Red Hat Bugzilla – Bug 242578
pam_namespace uses wrong users namespace
Last modified: 2008-04-04 10:16:31 EDT
Description of problem:
The current implementation neglects to recognize that the PAM requesting user
(PAM_RUSER) and the authenticating user (PAM_USER) can have different namespaces
by virtue of the use of $HOME or $USER in the namespace.conf file. This
oversight can, among other things, cause pam_namespace to attempt to unmount
directories that don't exist and weren't intended to be polyinstantiated. When
the unmount fails, so does authentication.
Version-Release number of selected component (if applicable):
Configure a user directory to be polyinstantiated using $HOME, something like
$HOME/foo, but override for user root. You will need the patch submitted for bug
237163 for this to work. Don't forget to create the instance directory in the
test user's home directory ($HOME/foo.inst). Configure login and su to use
pam_namespace. Also use the debug option. For su use the unmnt_remnt option as
per the man page. Log in as a user and then try and su to root. In
/var/log/secure you should see a message to the effect that umount failed
because /root/foo doesn't exist and the su will fail.
Steps to Reproduce:
Created attachment 156136
Created attachment 156137
Sorry the previous patch was bad.
This bug is fixed in Linux-PAM-1.0 which will be included in the next release of
Red Hat Enterprise Linux.
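The mismatch described in the report can be seen in a small model. This is an added example, not pam_namespace code and not part of the original bug thread: the sample namespace.conf line, the user `alice`, the home directories and all function names are constructed, and the `per_user=False` branch is an assumed simplification of the reported behaviour.

```python
from dataclasses import dataclass

# Constructed sample: polyinstantiate $HOME/foo for everyone except root.
NAMESPACE_CONF = """\
# polydir   instance_prefix   method  override_users
$HOME/foo   $HOME/foo.inst/   user    root
"""
# Constructed passwd data: user name -> home directory.
HOMES = {"alice": "/home/alice", "root": "/root"}


@dataclass(frozen=True)
class PolyDir:
    directory: str
    instance_prefix: str
    method: str
    overrides: frozenset


def parse(conf):
    """Parse namespace.conf-style lines, skipping blanks and comments."""
    entries = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        overrides = frozenset(fields[3].split(",")) if len(fields) > 3 else frozenset()
        entries.append(PolyDir(fields[0], fields[1], fields[2], overrides))
    return entries


def expand(path, user):
    """Substitute $HOME and $USER with the values for one specific user."""
    return path.replace("$HOME", HOMES[user]).replace("$USER", user)


def namespace_for(entries, user):
    """Directories polyinstantiated for `user`, honouring the override list."""
    return [expand(e.directory, user) for e in entries if user not in e.overrides]


def unmount_targets(entries, ruser, user, per_user=True):
    """Paths to unmount under unmnt_remnt when `ruser` switches to `user`."""
    # per_user=True: expand for the requesting user, whose mounts exist.
    # per_user=False: assumed model of the report, expanding for the target user.
    if per_user:
        return namespace_for(entries, ruser)
    return [expand(e.directory, user) for e in entries]
```

With `alice` running su to `root`, the per-user expansion yields `/home/alice/foo`, while expanding for the authenticating user yields `/root/foo`, the path the report says the failed umount complained about.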