Bug 1125110
| Summary: | pam_namespace usage is not consistent across system-wide PAM configuration | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | (GalaxyMaster) <gm.outside+redhat> | |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> | |
| Status: | CLOSED ERRATA | QA Contact: | Stanislav Zidek <szidek> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 7.2 | CC: | jjelen, ksrot, plautrba, tmraz | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | openssh-6.6.1p1-13.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1250069 (view as bug list) | Environment: | ||
| Last Closed: | 2015-11-19 08:02:11 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
|
Description
(GalaxyMaster)
2014-07-31 04:43:45 UTC
It is also worth to mention that pam_namespace's documentation is poor. For example, instead of asking the user to create the instance parent directory and chmod'ing it to 0, /etc/security/namespace.conf could be tweaked to use 'level:create=0,root,root' instead of just 'level' -- this way pam_namespace would take care of creating the instance parent directory itself. This would have to be reported against all the packages that ship the pam configuration without the pam_namespace. Reassigning to openssh, but it should be reported also against the other packages that miss pam_namespace call. Actually it could have been fixed in the pam package (e.g. by moving pam_namespace into system-auth - this would have enabled pam_namespace for everything). However, this could break su (if it's a SELinux enabled system), so a fix for su would have been required too. Personally, I'd go this route since it's more systematic. After discussion with Tomas it seems reasonable to add this module into pam.d in this way and use for rhel-7.2.
But it doesn't change the thing that your configuration is wrong. If I try your proposed reproducer, I'm running into
> pam_namespace(sshd:session): Error creating or accessing instance parent , No such file or directory
You need at least specify slash after /tmp/
--- /etc/pam.d/sshd.orig 2015-03-31 13:40:35.333000000 +0200
+++ /etc/pam.d/sshd 2015-03-31 13:41:08.020000000 +0200
@@ -10,6 +10,7 @@
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
+session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
Well, after reviewing the reproduction steps and trying it on a VM I found the following error in step 1: 1. echo "/tmp /tmp-inst level root,adm" /etc/security/namespace.d/local.conf this line meant to be: 1. echo "/tmp /tmp-inst/ level root,adm" > /etc/security/namespace.d/local.conf So, the ending slash should have been put _after_ instance parent directory (the error message from pam_namespace is a bit cryptic, but what pam_namespace is doing behind the scenes is concatenating the parent directory with the computed user name and level to form a directory it is going to mount). Another bug was that somehow the redirection character was lost when I submitted the original request. I've just double checked that the reproducer works with the above adjustments. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2088.html |