Hi,
I am trying to use pam_namespace to get the following working:
Each user sees its own instance of the directory /tws. I have 2 users, test1 and test2; for testing, pam_namespace is only activated for ssh logins.
If I try to log in via ssh, I am directly kicked out and /var/log/secure shows this error. Any ideas?
Quote:
Aug 30 21:28:04 el6-namespace sshd[11138]: Accepted password for test1 from 192.168.122.1 port 58904 ssh2
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_unix(sshd:session): session opened for user test1 by (uid=0)
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): open_session - start
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Parsing config file /etc/security/namespace.conf
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Expanded polydir: '/tws'
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Expanded ruser polydir: '/tws'
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Expanded instance prefix: '/home/test1/tws'
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Configured poly dirs:
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): dir='/tws' iprefix='/home/test1/tws' meth=1
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): override user 0
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): override user 3
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Set up namespace for pid 11138
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Checking for ns override in dir /tws for uid 500
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Need poly ns for user 500 for dir /tws
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Checking for ns override in dir /tws for uid 0
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Checking for ns override in dir /tws for uid 500
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Setting poly ns for user 500 for dir /tws
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Set namespace for directory /tws
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): Polydir /tws access error: Permission denied
Aug 30 21:28:04 el6-namespace sshd[11138]: pam_namespace(sshd:session): namespace setup failed for pid 11138
Aug 30 21:28:04 el6-namespace sshd[11138]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Aug 30 21:28:04 el6-namespace sshd[11142]: Received disconnect from 192.168.122.1: 11: disconnected by user
Code:
[root@el6-namespace ~]#ls -ld /tws
drwxrwxrwx. 2 root tws 4096 Aug 30 19:33 /tws
[root@el6-namespace ~]#
Code:
[root@el6-namespace ~]# ls -ld /home/test2/tws/
d---------. 2 test2 test2 4096 Aug 30 19:18 /home/test2/tws/
[root@el6-namespace ~]# ls -ld /home/test1/tws/
d---------. 2 test1 test1 4096 Aug 30 19:17 /home/test1/tws/
[root@el6-namespace ~]#
Code:
[root@el6-namespace ~]# cat /etc/security/namespace.conf
# /etc/security/namespace.conf
#
# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
#
# Uncommenting the following three lines will polyinstantiate
# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
# be polyinstantiated based on the MLS level part of the security context as well as user
# name, Polyinstantion will not be performed for user root and adm for directories
# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
# The user name and context is appended to the instance prefix.
#
# Note that instance directories do not have to reside inside the
# polyinstantiated directory. In the examples below, instances of /tmp
# will be created in /tmp-inst directory, where as instances of /var/tmp
# and users home directories will reside within the directories that
# are being polyinstantiated.
#
# Instance parent directories must exist for the polyinstantiation
# mechanism to work. By default, they should be created with the mode
# of 000. pam_namespace module will enforce this mode unless it
# is explicitly called with an argument to ignore the mode of the
# instance parent. System administrators should use this argument with
# caution, as it will reduce security and isolation achieved by
# polyinstantiation.
#
#/tmp /tmp-inst/ level root,adm
#/var/tmp /var/tmp/tmp-inst/ level root,adm
#$HOME $HOME/$USER.inst/ level
/tws $HOME/tws user root,adm
Code:
[root@el6-namespace ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session required pam_namespace.so debug unmnt_remnt ignore_instance_parent_mode
Regards, f0
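The namespace.conf comments quoted above state the preconditions pam_namespace enforces: the instance parent directory must exist and, unless the module is called with ignore_instance_parent_mode, must have mode 000. The script below is an added example, not code from the post or from the pam project: it expands a namespace.conf entry for a given user and reports whether the polydir and the instance parent meet those documented requirements. It assumes (this is my reading of the module, not something the post states) that for the "user" method the instance path is the expanded prefix with the user name appended, and that the instance parent is the directory portion of that path, i.e. everything before the last slash. It also assumes GNU stat. All directories are constructed under a temporary sandbox standing in for the real filesystem.

```shell
#!/bin/sh
# Added example (not from the forum post): pre-flight checks for a
# namespace.conf entry of the form
#   <polydir> <instance_prefix> <method> <override_users>
# Assumptions: method "user" gives instance path <prefix><user>; the
# instance parent is that path up to the last '/'; GNU stat is available.

# Expand $HOME and $USER in an instance prefix, as namespace.conf allows.
# $1 = prefix from the config, $2 = user name, $3 = user's home directory
expand_prefix() {
    printf '%s\n' "$1" | sed -e 's|[$]HOME|'"$3"'|g' -e 's|[$]USER|'"$2"'|g'
}

# Instance path for the "user" method: prefix with the user name appended.
# (The level/context methods also append the SELinux context; not modelled.)
# $1 = expanded prefix, $2 = user name
instance_path() {
    printf '%s%s\n' "$1" "$2"
}

# Instance parent: everything in the instance path before the last '/'.
instance_parent() {
    printf '%s\n' "${1%/*}"
}

# Check one entry. Returns 0 when the polydir exists and the instance parent
# exists with mode 000; 1, 2 or 3 otherwise, with a message on stdout.
# $1 = polydir, $2 = raw instance prefix, $3 = user, $4 = home directory
check_entry() {
    ce_prefix=$(expand_prefix "$2" "$3" "$4")
    ce_parent=$(instance_parent "$(instance_path "$ce_prefix" "$3")")
    [ -d "$1" ] || { echo "polydir $1 missing"; return 1; }
    [ -d "$ce_parent" ] || { echo "instance parent $ce_parent missing"; return 2; }
    ce_mode=$(stat -c '%a' "$ce_parent")
    [ "$ce_mode" = "0" ] || {
        echo "instance parent $ce_parent has mode $ce_mode, module expects 000"
        return 3
    }
    echo "ok: instances of $1 for $3 go under $ce_parent (mode 000)"
    return 0
}

# Constructed sandbox standing in for "/" so the demo never touches real dirs.
SANDBOX=$(mktemp -d)

# Layout A, modelled on the post: polydir mode 777, prefix "$HOME/tws",
# and a 000 directory at $HOME/tws.
mkdir -m 777 "$SANDBOX/tws"
mkdir -p "$SANDBOX/home/test1"
mkdir -m 000 "$SANDBOX/home/test1/tws"

# Layout B, modelled on the /tmp-inst/ example in the config comments:
# a dedicated parent directory at mode 000 and a prefix ending in '/'.
mkdir -m 000 "$SANDBOX/tws-inst"

check_entry "$SANDBOX/tws" '$HOME/tws' test1 "$SANDBOX/home/test1" \
    || echo "layout A: check failed with status $?"
check_entry "$SANDBOX/tws" "$SANDBOX/tws-inst/" test1 "$SANDBOX/home/test1" \
    || echo "layout B: check failed with status $?"

rm -rf "$SANDBOX"
```

Under the stated assumption, layout A fails because the parent of the instance path is the home directory itself (not the 000 directory created inside it), while layout B passes because the trailing slash makes the 000 directory the parent. Run it as any user; nothing outside the temporary sandbox is read or written.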