What is polyinstantiation?
Most people would expect that two users reading the same absolute path in the file system tree would get either the same file or an “access denied”. But it does not have to be like this: Linux’s mount namespaces allow many different file system trees to coexist. This can be used to create multiple (“poly”) instances of system directories like /tmp/ for different users. This is done by bind-mounting (look at mount’s --bind option) a different directory over the system directory in each user’s namespace. The advantage: a user cannot access other users’ files, which protects against attacks that rely on a shared, world-writable /tmp, such as symlink races on predictable file names.
pam_namespace.so is used to do this automatically at login.
There are two users in the system (Alice and Bob). Due to the separate namespaces, Bob will see the contents of /tmp-inst/bob/ when looking into /tmp/, while Alice sees the contents of /tmp-inst/alice/. If Alice writes private data to /tmp/secret (a bad idea, just an example) and forgets to restrict its access rights, Bob won’t be able to see it, let alone read it. From Bob’s namespace the file lives at /tmp-inst/alice/secret, and he has no access rights there.
Gentoo’s default PAM installation includes the pam_namespace.so module. The configuration consists of two parts:
- Configure pam_namespace (in /etc/security/namespace.conf).
- Change the PAM configuration to use the namespace module.
Make sure you know what you’re doing before changing the PAM configuration (see “The Linux-PAM System Administrators’ Guide”)! If you break your login badly enough, you might have to use a live system (booted from a USB stick, CD or whatever) to repair it. I always keep a root login open while changing the PAM configuration, so that I can undo my changes if something goes wrong. Concerning the namespace module, reading “Improve security with polyinstantiation” was a good start, but I’d recommend reading the official documentation as well.
I want to polyinstantiate /tmp/. The user-specific instances will be kept in /tmp-inst/, so my /etc/security/namespace.conf looks like this:
/tmp /tmp-inst/ user root,adm
“user” is the “polyinstantiation method” and causes polyinstantiation based on the user name: the instance directory is the prefix with the user name appended, e.g. /tmp-inst/alice. If you use SELinux, other methods are available. The “root,adm” in the fourth column says that these users should not get polyinstantiated directories. The parent directory for the user-specific instances must exist, be owned by root and have access rights set to 000, so that no user can list or traverse the instance directories of others. To create it like in this example:
# mkdir /tmp-inst/
# chmod 000 /tmp-inst/
The parent directory could have another name or be kept inside the polyinstantiated directory.
pam_namespace.so provides only the session module type. To use it, you’ll have to add a line similar to
session required pam_namespace.so
to the right configuration file. Which file that is depends on your distribution and use case. For me, it is /etc/pam.d/system-auth. However, with a line exactly like that, I found one problem: console login as root worked as expected (the “real” /tmp/), and login as a user worked as well (instance directory). The problem was that the instance directory remained mounted when I used “su -” from a running user session to become root. I found the solution in the module documentation: the option unmnt_remnt makes the module unmount a possibly existing polyinstantiated namespace before setting one up for the new session:
session required pam_namespace.so unmnt_remnt
With this configuration, I get the unmodified file system tree after “su -”. 🙂 Hint: the options “debug” and “ignore_config_error” might be useful for testing. Have fun!
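The whole procedure above (instance parent directory, namespace.conf entry, PAM session line) as one POSIX shell script, plus the sanity check I would run before logging out of the root shell. This is an added example, not code from the original post or from pam_namespace itself: the function names, the --apply/--check switches and the checks are mine. All paths are parameters so the functions can be exercised on a scratch directory as an unprivileged user; applying them to the real system needs root. It assumes GNU coreutils (stat -c) and, for the optional demonstration of the underlying mechanism, util-linux unshare.

```shell
#!/bin/sh
# Added example (not from the original post): set up and verify /tmp
# polyinstantiation as described above. Paths are parameters so the
# functions can be pointed at a scratch directory; the real-system
# defaults at the bottom need root. Assumes GNU coreutils and util-linux.

# Instance parent directory: must exist, be owned by root and have mode
# 000 so that users cannot list or traverse each other's instances.
polyinst_create_parent() {
    parent="$1"
    mkdir -p "$parent" && chmod 000 "$parent"
}

# Append one namespace.conf entry:
#   <polyinstantiated dir> <instance prefix> <method> <exempt users>
polyinst_write_conf() {
    conf="$1"; dir="$2"; prefix="$3"; method="$4"; exempt="$5"
    printf '%s %s %s %s\n' "$dir" "$prefix" "$method" "$exempt" >> "$conf"
}

# Add the session line to a PAM service file (system-auth in the post),
# but only once. unmnt_remnt covers the "su -" case described above.
polyinst_enable_pam() {
    pamfile="$1"
    grep -q 'pam_namespace\.so' "$pamfile" 2>/dev/null && return 0
    printf 'session required pam_namespace.so unmnt_remnt\n' >> "$pamfile"
}

# Verify the three pieces fit together. Prints each problem found and
# returns 1 if there was any, 0 if the setup looks right.
polyinst_check() {
    prefix="$1"; conf="$2"; pamfile="$3"
    parent="${prefix%/}"; rc=0
    if [ ! -d "$parent" ]; then
        echo "parent directory $parent is missing"; rc=1
    else
        mode=$(stat -c '%a' "$parent")
        [ "$mode" = "0" ] || { echo "$parent has mode $mode, expected 000"; rc=1; }
        owner=$(stat -c '%u' "$parent")
        [ "$owner" = "0" ] || echo "warning: $parent is owned by uid $owner, not root"
    fi
    # Some non-comment line must have exactly this prefix as its 2nd field.
    awk -v p="$prefix" '$1 !~ /^#/ && $2 == p { found = 1 } END { exit !found }' \
        "$conf" 2>/dev/null || { echo "no entry with prefix $prefix in $conf"; rc=1; }
    grep -q '^session[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_namespace\.so' \
        "$pamfile" 2>/dev/null || { echo "no pam_namespace session line in $pamfile"; rc=1; }
    return $rc
}

# The mechanism by hand (root only): in a private mount namespace, bind
# one user's instance over the polyinstantiated directory and list it.
# The bind mount is invisible to every process outside that namespace.
polyinst_demo() {
    dir="$1"; inst="$2"
    unshare -m sh -c "mount --bind \"$inst\" \"$dir\" && ls -la \"$dir\""
}

# Touch the real system (the post's paths) only when explicitly asked.
case "${1:-}" in
    --apply)   # run as root, and keep a second root shell open meanwhile
        polyinst_create_parent /tmp-inst
        polyinst_write_conf /etc/security/namespace.conf /tmp /tmp-inst/ user root,adm
        polyinst_enable_pam /etc/pam.d/system-auth ;;
    --check)
        polyinst_check /tmp-inst/ /etc/security/namespace.conf /etc/pam.d/system-auth ;;
esac
```

Run it with --check after editing by hand, or --apply as root to do the three steps at once; either way, test a fresh user login and a “su -” from a user session before closing the spare root shell.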