Bug 1861841

Summary: The information about GDM and polyinstantiation in the pam_namespace manual page is incorrect and outdated.
Product: Red Hat Enterprise Linux 8
Reporter: Carlos Santos <casantos>
Component: pam
Assignee: Iker Pedrosa <ipedrosa>
Status: CLOSED ERRATA
QA Contact: shridhar <sgadekar>
Severity: low
Docs Contact:
Priority: low
Version: 8.2
CC: dapospis, dlavu, pbrezina, sgadekar, sgoveas
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: pam-1.3.1-13.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-18 14:59:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Carlos Santos 2020-07-29 17:24:27 UTC
Description of problem:

The information about GDM and polyinstantiation in the EXAMPLES section is
incorrect and outdated.

- There is no /usr/sbin/gdm-safe-restart in RHEL
- GDM does not recognize an AlwaysRestartServer configuration

Version-Release number of selected component (if applicable):

- gdm-3.28.3-29.el8.x86_64
- gnome-shell-3.32.2-14.el8.x86_64
- pam-1.3.1-8.el8.x86_64

How reproducible:

Always

Steps to Reproduce: not applicable

Actual results: not applicable

Expected results:

The manual page should not dive into details about GDM, since it can easily
become outdated. It's better to simply tell the user to consult the gdm
documentation.

Additional info:

Steps required to make gdm and gnome-session work with polyinstantiation are
outlined in Bug 1861769 and Bug 1861836.

Comment 2 Iker Pedrosa 2020-10-05 10:41:12 UTC
* master:
    * 491e5500b6b3913f531574208274358a2df88659 - pam_namespace: polyinstantiation refer to gdm doc

Comment 4 shridhar 2020-11-05 07:45:06 UTC
Tested with following data:

On pam-1.3.1-11.el8 version:
# man pam_namespace 
<snip>
EXAMPLES
       For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:

       session required pam_namespace.so [arguments]

       To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default:

       /usr/sbin/gdm-safe-restart

       This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server. If polyinstantiation of /tmp is desired along with the graphical environment,
       then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets. Please use the
       initialization script /etc/security/namespace.init to ensure that the X server and its clients can appropriately access the communication socket X0. Please refer to the sample instructions provided
       in the comment section of the instance initialization script /etc/security/namespace.init. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:

                 1. Disable the use of font server by commenting out "FontPath"
                    line in /etc/X11/xorg.conf. If you do want to use the font server
                    then you will have to augment the instance initialization
                    script to appropriately provide /tmp/.font-unix from the
                    polyinstantiated /tmp.
                 2. Ensure that the gdm service is setup to use pam_namespace,
                    as described above, by modifying /etc/pam.d/gdm.
                 3. Ensure that the display manager is configured to restart X server
                    with each new session. This default setup can be verified by
                    making sure that /usr/share/gdm/defaults.conf contains
                    "AlwaysRestartServer=true", and it is not overridden by
                    /etc/gdm/custom.conf.
</snip>

]# rpm -Uvh 
rpm: no packages given for install
[root@ci-vm-10-0-136-122 bz1810474-add-pam_usertype-module]# man pam_namespace
[root@ci-vm-10-0-136-122 bz1810474-add-pam_usertype-module]# rpm -Uvh pam-1.3.1-13.el8.x86_64.rpm 
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:pam-1.3.1-13.el8                 ################################# [ 50%]
Cleaning up / removing...
   2:pam-1.3.1-11.el8                 ################################# [100%]



On: pam-1.3.1-13.el8.x86_64

# man pam_namespace
<snip>
EXAMPLES
       For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:

       session required pam_namespace.so [arguments]

       To use polyinstantiation with graphical display manager gdm, please refer to gdm's documentation.
</snip>

Marking verified.

Comment 7 Steeve Goveas 2020-11-30 13:36:36 UTC
[root@auto-hv-01-guest01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.4 Beta (Ootpa)

[root@auto-hv-01-guest01 ~]# rpm -q pam
pam-1.3.1-11.el8.x86_64

[root@auto-hv-01-guest01 ~]# man pam_namespace | awk '/EXAMPLES/,/\/etc\/gdm\/custom.conf/'
EXAMPLES
       For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:

       session required pam_namespace.so [arguments]

       To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default:

       /usr/sbin/gdm-safe-restart

       This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server. If polyinstantiation of /tmp is desired along with the graphical environment,
       then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets. Please use the
       initialization script /etc/security/namespace.init to ensure that the X server and its clients can appropriately access the communication socket X0. Please refer to the sample instructions provided
       in the comment section of the instance initialization script /etc/security/namespace.init. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:

                 1. Disable the use of font server by commenting out "FontPath"
                    line in /etc/X11/xorg.conf. If you do want to use the font server
                    then you will have to augment the instance initialization
                    script to appropriately provide /tmp/.font-unix from the
                    polyinstantiated /tmp.
                 2. Ensure that the gdm service is setup to use pam_namespace,
                    as described above, by modifying /etc/pam.d/gdm.
                 3. Ensure that the display manager is configured to restart X server
                    with each new session. This default setup can be verified by
                    making sure that /usr/share/gdm/defaults.conf contains
                    "AlwaysRestartServer=true", and it is not overridden by
                    /etc/gdm/custom.conf.

[root@auto-hv-01-guest01 ~]# yum update pam
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

created by yum config-manager from http://download.eng.bos.redhat.com/rhel-8/nightly/RHEL-8/latest-RHEL-8/compose/BaseOS/x86_64/os                                                  96 kB/s | 2.8 kB     00:00    
Dependencies resolved.
===================================================================================================================================================================================================================
 Package                   Architecture                 Version                               Repository                                                                                                      Size
===================================================================================================================================================================================================================
Upgrading:
 pam                       x86_64                       1.3.1-14.el8                          download.eng.bos.redhat.com_rhel-8_nightly_RHEL-8_latest-RHEL-8_compose_BaseOS_x86_64_os                       739 k

Transaction Summary
===================================================================================================================================================================================================================
Upgrade  1 Package

Total download size: 739 k
Is this ok [y/N]: y
Downloading Packages:
pam-1.3.1-14.el8.x86_64.rpm                                                                                                                                                         10 MB/s | 739 kB     00:00    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                              9.9 MB/s | 739 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                           1/1 
  Upgrading        : pam-1.3.1-14.el8.x86_64                                                                                                                                                                   1/2 
  Running scriptlet: pam-1.3.1-14.el8.x86_64                                                                                                                                                                   1/2 
  Cleanup          : pam-1.3.1-11.el8.x86_64                                                                                                                                                                   2/2 
  Running scriptlet: pam-1.3.1-11.el8.x86_64                                                                                                                                                                   2/2 
  Verifying        : pam-1.3.1-14.el8.x86_64                                                                                                                                                                   1/2 
  Verifying        : pam-1.3.1-11.el8.x86_64                                                                                                                                                                   2/2 
Installed products updated.

Upgraded:
  pam-1.3.1-14.el8.x86_64                                                                                                                                                                                          

Complete!
[root@auto-hv-01-guest01 ~]# man pam_namespace | awk '/EXAMPLES/,/\/etc\/gdm\/custom.conf/'
EXAMPLES
       For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:

       session required pam_namespace.so [arguments]

       To use polyinstantiation with graphical display manager gdm, please refer to gdm's documentation.
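
The EXAMPLES text quoted in the comments above says the pam_namespace.so line belongs "as the last line for session group" in /etc/pam.d/<service>. The following is an added example, not part of the bug report or of the pam project, showing one way to audit that placement. The function names and the sample service files are constructed for illustration, and include/substack lines are reported rather than followed.

```shell
#!/bin/sh
# Added example (not from the bug report or the pam project): audit whether
# pam_namespace.so is the last active "session" entry in a PAM service file.

# Print the module named by the last active session line of FILE.
# "include"/"substack" targets are reported as-is and not followed, so a
# trailing "session include ..." fails the check and calls for a manual look.
last_session_module() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        {
            type = $1
            sub(/^-/, "", type)                # leading "-" marks an optional module
            if (type != "session") next
            i = 2                              # control field, possibly "[a=b c=d]"
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            last = $(i + 1)
            sub(/.*\//, "", last)              # accept an absolute module path
        }
        END { print last }
    ' "$1"
}

# Succeeds only if pam_namespace.so closes the session group of FILE.
check_namespace_last() {
    [ "$(last_session_module "$1")" = "pam_namespace.so" ]
}

# Constructed sample service files (not real system files).
make_samples() {
    cat > "$1/good" <<'EOF'
auth     required  pam_unix.so
session  required  pam_limits.so
-session optional  pam_systemd.so
session  [success=ok default=bad] /lib64/security/pam_namespace.so unmnt_remnt
# session required pam_lastlog.so
EOF
    cat > "$1/bad" <<'EOF'
session  required  pam_namespace.so
session  optional  pam_keyinit.so force revoke
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in good bad; do
    if check_namespace_last "$demo_dir/$f"; then
        echo "$f: pam_namespace.so is last in the session group"
    else
        echo "$f: last session module is $(last_session_module "$demo_dir/$f")"
    fi
done
rm -rf "$demo_dir"
```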

Comment 10 errata-xmlrpc 2021-05-18 14:59:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pam bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1649