From d2c720297332e86061e8137aa27b20f96b1c1375 Mon Sep 17 00:00:00 2001 From: tengel Date: Wed, 20 Mar 2024 11:55:04 -0500 Subject: [PATCH] adding PAM Namespace --- PAM-Namespace.md | 87 ++++++++++++++++++++++++++++++++++++++++++++++++ _Sidebar.md | 1 + 2 files changed, 88 insertions(+) create mode 100644 PAM-Namespace.md diff --git a/PAM-Namespace.md b/PAM-Namespace.md new file mode 100644 index 0000000..a278264 --- /dev/null +++ b/PAM-Namespace.md 
@@ -0,0 +1,87 @@ +## Overview + +The `pam_namespace.so` module is typically included by the system PAM packages already, no need to install an extra package. + +This example is on Ubuntu 20 LTS, if SElinux is required see the addtional options: + + - https://linux.die.net/man/8/pam\_namespace + - https://linux.die.net/man/5/namespace.conf + +Mission: create a virtual top-level directory for all users logging in, which is actually a subdirectory in their `$HOME` space. + +## Steps + +### As root + +Make the virtual directory mount point: + +``` +# mkdir /vdir +``` + +Create a config for mounting the namespace, this will add the username onto the end of the directory; for example `/home/fred/vdirfred` - the idea is that the second field does _not_ have to be `$HOME`, it could be another directory like `/srv/vdirusers` such that each subdir gets a unique name dynamically like `/srv/vdirusers/vdirfrank` - see the man pages. + +``` +# vi /etc/security/namespace.conf + +/vdir $HOME/vdir user:iscript=userperms.sh +``` + +Create the above mentioned script to have the user own the new directory created the first time they log in (by default it's `root:root` so users cannot write to it): + +``` +# vi /etc/security/namespace.d/userperms.sh + +== cut here == +#!/bin/sh +# polydir path as $1, the instance path as $2, +# instance dir was newly created (0 - no, 1 - yes) in $3 +# user name in $4 +if [ "$3" = 1 ]; then + user="$4" + inst="$2" + passwd=$(getent passwd "$user") + gid=$(echo "$passwd" | cut -f4 -d":") + chown -R "$user":"$gid" "$inst" +fi +exit 0 +== cut here == + +# chmod +x /etc/security/namespace.d/userperms.sh +``` + +Activate the new configuration - note that this edits PAM, the rule of thumb is to never log out as root until you've verified it's working by logging in with other terminals as other users. 
+ +**IF YOU BREAK PAM, YOU LOCK EVERYONE OUT - INCLUDING `root`** + +``` +# vi /etc/pam.d/common-session + +session required pam_namespace.so ignore_instance_parent_mode +``` + +### As user + +Log in as the user and test: + +``` +$ ssh fred@server + +server$ touch vdirfred/foo +server$ ls /vdir +foo + +server$ touch /vdir/bar +server$ ls vdirfred/ +bar foo +``` + +### As root + +As root, `/vdir` should remain empty (no user created files) as it's a virtual mount point: + +``` +# ls /vdir +# +``` + diff --git a/_Sidebar.md b/_Sidebar.md index c9b6562..253e942 100644 --- a/_Sidebar.md +++ b/_Sidebar.md @@ -40,6 +40,7 @@ - [[MySQL Connections]] - [[NFS 10G Tuning]] - [[Netcat Replacements]] +- [[PAM Namespace]] - [[Proxmox Doodads]] - [[RPM Info]] - [[Radeon Temperature]]
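Review bot: In the `userperms.sh` script in this hunk, the result of `passwd=$(getent passwd "$user")` is never checked, so when the user cannot be resolved `gid` is empty, the script still runs `chown -R "$user":"$gid" "$inst"` and exits 0 as if it had succeeded; either bail out when the lookup fails (`[ -n "$passwd" ] || exit 1` right after the `getent` line) or drop the `cut` step and use `chown -R "$user": "$inst"`, which resolves the user's login group itself. Two smaller points in the same file: `ignore_instance_parent_mode` is added to the `session required pam_namespace.so` line without explanation, and a sentence saying why it is needed here (the instance parent is the user's `$HOME`, not a dedicated restricted directory) would help readers who copy the line; and the second `### As root` heading duplicates the first, so something like `### Verify as root` reads better. `addtional` in the Overview is a typo for `additional`.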