+ rdata.flags = idata.flags;
>
> if (idata.flags & PAMNS_DEBUG)
> pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
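Review bot: When `idata.polydirs_ptr` is NULL and debug is off, `retval` still holds the result of `setup_instance_data(&rdata, PAM_RUSER)`, which the preceding check deliberately lets through as `PAMNS_NO_PAM_USER` (1), and that value is then returned from pam_sm_open_session, where 1 is PAM_OPEN_ERR; a session with nothing to polyinstantiate and no PAM_RUSER therefore fails. The debug-only `return PAM_SUCCESS;` in the same branch also skips the `del_polydir_list(rdata.polydirs_ptr)` below it, leaking the requester's list, and the `// How about if the requester mounts need to be undone?????` line is a C++-style comment holding an open question rather than a statement of behaviour; replace it with `/* TODO: decide whether requester mounts must be undone when the session user has no polydirs */`. Note too that a PAM_RUSER value with no passwd entry now fails the session with `PAM_SESSION_ERR`, where the removed code fell back to `getuid()`; that is a policy change worth a sentence in the module documentation. The tail of the function can be made correct on every path by giving the no-polydir branch its own status and freeing both lists before the single return:
```c
	if (idata.polydirs_ptr) {
		retval = setup_namespace(&idata, &rdata, unmnt);
	} else {
		/* TODO: decide whether requester mounts must be undone here */
		retval = PAM_SUCCESS;
		if (idata.flags & PAMNS_DEBUG)
			pam_syslog(idata.pamh, LOG_DEBUG, "Nothing to polyinstantiate");
	}

	if (rdata.polydirs_ptr)
		del_polydir_list(rdata.polydirs_ptr);
	del_polydir_list(idata.polydirs_ptr);
	/* … unchanged: debug "namespace setup failed/ok" logging … */
	return retval;
```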
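Review bot: In close_session `unmnt` is declared and set from the new `unmnt_remnt` option, and `rdata` is initialised and given `flags`, but nothing in these hunks (@@ -1449, @@ -1465) reads either; whether they reach the unmount path further down the function, which is outside the hunk, cannot be seen here. If they do, a comment at the declaration, e.g. `/* unmnt and rdata are consumed by the unmount path below */`, makes the data flow explicit; if they do not, `unmnt` is dead state that `-Wunused-variable` will flag and `rdata` can go. A new module argument such as `unmnt_remnt` also needs an entry in the module's option documentation.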
>@@ -1487,41 +1518,13 @@
> * argument.
> */
> if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
>- pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
>+ pam_syslog(idata.pamh, LOG_DEBUG, "close_session - successful");
> return PAM_SUCCESS;
> }
>
>- /*
>- * Lookup user and fill struct items
>- */
>- retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
>- if ( user_name == NULL || retval != PAM_SUCCESS ) {
>- pam_syslog(idata.pamh, LOG_ERR, "Error recovering pam user name");
>- return PAM_SESSION_ERR;
>- }
>-
>- pwd = getpwnam(user_name);
>- if (!pwd) {
>- pam_syslog(idata.pamh, LOG_ERR, "user unknown '%s'", user_name);
>- return PAM_SESSION_ERR;
>- }
>-
>- /*
>- * Add the user info to the instance data so we can refer to them later.
>- */
>- idata.user = user_name;
>- idata.uid = pwd->pw_uid;
>-
>- /*
>- * Parse namespace configuration file which lists directories that
>- * are polyinstantiated, directories where instance directories are
>- * created and the method used for polyinstantiation.
>- */
>- retval = parse_config_file(&idata);
>- if ((retval != PAM_SUCCESS) || !idata.polydirs_ptr) {
>- del_polydir_list(idata.polydirs_ptr);
>- return PAM_SESSION_ERR;
>- }
>+ retval = setup_instance_data(&idata, PAM_USER);
>+ if (retval)
>+ return retval;
>
> if (idata.flags & PAMNS_DEBUG)
> pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d",
>--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2007-05-26 13:58:26.000000000 -0500
>+++ Linux-PAM-0.99.6.2.new3/modules/pam_namespace/pam_namespace.h 2007-06-05 01:46:08.000000000 -0500
>@@ -64,6 +64,7 @@
> #ifdef WITH_SELINUX
> #include <selinux/selinux.h>
> #include <selinux/context.h>
>+#include <selinux/get_context_list.h>
> #endif
>
> #ifndef CLONE_NEWNS
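Review bot: `if (retval) return retval;` passes the module-private `PAMNS_*` codes (1–3) out of pam_sm_close_session as the PAM status, and those values are PAM_OPEN_ERR, PAM_SYMBOL_ERR and PAM_SERVICE_ERR; the removed code returned `PAM_SESSION_ERR` here, and open_session (@@ -1391) still maps the same failures to it. Keep that mapping: `if (retval) return PAM_SESSION_ERR;`. The removed `|| !idata.polydirs_ptr` condition has no replacement, so close_session now proceeds with an empty list where it previously returned `PAM_SESSION_ERR`; if an empty list is now acceptable on close, state it at the call, e.g. `/* an empty polydir list is not an error on close: nothing to unmount */`. The rest of close_session lies outside the hunk.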
>@@ -91,6 +92,10 @@
> #define PAMNS_USER_DEFAULT_CONTEXT_FALLBACK 0x00020000 /* if getexeccon fails use user default context */
> #define PAMNS_SU_GETCON 0x00040000 /* if called from 'su' use getcon for context */
>
>+#define PAMNS_NO_PAM_USER 1
>+#define PAMNS_UNKNOWN_USER 2
>+#define PAMNS_PARSE_CONFIG_ERROR 3
>+
> #define NAMESPACE_MAX_DIR_LEN 80
>
> /*
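Review bot: `PAMNS_NO_PAM_USER`, `PAMNS_UNKNOWN_USER` and `PAMNS_PARSE_CONFIG_ERROR` are placed among the `PAMNS_*` flag bits but are a different kind of value (a result code, not a flag), and 1, 2 and 3 coincide with the PAM status values PAM_OPEN_ERR, PAM_SYMBOL_ERR and PAM_SERVICE_ERR, which is what lets the `return retval;` in close_session (@@ -1487) misreport. A scoped enum with its own comment keeps them apart from both the flag bits and PAM statuses: `/* setup_instance_data() results; never a PAM status, callers must map them */` followed by `enum { PAMNS_NO_PAM_USER = 1, PAMNS_UNKNOWN_USER, PAMNS_PARSE_CONFIG_ERROR };`. The neighbouring flag defines each carry a trailing comment; the new ones have none.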