2 PAM Namespace
tengel edited this page 2024-09-05 08:27:27 -05:00

Overview

The pam_namespace.so module ships with the distribution's PAM packages (libpam-modules on Ubuntu), so there is no extra package to install.

This example was done on Ubuntu 20.04 LTS. If SELinux is in use, see the additional options in the namespace.conf(5) man page; they are not covered here.

Mission: give every user who logs in a virtual top-level directory, /vdir, which is actually a per-user subdirectory inside their own $HOME.

Steps

As root

Make the virtual directory mount point:

# mkdir /vdir

Create a config entry for the polyinstantiated directory. The fields are the polydir, the instance prefix, the method with optional flags, and an optional list of users to exclude (empty means everyone, root included). The user method appends the user name to the instance prefix, so with $HOME/vdir as the prefix user fred gets the instance directory /home/fred/vdirfred. The prefix does not have to be under $HOME; with a prefix such as /srv/vdirusers/vdir each user dynamically gets a uniquely named directory like /srv/vdirusers/vdirfrank. See the namespace.conf(5) man page for the other methods and flags.

# vi /etc/security/namespace.conf

/vdir  $HOME/vdir  user:iscript=userperms.sh

Create the script named above. pam_namespace runs it as root every time it sets up an instance; it is used here to hand ownership of the instance directory to the user the first time it is created (by default the directory is root:root, so the user could not write to it). A relative iscript path is looked up under /etc/security/namespace.d.

# vi /etc/security/namespace.d/userperms.sh

== cut here ==
#!/bin/sh
# pam_namespace instance init script. It is called with:
#   $1  polydir path (here /vdir)
#   $2  instance path (here /home/<user>/vdir<user>)
#   $3  1 if the instance dir was newly created, 0 if it already existed
#   $4  user name
# It runs as root; a non-zero exit makes the session setup fail.
if [ "$3" = 1 ]; then
  user="$4"
  inst="$2"
  # The primary group id is field 4 of the passwd entry.
  gid=$(getent passwd "$user" | cut -f4 -d":")
  chown -R "$user":"$gid" "$inst"
fi
exit 0
== cut here ==

# chmod +x /etc/security/namespace.d/userperms.sh

Activate the new configuration. This edits PAM, so the rule of thumb is: never log out of your root shell until you have verified the change works by logging in from other terminals as other users. If a login fails, pam_namespace writes the reason to the auth log (/var/log/auth.log on Ubuntu).

IF YOU BREAK PAM, YOU LOCK EVERYONE OUT - INCLUDING root

# vi /etc/pam.d/common-session

session  required  pam_namespace.so  ignore_instance_parent_mode

The ignore_instance_parent_mode option is needed here because the parent of each instance directory is the user's own home directory (mode 750 or similar). Without the option pam_namespace requires the instance parent to be mode 000; that is what stops users from reaching each other's instances when they share a parent such as /srv/vdirusers, and it is not needed for instances under $HOME. Because the control is required, any failure in the module (a bad namespace.conf line, a failing iscript) makes the session open fail and the login is refused; that is the lockout the warning above is about. The line lands in common-session, so it applies to every service whose PAM config includes that file (on Ubuntu that is most of them, sshd included), not just ssh.
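Before opening a new login to test, it is worth checking the pieces that fail silently at login time from the still-open root shell. The script below is an added example, not part of the original page or of pam_namespace: it parses a namespace.conf the same way the module does (comments stripped, method:flags split, relative iscript paths taken from the namespace.d directory), and for each entry checks that the polydir exists, the method is known, the iscript is executable, and the instance parent is either mode 000 or the PAM line carries ignore_instance_parent_mode. The file paths are parameters so it can be run against a scratch tree; the PREFLIGHT environment variable and the function names are this example's own.

```shell
#!/bin/sh
# Preflight check for the pam_namespace setup above (added example, not the
# page's or pam_namespace's own code). Real files: /etc/security/namespace.conf
# and /etc/security/namespace.d; the PAM line comes from /etc/pam.d/common-session.

# Print one entry per line as "polydir prefix method flags", with comments
# and blank lines dropped and "method:flag1,flag2" split into its parts.
ns_entries() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
  while read -r polydir prefix method uids; do
    case $method in
      *:*) flags=${method#*:}; method=${method%%:*} ;;
      *)   flags='' ;;
    esac
    printf '%s %s %s %s\n' "$polydir" "$prefix" "$method" "$flags"
  done
}

# Resolve an iscript= flag the way pam_namespace does: a relative path is
# taken from the namespace.d directory ($2). Prints nothing without the flag.
resolve_iscript() {
  script=''
  old_ifs=$IFS; IFS=,
  for flag in $1; do
    case $flag in iscript=*) script=${flag#iscript=} ;; esac
  done
  IFS=$old_ifs
  case $script in
    '') ;;
    /*) printf '%s\n' "$script" ;;
    *)  printf '%s/%s\n' "$2" "$script" ;;
  esac
}

# Instance parent for a prefix: the directory containing the instance path,
# so "/tmp-inst/" + "fred" has parent /tmp-inst and "$HOME/vdir" has $HOME.
instance_parent() {
  case $1 in
    */) printf '%s\n' "${1%/}" ;;
    *)  dirname "$1" ;;
  esac
}

# check_namespace_conf CONF NAMESPACE_D PAM_LINE
# Prints each finding; returns 0 when there are none.
check_namespace_conf() {
  conf=$1; nsd=$2; pam_line=$3; problems=0
  [ -r "$conf" ] || { echo "$conf: cannot read"; return 1; }
  entries=$(mktemp)
  ns_entries "$conf" > "$entries"
  while read -r polydir prefix method flags; do
    [ -d "$polydir" ] || { echo "$polydir: polydir does not exist"; problems=$((problems + 1)); }
    case $method in
      user|level|context|tmpdir|tmpfs) ;;
      *) echo "$polydir: unknown method '$method'"; problems=$((problems + 1)) ;;
    esac
    script=$(resolve_iscript "$flags" "$nsd")
    if [ -n "$script" ] && [ ! -x "$script" ]; then
      echo "$polydir: iscript $script missing or not executable"; problems=$((problems + 1))
    fi
    # The instance parent must be mode 000 unless the PAM line carries
    # ignore_instance_parent_mode. A prefix under $HOME cannot be resolved
    # here for every user, so it is only checked for the option.
    case $pam_line in *ignore_instance_parent_mode*) continue ;; esac
    parent=$(instance_parent "$prefix")
    case $parent in
      *'$HOME'*|*'$USER'*)
        echo "$polydir: instance parent $parent is a home directory; add ignore_instance_parent_mode to the pam_namespace.so line"
        problems=$((problems + 1)) ;;
      *)
        if [ ! -d "$parent" ]; then
          echo "$polydir: instance parent $parent does not exist"; problems=$((problems + 1))
        elif [ "$(stat -c %a "$parent")" != 0 ]; then
          echo "$polydir: instance parent $parent is mode $(stat -c %a "$parent"), pam_namespace expects 000"; problems=$((problems + 1))
        fi ;;
    esac
  done < "$entries"
  rm -f "$entries"
  echo "$problems problem(s) found in $conf"
  [ "$problems" -eq 0 ]
}

# Against the real system, from the still-open root shell:  PREFLIGHT=1 sh preflight.sh
if [ "${PREFLIGHT:-}" = 1 ]; then
  check_namespace_conf /etc/security/namespace.conf /etc/security/namespace.d \
    "$(grep pam_namespace.so /etc/pam.d/common-session)"
fi
```

A clean run prints "0 problem(s) found"; a non-executable userperms.sh or a shared instance parent that is not mode 000 is reported before anyone is locked out.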

As user

Log in as the user and test. In fred's session /vdir is a bind mount of /home/fred/vdirfred, so a file created through either path shows up in both:

$ ssh fred@server

server$ touch vdirfred/foo
server$ ls /vdir
foo

server$ touch /vdir/bar
server$ ls vdirfred/
bar  foo

As root

As root, in the root shell opened before the PAM change, /vdir should remain empty (no user-created files): the bind mount that puts fred's instance over /vdir exists only in the mount namespace of fred's session, and fred's files actually live in /home/fred/vdirfred.

# ls /vdir
#
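The touch-and-ls test above shows the effect; the functions below make the same check explicit from inside a session. This is an added example, not part of the original page: it reads the calling shell's own view of the mount table from /proc/self/mountinfo (field 5 is the mount point), compares device and inode numbers of the polydir and the instance directory, and checks the owner. The function names are this example's own.

```shell
#!/bin/sh
# Session-side verification of a pam_namespace polydir (added example, not
# the page's own code). Run as the user inside the new session, and as root
# in the shell that predates the PAM change.

# True when PATH is a mount point in this process's mount namespace.
is_mounted_here() {
  while read -r _id _parent _dev _root mountpoint _rest; do
    [ "$mountpoint" = "$1" ] && return 0
  done < /proc/self/mountinfo
  return 1
}

# True when both paths exist and are the same directory (same device and
# inode), which is what the bind mount of the instance over the polydir looks like.
same_dir() {
  [ -d "$1" ] && [ -d "$2" ] &&
  [ "$(stat -c '%d:%i' "$1")" = "$(stat -c '%d:%i' "$2")" ]
}

# verify_polydir POLYDIR INSTANCE USER
# Returns 0 when POLYDIR is a mount point here, is the same directory as
# INSTANCE, and both are owned by USER; prints what it found either way.
verify_polydir() {
  polydir=$1; instance=$2; user=$3; ok=0
  if is_mounted_here "$polydir"; then
    echo "$polydir is a mount point in this session"
  else
    echo "$polydir is NOT a mount point here (real directory, not an instance)"; ok=1
  fi
  if same_dir "$polydir" "$instance"; then
    echo "$polydir and $instance are the same directory"
  else
    echo "$polydir and $instance differ"; ok=1
  fi
  for d in "$polydir" "$instance"; do
    owner=$(stat -c %U "$d" 2>/dev/null || echo '?')
    if [ "$owner" = "$user" ]; then
      echo "$d is owned by $user"
    else
      echo "$d is owned by $owner, expected $user"; ok=1
    fi
  done
  return "$ok"
}

# As fred, inside the ssh session (all three checks should pass):
#   verify_polydir /vdir "$HOME/vdir$USER" "$USER"
# As root, in the old shell, nothing is mounted over the real /vdir:
#   is_mounted_here /vdir && echo "unexpected: /vdir is an instance here"
```

The owner check is what the iscript is for: if userperms.sh did not run (or failed), /vdir is mounted and is the right directory but still root:root, and the user cannot write to it.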