PAM_NAMESPACE(8)                 Linux-PAM Manual                PAM_NAMESPACE(8)

NAME
pam_namespace - PAM module for configuring namespace for a session

SYNOPSIS
pam_namespace.so [debug] [unmnt_remnt] [unmnt_only] [require_selinux]
[gen_hash] [ignore_config_error] [ignore_instance_parent_mode]
[no_unmount_on_close]

DESCRIPTION
The pam_namespace PAM module sets up a private namespace for a session
with polyinstantiated directories. A polyinstantiated directory
provides a different instance of itself based on user name, or when
using SELinux, user name, security context or both. If an executable
script /etc/security/namespace.init exists, it is used to initialize
the namespace every time a new instance directory is set up. The script
receives the polyinstantiated directory path and the instance directory
path as its arguments.

The pam_namespace module disassociates the session namespace from the
parent namespace. Any mounts/unmounts performed in the parent
namespace, such as mounting of devices, are not reflected in the
session namespace. To propagate selected mount/unmount events from the
parent namespace into the disassociated session namespace, an
administrator may use the special shared-subtree feature. For
additional information on the shared-subtree feature, please refer to
the mount(8) man page and the shared-subtree description at
http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092.

OPTIONS
debug
    A lot of debug information is logged using syslog.

unmnt_remnt
    For programs such as su and newrole, the login session has already
    set up a polyinstantiated namespace. For these programs,
    polyinstantiation is performed based on the new user id or security
    context; however, the command first needs to undo the
    polyinstantiation performed by login. This argument instructs the
    command to first undo the previous polyinstantiation before
    proceeding with new polyinstantiation based on the new id/context.

unmnt_only
    For trusted programs that want to undo any existing bind mounts and
    process instance directories on their own, this argument allows
    them to unmount currently mounted instance directories.

require_selinux
    If SELinux is not enabled, return failure.

gen_hash
    Instead of using the security context string for the instance name,
    generate and use its MD5 hash.

ignore_config_error
    If a line in the configuration file corresponding to a
    polyinstantiated directory contains a format error, skip that line
    and process the next line. Without this option, pam will return an
    error to the calling program, resulting in termination of the
    session.

ignore_instance_parent_mode
    Instance parent directories by default are expected to have the
    restrictive mode of 000. Using this option, an administrator can
    choose to ignore the mode of the instance parent. This option
    should be used with caution as it weakens the security and
    isolation goals of the polyinstantiation mechanism.

no_unmount_on_close
    For certain trusted programs such as newrole, open session is
    called from a child process while the parent performs close session
    and pam end functions. For these commands, use this option to
    instruct pam_close_session not to unmount the bind mounted
    polyinstantiated directory in the parent.

MODULE TYPES PROVIDED
The session service is supported.

RETURN VALUES
PAM_SUCCESS
    Namespace setup was successful.

PAM_SERVICE_ERR
    Unexpected system error occurred while setting up the namespace.

PAM_SESSION_ERR
    Unexpected namespace configuration error occurred.

FILES
/etc/security/namespace.conf
    Configuration file

EXAMPLES
For the <service>s for which you need polyinstantiation (login, for
example), put the following line in /etc/pam.d/<service> as the last
line of the session group:

session required pam_namespace.so [arguments]

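Two checks an administrator can run against the points above: that instance parent directories carry the restrictive mode 000 described under ignore_instance_parent_mode, and that pam_namespace.so is the last session line of a service file as required here. This is an added example in POSIX sh, not part of Linux-PAM; it assumes GNU stat(1) and runs on constructed sample inputs.

```shell
#!/bin/sh
# Deployment checks for pam_namespace (added example, not part of Linux-PAM).
# Assumes GNU stat(1) and a POSIX awk; the paths are whatever the caller passes.

# Return 0 if DIR is an instance parent with the restrictive mode 000 that
# pam_namespace expects unless ignore_instance_parent_mode is given.
check_instance_parent_mode() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat prints "0" for mode 000
    [ "$mode" = "0" ] && return 0
    echo "$1 has mode $mode, expected 000" >&2
    return 1
}

# Return 0 if the last non-comment "session" line in the pam.d file FILE loads
# pam_namespace.so, i.e. it is ordered as the EXAMPLES section requires.
check_session_order() {
    awk '
        /^[[:space:]]*#/ { next }              # skip comments
        /^[[:space:]]*$/ { next }              # skip blank lines
        $1 == "session"  { last = $0 }         # remember the last session line
        END { exit !(last ~ /pam_namespace\.so/) }
    ' "$1"
}

# Demo on constructed inputs: a scratch instance parent and a fake pam.d file.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/tmp-inst" && chmod 000 "$tmp/tmp-inst"
    cat > "$tmp/login" <<'EOF'
# constructed sample of /etc/pam.d/login
auth       required   pam_unix.so
session    required   pam_unix.so
session    required   pam_namespace.so
EOF
    check_instance_parent_mode "$tmp/tmp-inst" && echo "instance parent mode: ok"
    check_session_order "$tmp/login" && echo "session ordering: ok"
    chmod 700 "$tmp/tmp-inst"   # make the scratch directory removable again
    rm -rf "$tmp"
}
demo
```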
To use polyinstantiation with the graphical display manager gdm, insert
the following line, before exit 0, in /etc/gdm/PostSession/Default:

/usr/sbin/gdm-safe-restart

This allows gdm to restart after each session and appropriately adjust
the namespaces of the display manager and the X server. If
polyinstantiation of /tmp is desired along with the graphical
environment, then additional configuration changes are needed to
address the interaction of X server and font server namespaces with
their use of /tmp to create communication sockets. Please use the
initialization script /etc/security/namespace.init to ensure that the
X server and its clients can appropriately access the communication
socket X0. Please refer to the sample instructions provided in the
comment section of the instance initialization script
/etc/security/namespace.init. In addition, perform the following
changes to use the graphical environment with polyinstantiation of
/tmp:

1. Disable the use of the font server by commenting out the "FontPath"
   line in /etc/X11/xorg.conf. If you do want to use the font server,
   then you will have to augment the instance initialization script to
   appropriately provide /tmp/.font-unix from the polyinstantiated
   /tmp.
2. Ensure that the gdm service is set up to use pam_namespace, as
   described above, by modifying /etc/pam.d/gdm.
3. Ensure that the display manager is configured to restart the X
   server with each new session. This default setup can be verified by
   making sure that /usr/share/gdm/defaults.conf contains
   "AlwaysRestartServer=true", and that it is not overridden by
   /etc/gdm/custom.conf.

SEE ALSO
namespace.conf(5), pam.d(8), mount(8), pam(8).

AUTHORS
The namespace setup scheme was designed by Stephen Smalley, Janak Desai
and Chad Sellers. The pam_namespace PAM module was developed by Janak
Desai <janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve
Grubb <sgrubb@redhat.com>.

Linux-PAM Manual                   11/28/2007                PAM_NAMESPACE(8)