I would like to experiment with a login account that will disappear when the
user logs out. $HOME /tmp /var/tmp polyinstantiated/created at login, then zapped
at logout. To do this I want them to be able to use TMPFS or a file on disk.
So imagine we have a policy that locks down an xlogin account that allows a user
to run a full X-Session but prevents them from running setuid apps, then when
they log out the account gets cleaned so the next user starts with a clean
slate. This account could work for kiosks, libraries, public terminals. Or if
someone wants to temporarily use my laptop, I say sure login as xguest and have
Another change would be a way to say only polyinstantiate for user X, so dwalsh
would not polyinstantiate but xguest would.
So a syntax like
$HOME TMPFS user ~xguest
would tell pam_namespace you want to polyinstantiate the home directory for only
the xguest user and you should do this by mounting /dev/shm on /home/xguest
$HOME /home/TMPFS user ~xguest
Would create a temporary directory under /home and mount ~xguest on it. This
directory would be removed when xguest logs out. There is a risk that this
directory would be left around if the machine crashed.
In both situations above the /etc/skel directory should be "installed" into
place with the correct context when the directory gets created. (install
command should create the directory with the correct context.)
The goal here is to allow an untrusted user to use a machine and attempt to
clean up after they log out.
So I have a patch implementing this against RHEL-5 pam. I changed the
specification a little bit:
1) polyinstantiation for users xguest,xfriend only:
<dir> <inst-prefix> <method> ~xguest,xfriend
The '~' should be just the first character of the override user list.
2) tmpfs polyinstantiation
<dir> tmpfs tmpfs <override user list>
tmpfs is mounted on <dir>. Instance initialization script is called after the
mount, otherwise it wouldn't be possible to initialize the directory.
3) tmpdir polyinstantiation
<dir> <inst-prefix> tmpdir <override user list>
Temporary directory <inst-prefix>XXXXXX is created using mkdtemp() and
bind-mounted as in normal polyinstantiation. When the session is closed 'rm -rf'
is called on the temporary directory.
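To make the rule syntax from the original proposal and from the changed specification above concrete, here is an added example (not code from the pam patch, nor Red Hat's or the pam_namespace project's own code) that parses the extended namespace.conf format and evaluates, for a given user, which directories would be polyinstantiated and how. It models only what the thread describes: the four-field line, the '~' allow-list marker, and the tmpfs and tmpdir methods. The sample configuration is constructed for the example; nothing is mounted or deleted, the script only evaluates the rules.

```python
"""Parser and per-session evaluator for the extended pam_namespace
namespace.conf syntax discussed in this thread.  Added example: not code
from the pam patch or from Red Hat; it models the described rules so they
can be checked offline.

Line format (from the thread):
    <dir> <inst-prefix> <method> <user list>
The user list excludes users by default; a leading '~' (the first
character of the list) turns it into an allow-list, so the directory is
polyinstantiated only for the named users.  'tmpfs' and 'tmpdir' are
the two added methods.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

KNOWN_METHODS = {"user", "context", "level", "tmpfs", "tmpdir"}


@dataclass
class NamespaceRule:
    directory: str       # e.g. "$HOME" or "/tmp"
    inst_prefix: str     # instance directory prefix, or the literal "tmpfs"
    method: str          # one of KNOWN_METHODS
    users: List[str]
    only_listed: bool    # True when the user list began with '~'

    def applies_to(self, user: str) -> bool:
        """Is this directory polyinstantiated for a session of `user`?"""
        listed = user in self.users
        return listed if self.only_listed else not listed


def parse_rule(line: str) -> Optional[NamespaceRule]:
    """Parse one namespace.conf line; returns None for blank or comment lines."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    fields = text.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    directory, inst_prefix, method, userlist = fields
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown method {method!r} in {line!r}")
    # Consistency checks taken from the specification in the thread.
    if method == "tmpfs" and inst_prefix != "tmpfs":
        raise ValueError("tmpfs method requires the instance prefix 'tmpfs'")
    if method == "tmpdir" and not inst_prefix.startswith("/"):
        raise ValueError("tmpdir method needs an absolute mkdtemp() prefix")
    only_listed = userlist.startswith("~")
    users = [u for u in userlist.lstrip("~").split(",") if u]
    return NamespaceRule(directory, inst_prefix, method, users, only_listed)


def parse_config(text: str) -> List[NamespaceRule]:
    """Parse a whole namespace.conf, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            rules.append(rule)
    return rules


def plan_session(rules: List[NamespaceRule], user: str,
                 home: str) -> List[Tuple[str, str, str]]:
    """Return (directory, method, instance) triples describing what would be
    set up at session open for `user`.  Nothing is mounted here."""
    plan = []
    for rule in rules:
        if not rule.applies_to(user):
            continue
        directory = home if rule.directory == "$HOME" else rule.directory
        if rule.method == "tmpfs":
            instance = "tmpfs"                      # mounted directly on directory
        elif rule.method == "tmpdir":
            instance = rule.inst_prefix + "XXXXXX"  # mkdtemp() template; rm -rf at close
        else:
            instance = rule.inst_prefix + "<inst>"  # per user/context/level instance dir
        plan.append((directory, rule.method, instance))
    return plan


# Constructed sample configuration covering the thread's three cases.
SAMPLE_CONF = """
# polyinstantiate $HOME for xguest and xfriend only, backed by tmpfs
$HOME      tmpfs               tmpfs   ~xguest,xfriend
# /tmp for xguest only, as a mkdtemp() directory under /tmp-inst/
/tmp       /tmp-inst/          tmpdir  ~xguest
# classic exclusion list: everyone except root and adm
/var/tmp   /var/tmp/tmp-inst/  level   root,adm
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONF)
    for user in ("xguest", "dwalsh", "root"):
        print(user, plan_session(rules, user, f"/home/{user}"))
```

Running it shows that xguest gets all three directories polyinstantiated, dwalsh only /var/tmp (the exclusion-list rule), and root nothing, which is exactly the "only for user X" behaviour the '~' marker was introduced for.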
Created attachment 155825
And here is the patch
This is great, although I think you should bring your changes up for discussion
on the SELinux/LSPP list, since these guys developed them. You might get more
feedback. I also want the changes in Rawhide so we can do some experimenting
with it there.
Built in rawhide (pam-0.99.7.1-6.fc8)
There were no reactions on Fedora-selinux and LSPP lists to an e-mail I sent
about this topic.
Please test it in rawhide - if the functionality is OK as it is I'll add it to
the pam_namespace documentation and probably release an update with it in Fedora 7