adding PAM Namespace
parent
c473745dd3
commit
d2c7202973
2 changed files with 88 additions and 0 deletions
87
PAM-Namespace.md
Normal file
@ -0,0 +1,87 @@
## Overview

The `pam_namespace.so` module is typically included by the system PAM packages already, no need to install an extra package.

This example is on Ubuntu 20 LTS, if SElinux is required see the addtional options:

- https://linux.die.net/man/8/pam\_namespace
- https://linux.die.net/man/5/namespace.conf

Mission: create a virtual top-level directory for all users logging in, which is actually a subdirectory in their `$HOME` space.

## Steps

### As root

Make the virtual directory mount point:

```
# mkdir /vdir
```

Create a config for mounting the namespace, this will add the username onto the end of the directory; for example `/home/fred/vdirfred` - the idea is that the second field does _not_ have to be `$HOME`, it could be another directory like `/srv/vdirusers` such that each subdir gets a unique name dynamically like `/srv/vdirusers/vdirfrank` - see the man pages.

```
# vi /etc/security/namespace.conf

/vdir $HOME/vdir user:iscript=userperms.sh
```

Create the above mentioned script to have the user own the new directory created the first time they log in (by default it's `root:root` so users cannot write to it):

```
# vi /etc/security/namespace.d/userperms.sh

== cut here ==
#!/bin/sh
# polydir path as $1, the instance path as $2,
# instance dir was newly created (0 - no, 1 - yes) in $3
# user name in $4
if [ "$3" = 1 ]; then
user="$4"
inst="$2"
passwd=$(getent passwd "$user")
gid=$(echo "$passwd" | cut -f4 -d":")
chown -R "$user":"$gid" "$inst"
fi
exit 0
== cut here ==

# chmod +x /etc/security/namespace.d/userperms.sh
```

Activate the new configuration - note that this edits PAM, the rule of thumb is to never log out as root until you've verified it's working by logging in with other terminals as other users.

**IF YOU BREAK PAM, YOU LOCK EVERYONE OUT - INCLUDING `root`**

```
# vi /etc/pam.d/common-session

session required pam_namespace.so ignore_instance_parent_mode
```

### As user

Log in as the user and test:

```
$ ssh fred@server

server$ touch vdirfred/foo
server$ ls /vdir
foo

server$ touch /vdir/bar
server$ ls vdirfred/
bar foo
```

### As root

As root, `/vdir` should remain empty (no user created files) as it's a virtual mount point:

```
# ls /vdir
#
```

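Review bot: the `iscript` at `/etc/security/namespace.d/userperms.sh` is executed with root privileges by `pam_namespace.so` on every session open, but the only permission step in this hunk is `chmod +x`; the text should also state that the script and the `namespace.d` directory must be owned by root and not writable by group or others, because anyone who can edit that file gets their changes run as root at the next login. Two smaller points in the same hunk: the `ignore_instance_parent_mode` option on the `common-session` line is never explained, and it is needed here only because the instance prefix `$HOME/vdir` puts the instance parent inside the user's home directory instead of a root-owned directory with mode 000; one sentence saying so would keep readers from copying the option into configurations that do not need it. The `== cut here ==` markers share a fence with the `# vi` and `# chmod` commands, so a reader copying the block gets lines that are not part of the script; a separate fence for the script body would be clearer. Typos: "addtional" and "SElinux" (SELinux).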
@ -40,6 +40,7 @@
- [[MySQL Connections]]
- [[NFS 10G Tuning]]
- [[Netcat Replacements]]
- [[PAM Namespace]]
- [[Proxmox Doodads]]
- [[RPM Info]]
- [[Radeon Temperature]]