Posted by: Airtower | 2010-06-26

Trying out pam_namespace

I stumbled upon this post, and I remembered that I wanted to try using pam_namespace since I read about it on Flameeyes’ blog. So today, I actually did.

What is polyinstantiation?

Most people would expect that two users reading from the same absolute path in the file system tree would get either the same file or an “access denied.” But it does not have to be like this: Linux’s mount namespaces allow you to have many different file system trees. This can be used to create multiple (“poly”) instances of system directories like /tmp/ for different users. This is done by bind-mounting (look at mount’s --bind option) different directories to the system directory in a user-specific namespace. The advantage: a user cannot access other users’ files, which protects against certain types of security problems. pam_namespace.so is used to do this automatically at login.

Example

There are two users in the system (Alice and Bob). Due to separate namespaces, Bob will see the contents of /tmp-inst/bob/ when looking into /tmp/, while Alice will see the contents of /tmp-inst/alice/. If Alice writes private data to /tmp/secret (bad idea, just an example) and forgets to restrict access rights, Bob won’t be able to see it, let alone read it. As seen from Bob’s namespace, the file is in /tmp-inst/alice/secret, and he has no access rights there.

Prerequisites

Gentoo’s default PAM installation includes the pam_namespace.so module. The configuration consists of two parts:

  1. Configure pam_namespace (/etc/security/namespace.conf).
  2. Change the PAM configuration to use the namespace module.

Make sure you know what you’re doing before changing the PAM configuration (see “The Linux-PAM System Administrators’ Guide”)! If you break your login badly enough, you might have to use a live system (from USB disk, CD or whatever) to repair it. I always keep a root login open while changing the PAM configuration, so that I can undo my changes if something goes wrong. Concerning the namespace module, reading “Improve security with polyinstantiation” was a good start, but I’d recommend reading the official documentation as well.

Namespace setup

I want to polyinstantiate /tmp/. The user specific instances will be kept in /tmp-inst/, so my /etc/security/namespace.conf looks like this:

/tmp    /tmp-inst/              user    root,adm

“user” is the “polyinstantiation method” and will cause polyinstantiation based on user name. If you use SELinux, some other methods are available. The “root,adm” in the fourth column says that these users should not get polyinstantiated directories. The parent directory for the user-specific instances must exist and have access rights set to 000. To create it as in this example:

# mkdir /tmp-inst/
# chmod 000 /tmp-inst/

The parent directory could have another name or be kept inside the polyinstantiated directory.
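As an added example (not from the post), here is a small POSIX shell script that resolves which directory a user would find mounted on a polyinstantiated path from namespace.conf lines like the one above, and checks the instance parent directory the way the post requires (exists, mode 000). The configuration text is constructed inline; the /var/tmp entry is an assumed extra line, and only the plain exclude list as used in the post is handled (no SELinux methods, no “~” inversion).

```shell
#!/bin/sh
# Constructed sample of /etc/security/namespace.conf. The first entry is the post's;
# the /var/tmp entry is an assumed extra line for illustration.
# Columns: polydir  instance_prefix  method  users_excluded_from_polyinstantiation
NAMESPACE_CONF='# polydir   instance_prefix      method  exclude
/tmp        /tmp-inst/           user    root,adm
/var/tmp    /var/tmp/tmp-inst/   user    root'

# Resolve the directory a user would find bind-mounted on POLYDIR. With the
# "user" method the instance is instance_prefix + username; users in the
# exclude column, and paths not listed at all, keep the shared directory.
pam_ns_instance_dir() {
    polydir=$1 user=$2
    while read -r dir prefix method excl; do
        case "$dir" in ''|\#*) continue ;; esac      # blank line or comment
        [ "$dir" = "$polydir" ] || continue
        [ "$method" = "user" ] || { echo "unsupported-method:$method"; return 1; }
        # Match the whole user name inside the comma list ("ad" must not match "adm").
        case ",$excl," in *",$user,"*) echo shared; return 0 ;; esac
        echo "${prefix}${user}"
        return 0
    done <<EOF
$NAMESPACE_CONF
EOF
    echo shared
}

# Check the instance parent directory the way the post requires: it must exist
# and carry mode 000 (the first ten characters of ls -ld are "d---------").
pam_ns_check_parent() {
    [ -d "$1" ] || { echo missing; return 1; }
    perms=$(ls -ld "$1" | cut -c1-10)
    if [ "$perms" = "d---------" ]; then echo ok; else echo "bad-mode:$perms"; fi
}

# Demonstration on a throw-away directory standing in for /tmp-inst/.
demo_parent=$(mktemp -d)
chmod 000 "$demo_parent"
for u in alice bob root adm; do
    printf '%-6s sees /tmp as %s\n' "$u" "$(pam_ns_instance_dir /tmp "$u")"
done
printf 'instance parent %s: %s\n' "$demo_parent" "$(pam_ns_check_parent "$demo_parent")"
rmdir "$demo_parent"
```

Point the check at your real instance parent (e.g. /tmp-inst/) after running the mkdir and chmod above to confirm the mode before touching the PAM configuration.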

PAM config

pam_namespace.so provides only the session type. To use it, you’ll have to add a line similar to

session         required        pam_namespace.so

to the right configuration file. Which file that is depends on your distribution and use case. For me, it is /etc/pam.d/system-auth. However, with a line exactly like that, I found one problem: Console login as root gave everything as expected (the “real” /tmp/), and login as a normal user worked as well (instance directory). The problem was that the user’s instance directory remained mounted when I used “su -” from a running user session to become root. I found the solution in the module documentation: The option unmnt_remnt makes the module unmount any already existing polyinstantiated directories before setting them up for the new session:

session         required        pam_namespace.so unmnt_remnt

With this configuration, I get the unmodified file system tree after “su -”. 🙂 Hint: The options “debug” and “ignore_config_error” might be useful for testing. Have fun!


Responses

  1. Woo, thank you sir! Man since I installed Linux a bit under two months ago I have learned so much!

    • Just two months and already learning stuff like this? Nice! 🙂

      • Well I found this because I decided to read all the files in /etc :p (I decided to read all the files in /etc on gentoo – there were way too many files in /etc on fedora so I didn’t bother there).

      • When I started using Gentoo, it was more like “I want to have a graphical user interface, so I have to find out how to write an /etc/X11/xorg.conf. To keep the clock correct, I need to set up /etc/ntp.conf” and so on. The result is pretty much the same, though. 😉

  2. Well, as airtower pointed out.. so will I, albeit 4 years later: Well done, Sophia M, for being so immaculately curious as such! 🙂 Bet it has done you a world of good in terms of knowledge 😀
