Bug 241226

Summary: Pam Namespace Enhancements.
Product: [Fedora] Fedora
Reporter: Daniel Walsh <dwalsh>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium    
Version: rawhide   
Hardware: All   
OS: Linux   
Fixed In Version: pam-0.99.7.1-6.fc8
Doc Type: Bug Fix
Last Closed: 2007-06-05 07:03:41 UTC
Attachments:
And here is the patch (flags: none)

Description Daniel Walsh 2007-05-24 14:27:11 UTC
I would like to experiment with a login account that will disappear when the
user logs out.  $HOME /tmp /var/tmp polyinstantiated/created at login, then zapped
when they log out.  To do this I want them to be able to use TMPFS or a file on disk.

 So imagine we have a policy that locks down a xlogin account that allows a user
to run a full X-Session but prevents them from running setuid apps, then when
they log out the account gets cleaned so the next user starts with a clean
slate. This account could work for kiosks, libraries, public terminals.  Or if
someone wants to temporarily use my laptop,  I say sure login as xguest and have
a ball.

Another change would be a way to say only polyinstantiate for user X, so dwalsh
would not polyinstantiate but xguest would.

So a syntax like

$HOME TMPFS user ~xguest 

would tell pam_namespace you want to polyinstantiate the home directory for only
the xguest user and you should do this by mounting /dev/shm on /home/xguest.

$HOME /home/TMPFS user ~xguest 

Would create a temporary directory under /home and mount ~xguest on it.  This
directory would be removed when xguest logs out.  There is a risk that this
directory would be left around if the machine crashed.  

In both the situations above, the /etc/skel directory should be "installed" into
place with the correct context when the directory gets created.  (install
command should create the directory with the correct context.)

The goal here is to allow an untrusted user to use a machine and attempt to
clean up after they log out.

Comment 1 Tomas Mraz 2007-05-31 16:00:59 UTC
So I have a patch implementing this against RHEL-5 pam. I changed the
specification a little bit:

1) polyinstantiation for users xguest,xfriend only:

<dir> <inst-prefix> <method> ~xguest,xfriend

The '~' should be just the first character of the override user list.

2) tmpfs polyinstantiation
<dir> tmpfs tmpfs <override user list>
tmpfs is mounted on <dir>. Instance initialization script is called after the
mount, otherwise it wouldn't be possible to initialize the directory.

3) tmpdir polyinstantiation
<dir> <inst-prefix> tmpdir <override user list>
Temporary directory <inst-prefix>XXXXXX is created using mkdtemp() and
bind-mounted as in normal polyinstantiation. When the session is closed 'rm -rf'
is called on the temporary directory.
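
The line syntax from Comment 1, as an added example that is not part of the bug report or the patch: a small parser that reports which directories would be polyinstantiated for a given user. It assumes a list without '~' names exempt users (pam_namespace's existing override behaviour) and that '#' starts a comment; the sample lines and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# tmpfs and tmpdir are the methods added in Comment 1; user, level and
# context are the methods pam_namespace already supported.
METHODS = {"user", "level", "context", "tmpfs", "tmpdir"}

# Constructed sample lines in the Comment 1 syntax (not from the bug report).
SAMPLE = """\
# <dir>    <inst-prefix>     <method>  <override user list>
/tmp       tmpfs             tmpfs     ~xguest,xfriend
/var/tmp   /var/tmp/inst-    tmpdir    ~xguest
$HOME      /home/.inst/      user      root,adm
"""

@dataclass(frozen=True)
class Entry:
    directory: str
    inst_prefix: str
    method: str
    users: frozenset
    only_listed: bool  # True when the user list starts with '~'

    def applies_to(self, user):
        """Return True if <dir> is polyinstantiated for this user."""
        if self.only_listed:
            return user in self.users
        return user not in self.users  # a plain list names exempt users

def parse_line(line):
    """Parse one config line; return None for blank and comment lines."""
    line = line.split("#", 1)[0].strip()  # assumption: '#' starts a comment
    if not line:
        return None
    fields = line.split()
    if len(fields) not in (3, 4):
        raise ValueError(f"expected 3 or 4 fields: {line!r}")
    directory, prefix, method = fields[:3]
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}")
    raw = fields[3] if len(fields) == 4 else ""
    only_listed = raw.startswith("~")  # '~' counts only as first character
    names = frozenset(n for n in raw[int(only_listed):].split(",") if n)
    if only_listed and not names:
        raise ValueError("'~' must be followed by at least one user")
    return Entry(directory, prefix, method, names, only_listed)

def polyinstantiated_dirs(conf_text, user):
    """List (dir, method) pairs that would be polyinstantiated for user."""
    entries = filter(None, map(parse_line, conf_text.splitlines()))
    return [(e.directory, e.method) for e in entries if e.applies_to(user)]
```

Running `polyinstantiated_dirs(SAMPLE, "dwalsh")` shows that an ordinary user gets only the `user`-method home directory, while `xguest` also gets the tmpfs and tmpdir instances.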


Comment 2 Tomas Mraz 2007-05-31 16:02:48 UTC
Created attachment 155825
And here is the patch

Comment 3 Daniel Walsh 2007-05-31 18:58:37 UTC
This is great, although I think you should bring your changes up for discussion
on the SELinux/LSPP list, since these guys developed them.  You might get more
feedback.  I also want the changes in Rawhide so we can do some experimenting
with it there.

Comment 4 Tomas Mraz 2007-06-05 07:03:41 UTC
Built in rawhide (pam-0.99.7.1-6.fc8)

There were no reactions on Fedora-selinux and LSPP lists to an e-mail I sent
about this topic.


Comment 5 Tomas Mraz 2007-06-05 07:05:48 UTC
Please test it in rawhide - if the functionality is OK as it is I'll add it to
the pam_namespace documentation and probably release an update with it in Fedora 7
as well.