tengel/papyri
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

adding PAM Namespace

tengel 2024-03-20 11:55:04 -05:00
parent c473745dd3
commit d2c7202973
2 changed files with 88 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

87
PAM-Namespace.md Normal file

@ -0,0 +1,87 @@
## Overview
The `pam_namespace.so` module is typically included by the system PAM packages already, no need to install an extra package.
This example is on Ubuntu 20 LTS, if SElinux is required see the addtional options:
- https://linux.die.net/man/8/pam\_namespace
- https://linux.die.net/man/5/namespace.conf
Mission: create a virtual top-level directory for all users logging in, which is actually a subdirectory in their `$HOME` space.
## Steps
### As root
Make the virtual directory mount point:
```
# mkdir /vdir
```
Create a config for mounting the namespace, this will add the username onto the end of the directory; for example `/home/fred/vdirfred` - the idea is that the second field does _not_ have to be `$HOME`, it could be another directory like `/srv/vdirusers` such that each subdir gets a unique name dynamically like `/srv/vdirusers/vdirfrank` - see the man pages.
```
# vi /etc/security/namespace.conf
/vdir $HOME/vdir user:iscript=userperms.sh
```
Create the above mentioned script to have the user own the new directory created the first time they log in (by default it's `root:root` so users cannot write to it):
```
# vi /etc/security/namespace.d/userperms.sh
== cut here ==
#!/bin/sh
# polydir path as $1, the instance path as $2,
# instance dir was newly created (0 - no, 1 - yes) in $3
# user name in $4
if [ "$3" = 1 ]; then
user="$4"
inst="$2"
passwd=$(getent passwd "$user")
gid=$(echo "$passwd" | cut -f4 -d":")
chown -R "$user":"$gid" "$inst"
fi
exit 0
== cut here ==
# chmod +x /etc/security/namespace.d/userperms.sh
```
Activate the new configuration - note that this edits PAM, the rule of thumb is to never log out as root until you've verified it's working by logging in with other terminals as other users.
**IF YOU BREAK PAM, YOU LOCK EVERYONE OUT - INCLUDING `root`**
```
# vi /etc/pam.d/common-session
session required pam_namespace.so ignore_instance_parent_mode
```
### As user
Log in as the user and test:
```
$ ssh fred@server
server$ touch vdirfred/foo
server$ ls /vdir
foo
server$ touch /vdir/bar
server$ ls vdirfred/
bar foo
```
### As root
As root, `/vdir` should remain empty (no user created files) as it's a virtual mount point:
```
# ls /vdir
#
```

1
_Sidebar.md

@ -40,6 +40,7 @@
- [[MySQL Connections]] - [[MySQL Connections]]
- [[NFS 10G Tuning]] - [[NFS 10G Tuning]]
- [[Netcat Replacements]] - [[Netcat Replacements]]
- [[PAM Namespace]]
- [[Proxmox Doodads]] - [[Proxmox Doodads]]
- [[RPM Info]] - [[RPM Info]]
- [[Radeon Temperature]] - [[Radeon Temperature]]