Description of problem:
The current implementation neglects to recognize that the PAM requesting user (PAM_RUSER) and the authenticating user (PAM_USER) can have different namespaces by virtue of the use of $HOME or $USER in the namespace.conf file. This oversight can, among other things, cause pam_namespace to attempt to unmount directories that don't exist and weren't intended to be polyinstantiated. When the unmount fails, so does authentication.

Version-Release number of selected component (if applicable):

How reproducible:
Configure a user directory to be polyinstantiated using $HOME, something like $HOME/foo, but override for user root. You will need the patch submitted for bug 237163 for this to work. Don't forget to create the instance directory in the test user's home directory ($HOME/foo.inst).

Configure login and su to use pam_namespace. Also use the debug option. For su, use the unmnt_remnt option as per the man page.

Log in as a user and then try to su to root. In /var/log/secure you should see a message to the effect that umount failed because /root/foo doesn't exist, and the su will fail.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
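
The mismatch described in the report above, as an added example that is not part of the original report and is not pam_namespace code: a small Python model that expands one namespace.conf entry for the requesting user and for the authenticating user. The user alice, the home paths and all function names are assumptions; the use_ruser=False branch only models the symptom the reporter describes.

```python
# Constructed namespace.conf entry matching the report: polydir, instance
# prefix, method, then the users exempt from polyinstantiation (root).
NAMESPACE_CONF = "$HOME/foo  $HOME/foo.inst/  user  root\n"
# Constructed accounts; "alice" is a hypothetical test user.
HOMES = {"alice": "/home/alice", "root": "/root"}


def parse(conf):
    """Return (polydir, override_users) per entry; plain user lists only."""
    entries = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank, comment-only or malformed line
        overrides = fields[3].split(",") if len(fields) > 3 else []
        entries.append((fields[0], overrides))
    return entries


def expand(path, user):
    """Substitute $HOME and $USER with the values of one specific user."""
    return path.replace("$HOME", HOMES[user]).replace("$USER", user)


def polydirs_for(user, conf=NAMESPACE_CONF):
    """Directories that are polyinstantiated for `user`."""
    return [expand(p, user) for p, ov in parse(conf) if user not in ov]


def unmount_plan(ruser, user, conf=NAMESPACE_CONF, use_ruser=True):
    """Paths to unmount before setting up the namespace for `user`.

    use_ruser=True:  undo what the requesting user's session mounted.
    use_ruser=False: model of the reported symptom, where every entry is
                     expanded with the authenticating user's values.
    """
    if use_ruser:
        return polydirs_for(ruser, conf)
    return [expand(p, user) for p, _ in parse(conf)]


if __name__ == "__main__":
    print("expected:", unmount_plan("alice", "root"))
    print("reported:", unmount_plan("alice", "root", use_ruser=False))
```

With alice running su to root, the first plan names the directory her login session mounted, while the second names /root/foo, which is the path the failed umount in /var/log/secure refers to.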
Created attachment 156136: patch
Created attachment 156137: patch

Sorry, the previous patch was bad.
This bug is fixed in Linux-PAM-1.0 which will be included in the next release of Red Hat Enterprise Linux.