Bug 241226 - Pam Namespace Enhancements.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Tomas Mraz
Reported: 2007-05-24 10:27 EDT by Daniel Walsh
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: pam-0.99.7.1-6.fc8
Doc Type: Bug Fix
Last Closed: 2007-06-05 03:03:41 EDT

Attachments
And here is the patch (12.81 KB, patch)
2007-05-31 12:02 EDT, Tomas Mraz

Description Daniel Walsh 2007-05-24 10:27:11 EDT
I would like to experiment with a login account that will disappear when the
user logs out.  $HOME /tmp /var/tmp polyinstantiated/created at login, then zapped
when they log out.  To do this I want them to be able to use TMPFS or a file on disk.

So imagine we have a policy that locks down an xlogin account that allows a user
to run a full X-Session but prevents them from running setuid apps, then when
they log out the account gets cleaned so the next user starts with a clean
slate. This account could work for kiosks, libraries, public terminals.  Or if
someone wants to temporarily use my laptop,  I say sure login as xguest and have
a ball.

Another change would be a way to say only polyinstantiate for user X, so dwalsh
would not polyinstantiate but xguest would.

So a syntax like

$HOME TMPFS user ~xguest 

would tell pam_namespace you want to polyinstantiate the home directory for only
the xguest user and you should do this by mounting /dev/shm on /home/xguest.

$HOME /home/TMPFS user ~xguest 

Would create a temporary directory under /home and mount ~xguest on it.  This
directory would be removed when xguest logs out.  There is a risk that this
directory would be left around if the machine crashed.  

In both the situations above, the /etc/skel directory should be "installed" into
place with the correct context when the directory gets created.  (install
command should create the directory with the correct context.)

The goal here is to allow an untrusted user to use a machine and attempt to
clean up after they log out.
Comment 1 Tomas Mraz 2007-05-31 12:00:59 EDT
So I have a patch implementing this against RHEL-5 pam. I changed the
specification a little bit:

1) polyinstantiation for users xguest,xfriend only:

<dir> <inst-prefix> <method> ~xguest,xfriend

The '~' should be just the first character of the override user list.

2) tmpfs polyinstantiation
<dir> tmpfs tmpfs <override user list>
tmpfs is mounted on <dir>. Instance initialization script is called after the
mount, otherwise it wouldn't be possible to initialize the directory.

3) tmpdir polyinstantiation
<dir> <inst-prefix> tmpdir <override user list>
Temporary directory <inst-prefix>XXXXXX is created using mkdtemp() and
bind-mounted as in normal polyinstantiation. When the session is closed 'rm -rf'
is called on the temporary directory.
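
The line syntax from Comment 1, as an added example that is not part of the attached patch or of pam_namespace's source: a small C parser for one configuration line and the per-user decision that the '~' prefix changes. The struct and function names are hypothetical; user, level and context are pam_namespace's existing methods, and a list without '~' names the users who are exempt from polyinstantiation.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this added example; not pam_namespace's own. */
struct ns_entry {
    char dir[256], prefix[256], method[32], users[256];
    int only_listed;   /* 1 when the user list began with '~' */
};

/* Parse "<dir> <inst-prefix> <method> [<user list>]"; 0 if valid, -1 if not. */
int ns_parse(const char *line, struct ns_entry *e)
{
    static const char *methods[] = { "user", "level", "context", "tmpfs", "tmpdir" };
    char list[256] = "";
    size_t i, known = 0;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%255s %255s %31s %255s", e->dir, e->prefix, e->method, list) < 3)
        return -1;
    for (i = 0; i < sizeof methods / sizeof *methods; i++)
        known |= (strcmp(e->method, methods[i]) == 0);
    e->only_listed = (list[0] == '~');
    strcpy(e->users, list + e->only_listed);
    /* '~' counts only as the first character of the list; rejecting it
     * anywhere else is this example's choice. */
    if (!known || e->dir[0] == '#' || strchr(e->users, '~'))
        return -1;
    return 0;
}

/* Returns 1 if `user` gets a private instance of e->dir, else 0. */
int ns_applies(const struct ns_entry *e, const char *user)
{
    char copy[256], *u;
    int listed = 0;
    strcpy(copy, e->users);
    for (u = strtok(copy, ","); u; u = strtok(NULL, ","))
        listed |= (strcmp(u, user) == 0);
    /* Plain list: the named users are exempt. '~' list: only they are included. */
    return e->only_listed ? listed : !listed;
}

int main(void)
{
    struct ns_entry e;   /* the line below is a constructed sample */
    if (ns_parse("$HOME tmpfs tmpfs ~xguest,xfriend", &e) != 0)
        return 1;
    printf("xguest: %d, dwalsh: %d\n", ns_applies(&e, "xguest"), ns_applies(&e, "dwalsh"));
    return 0;
}
```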
Comment 2 Tomas Mraz 2007-05-31 12:02:48 EDT
Created attachment 155825
And here is the patch
Comment 3 Daniel Walsh 2007-05-31 14:58:37 EDT
This is great, although I think you should bring your changes up for discussion
on the SELinux/LSPP list, since these guys developed them.  You might get more
feedback.  I also want the changes in Rawhide so we can do some experimenting
with it there.
Comment 4 Tomas Mraz 2007-06-05 03:03:41 EDT
Built in rawhide (pam-0.99.7.1-6.fc8)

There were no reactions on Fedora-selinux and LSPP lists to an e-mail I sent
about this topic.
Comment 5 Tomas Mraz 2007-06-05 03:05:48 EDT
Please test it in rawhide - if the functionality is OK as it is I'll add it to
the pam_namespace documentation and probably release an update with it in Fedora 7
as well.
