pam_namespace improvements ..

pam_namespace improvements ..

[Janak Desai]

Hi Russell,

After going thorugh the pam_namespace thread again and after talking to
some of my peeps, I do see that a mode 000 instance parent can thwart
attacks by non-root daemons and non-polyinstanted users on polyinstanted
users.

The current implementation of pam_namespace already depends on the
existance of the instance parent and allows the admin to configure the names
of different instances. I will update the namespace.conf man page, and
the comment text in the namespace.conf file to guide admins to
appropriately create a different instance parent (and not use the poly
dir itself, like the current example suggests). That way, an admin can
create an intermediate directory like .inst with 000 or create a whole
different directory with 000.

Thanks.

-Janak



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: pam_namespace improvements ..

[Russell Coker]

On Monday 22 May 2006 10:48, Janak Desai <janak@us.ibm.com> wrote:
> After going thorugh the pam_namespace thread again and after talking to
> some of my peeps, I do see that a mode 000 instance parent can thwart
> attacks by non-root daemons and non-polyinstanted users on polyinstanted
> users.

OK.

> The current implementation of pam_namespace already depends on the
> existance of the instance parent and allows the admin to configure the
> names of different instances. I will update the namespace.conf man page,
> and the comment text in the namespace.conf file to guide admins to
> appropriately create a different instance parent (and not use the poly
> dir itself, like the current example suggests). That way, an admin can
> create an intermediate directory like .inst with 000 or create a whole
> different directory with 000.

I'm glad that we have agreement on this issue.  However I would like to go 
further.

I would like to have the default configuration of major distributions (Fedora, 
Debian, and Gentoo) have some changes to make things more secure in this 
regard.

I believe that we need a script run at boot time to create such directories if 
they don't exist and rename a directory with the name but the wrong 
permissions before creating it if necessary.  Having the administrator create 
the directory with mkdir and then chmod it will work for Fedora IFF a 
persistent file system is used for /tmp.  Due to other issues SE Linux 
compels the use of a persistent file system for /tmp at this time (I consider 
this a bug and have long-term plans to fix it), however we also want to 
support non-SE users.

I also believe that pam_namespace should have the optional ability (determined 
by a command-line parameter or a config-file setting) to verify the Unix 
permissions and SE Linux context of the mode 000 directory and reject user 
logins if the permissions are considered to be inappropriate.

Configuration tools to support enabling all this functionality in a convenient 
manner would also be good.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: pam_namespace improvements ..

[Janak Desai]

Russell Coker wrote:

>On Monday 22 May 2006 10:48, Janak Desai <janak@us.ibm.com> wrote:
>  
>
>>After going thorugh the pam_namespace thread again and after talking to
>>some of my peeps, I do see that a mode 000 instance parent can thwart
>>attacks by non-root daemons and non-polyinstanted users on polyinstanted
>>users.
>>    
>>
>
>OK.
>
>  
>
>>The current implementation of pam_namespace already depends on the
>>existance of the instance parent and allows the admin to configure the
>>names of different instances. I will update the namespace.conf man page,
>>and the comment text in the namespace.conf file to guide admins to
>>appropriately create a different instance parent (and not use the poly
>>dir itself, like the current example suggests). That way, an admin can
>>create an intermediate directory like .inst with 000 or create a whole
>>different directory with 000.
>>    
>>
>
>I'm glad that we have agreement on this issue.  However I would like to go 
>further.
>
>I would like to have the default configuration of major distributions (Fedora, 
>Debian, and Gentoo) have some changes to make things more secure in this 
>regard.
>
>I believe that we need a script run at boot time to create such directories if 
>they don't exist and rename a directory with the name but the wrong 
>permissions before creating it if necessary.  Having the administrator create 
>the directory with mkdir and then chmod it will work for Fedora IFF a 
>persistent file system is used for /tmp.  Due to other issues SE Linux 
>compels the use of a persistent file system for /tmp at this time (I consider 
>this a bug and have long-term plans to fix it), however we also want to 
>support non-SE users.
>
>I also believe that pam_namespace should have the optional ability (determined 
>by a command-line parameter or a config-file setting) to verify the Unix 
>permissions and SE Linux context of the mode 000 directory and reject user 
>logins if the permissions are considered to be inappropriate.
>
>Configuration tools to support enabling all this functionality in a convenient 
>manner would also be good.
>
>  
>
Ok, thanks. I will add an option to pam_namespace to allow an admin to 
NOT check
the mode of the instance parent. By default, pam_namespace will require 
the mode
to be 000. As far as SELinux context, what is the appropriate context 
for an instance
parent? Isn't it ok to leave that upto the system security policy? 
Because of different
types of polyinstantiated directories, I cannot comprehend a definitive 
context
that pam_namespace could/should check for.

Thanks.

-Janak

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH] pam_namespace : option to check instance parent mode and man page(s) updates

[Janak Desai]

[-- Attachment #1: Type: text/plain, Size: 820 bytes --]


This patch, which applies on top of the latest pam_namespace in rawhide, adds a new
command line option to allow an admin to bypass checking of the instance parent 
mode. It also updates namespace.conf and pam_namespace man pages to add text
relating this new option, interaction with share-subtree and possible config 
changes that would allow the use of pam_namespace with gdm and polyinstantiation
of /tmp.

Signed-off-by: Janak Desai <janak@us.ibm.com>

---

 README               |   95 ++++++++++++++++++++++++++++++--------------------- namespace.conf       |   22 +++++++++--
 namespace.conf.5.xml |   42 +++++++++++++---------
 pam_namespace.8.xml  |   79 ++++++++++++++++++++++++++++++++++++++++++
 pam_namespace.c      |   49 +++++++++++++++++++++++++-
 5 files changed, 227 insertions(+), 60 deletions(-)



[-- Attachment #2: pns0530.patch --]
[-- Type: text/x-patch, Size: 18743 bytes --]

diff -Naurp pam_namespace0530/modules/pam_namespace/README pam_namespace0530+patch/modules/pam_namespace/README
--- pam_namespace0530/modules/pam_namespace/README	2006-05-31 18:57:41.000000000 +0000
+++ pam_namespace0530+patch/modules/pam_namespace/README	2006-05-31 19:48:09.000000000 +0000
@@ -3,17 +3,17 @@ pam_namespace module:
 Setup a private namespace with polyinstantiated directories.
 
 THEORY OF OPERATION:
-The pam namespace module consults /etc/security/namespace.conf 
+The pam namespace module consults /etc/security/namespace.conf
 configuration file and sets up a private namespace with polyinstantiated
 directories for a session managed by PAM. A skeleton namespace.conf
-installed by default provides example for polyinstantiating /tmp 
+installed by default provides example for polyinstantiating /tmp, /var/tmp
 and users' home directory.
 
 If an executable script /etc/security/namespace.init exists, it
 is used to initialize the namespace every time a new instance directory
 is created. The script receives the polyinstantiated directory path
 and the instance directory path as its arguments.
-                        
+
 Each line in namespace.conf describes a limit for a user in the form:
 
 <polydir>  <instance_prefix>  <method>  <list_of_uids>
@@ -29,7 +29,7 @@ Where:
         the prefix to generate the final instance directory path.
         This directory is created if it did not exist already, and is then
 	bind mounted on the <polydir> to provide an instance of <polydir>
-	based on the <method> column. The special string $HOME is replaced with 
+	based on the <method> column. The special string $HOME is replaced with
 	the user's home directory, and $USER with the username.
 	This field cannot be blank.
 
@@ -54,43 +54,60 @@ EXAMPLE /etc/security/namespace.conf con
 # /var/tmp, whereas home directories will be polyinstantiated for all
 # users. The user name and/or context is appended to the instance prefix.
 #
-/tmp     /tmp-inst/       both      root,adm
-/var/tmp /var/tmp-inst/   both      root,adm
-$HOME    $HOME.inst-      context
-    
-ARGUMENTS RECOGNIZED:
-    debug		Verbose logging by syslog
+# Note that instance directories do not have to reside inside the
+# polyinstantiated directory. In the examples below, instances of /tmp
+# will be created in /tmp-inst directory, where as instances of /var/tmp
+# and users home directories will reside within the directories that
+# are being polyinstantiated.
+#
+# Instance parent directories must exist for the polyinstantiation
+# mechanism to work. By default, they should be created with the mode
+# of 1000. pam_namespace module will enforce this mode unless it
+# is explicitly called with an argument to ignore the mode of the
+# instance parent. System administrators should use this argument with
+# caution, as it will reduce security and isolation achieved by
+# polyinstantiation.
+#
+/tmp     /tmp-inst/       	both      root,adm
+/var/tmp /var/tmp/tmp-inst/   	both      root,adm
+$HOME    $HOME/$USER.inst/inst- context
 
-    unmnt_remnt		For programs such as su and newrole, the login
-			session has already setup a polyinstantiated 
-			namespace. For these programs, polyinstantiation
-			is performed based on new user id or security
-			context, however the command first needs to 
-			undo the polyinstantiation performed by login.
-			This argument instructs the command to 
-			first undo previous polyinstantiation before
-			proceeding with new polyinstantiation based on
-			new id/context.
-
-    unmnt_only		For trusted programs that want to undo any
-			existing bind mounts and process instance 
-			directories on their own, this argument allows
-			them to unmount currently mounted instance
-			directories.
-
-    require_selinux	If selinux is not enabled, return failure.
-
-    gen_hash		Instead of using the security context string
-			for the instance name, generate and use its
-			md5 hash.
-
-    ignore_config_error	If a line in the configuration file corresponding
-			to a polyinstantiated directory contains format
-			error, skip that line process the next line.
-			Without this option, pam will return an error
-			to the calling program resulting in termination
-			of the session.
+ARGUMENTS RECOGNIZED:
+    debug
+	Verbose logging by syslog
 
+    unmnt_remnt
+	For programs such as su and newrole, the login session has
+	already setup a polyinstantiated namespace. For these programs,
+	polyinstantiation is performed based on new user id or security
+	context, however the command first needs to undo the
+	polyinstantiation performed by login. This argument instructs
+	the command to first undo previous polyinstantiation before
+	proceeding with new polyinstantiation based on new id/context.
+
+    unmnt_only
+	For trusted programs that want to undo any existing bind mounts
+	and process instance directories on their own, this argument
+	allows them to unmount currently mounted instance directories.
+
+    require_selinux
+	If selinux is not enabled, return failure.
+
+    gen_hash
+	Instead of using the security context string for the instance
+	name, generate and use its md5 hash.
+
+    ignore_config_error
+	If a line in the configuration file corresponding to a
+	polyinstantiated directory contains format error, skip that
+	line process the next line. Without this option, pam will return
+	an error to the calling program resulting in termination
+	of the session.
+
+    ignore_instance_parent_mode
+	Instance parent directories by default are expected to have
+	the restrictive mode of 1000. Using this option, an administrator
+	can choose to ignore the mode of the instance parent.
 
 MODULE SERVICES PROVIDED:
 	session            open_session and close_session
diff -Naurp pam_namespace0530/modules/pam_namespace/namespace.conf pam_namespace0530+patch/modules/pam_namespace/namespace.conf
--- pam_namespace0530/modules/pam_namespace/namespace.conf	2006-05-31 18:57:41.000000000 +0000
+++ pam_namespace0530+patch/modules/pam_namespace/namespace.conf	2006-05-31 19:19:39.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/security/namespace.conf
 #
 # See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
-# 
+#
 # Uncommenting the following three lines will polyinstantiate
 # /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
 # be polyinstantiated based on both security context as well as user
@@ -11,6 +11,20 @@
 # directories will be polyinstantiated for all users. The user name
 # and/or context is appended to the instance prefix.
 #
-#/tmp     /tmp.inst/          both      adm
-#/var/tmp /var/tmp.inst/      both      adm
-#$HOME    $HOME.inst-         context
+# Note that instance directories do not have to reside inside the
+# polyinstantiated directory. In the examples below, instances of /tmp
+# will be created in /tmp-inst directory, where as instances of /var/tmp
+# and users home directories will reside within the directories that
+# are being polyinstantiated.
+#
+# Instance parent directories must exist for the polyinstantiation
+# mechanism to work. By default, they should be created with the mode
+# of 1000. pam_namespace module will enforce this mode unless it
+# is explicitly called with an argument to ignore the mode of the
+# instance parent. System administrators should use this argument with
+# caution, as it will reduce security and isolation achieved by
+# polyinstantiation.
+#
+#/tmp     /tmp-inst/       	both      root,adm
+#/var/tmp /var/tmp/tmp-inst/   	both      root,adm
+#$HOME    $HOME/$USER.inst/inst- context
diff -Naurp pam_namespace0530/modules/pam_namespace/namespace.conf.5.xml pam_namespace0530+patch/modules/pam_namespace/namespace.conf.5.xml
--- pam_namespace0530/modules/pam_namespace/namespace.conf.5.xml	2006-05-31 18:57:41.000000000 +0000
+++ pam_namespace0530+patch/modules/pam_namespace/namespace.conf.5.xml	2006-05-31 19:22:13.000000000 +0000
@@ -43,7 +43,7 @@
    </para>
 
     <para>
-      <replaceable>polydir</replaceable> <replaceable>instance_prefex</replaceable> <replaceable>method</replaceable> <replaceable>list_of_uids</replaceable>
+      <replaceable>polydir</replaceable> <replaceable> instance_prefix</replaceable> <replaceable> method</replaceable> <replaceable> list_of_uids</replaceable>
     </para>
 
     <para>
@@ -59,11 +59,14 @@
       of &lt;polydir&gt;. The directory security context, or optionally its
       md5sum string (32 hex characters), is appended to the prefix to
       generate the final instance directory path. This directory is
-      created if it did not exist already, and is then bind mounted on
-      the &lt;polydir&gt; to provide an instance of &lt;polydir&gt; based on the
+      created if it did not exist already, and is then bind mounted on the
+      &lt;polydir&gt; to provide an instance of &lt;polydir&gt; based on the
       &lt;method&gt; column. The special string $HOME is replaced with the
-      user's home directory, and $USER with the username. This field
-      cannot be blank.
+      user's home directory, and $USER with the username. This field cannot
+      be blank. The directory where polyinstantiated instances are to be
+      created, must exist and must have, by default, the mode of 1000.  The
+      requirement that the instance parent be of mode 1000 can be overridden
+      with the command line option &lt;ignore_instance_parent_mode&gt;
     </para>
 
     <para>
@@ -92,20 +95,27 @@
       <filename>/etc/security/namespace.conf</filename>.
     </para>
 
-    <para>
+    <literallayout>
       # The following three lines will polyinstantiate /tmp,
       # /var/tmp and user's home directories. /tmp and /var/tmp
-      # will be polyinstantiated based on both security context as well
-      # as user name, whereas home directory will be polyinstantiated
-      # based on security context only. Polyinstantiation will not be
-      # performed for user root and adm for directories /tmp and
-      # /var/tmp, whereas home directories will be polyinstantiated for
-      # all users.
+      # will be polyinstantiated based on both security context
+      # as well as user name, whereas home directory will be
+      # polyinstantiated based on security context only.
+      # Polyinstantiation will not be performed for user root
+      # and adm for directories /tmp and /var/tmp, whereas home
+      # directories will be polyinstantiated for all users.
       #
-      /tmp     /tmp/tmp.inst-$USER-       both      root,adm
-      /var/tmp /var/tmp/tmp.inst-$USER-   both      root,adm
-      $HOME    $HOME.inst-                context
-    </para>
+      # Note that instance directories do not have to reside inside
+      # the polyinstantiated directory. In the examples below,
+      # instances of /tmp will be created in /tmp-inst directory,
+      # where as instances of /var/tmp and users home directories
+      # will reside within the directories that are being
+      # polyinstantiated.
+      #
+      /tmp     /tmp-inst/       	both      root,adm
+      /var/tmp /var/tmp/tmp-inst/   	both      root,adm
+      $HOME    $HOME/$USER.inst/inst- context
+    </literallayout>
 
     <para>
       For the &lt;service&gt;s you need polyinstantiation (login for example)
diff -Naurp pam_namespace0530/modules/pam_namespace/pam_namespace.8.xml pam_namespace0530+patch/modules/pam_namespace/pam_namespace.8.xml
--- pam_namespace0530/modules/pam_namespace/pam_namespace.8.xml	2006-05-31 18:57:41.000000000 +0000
+++ pam_namespace0530+patch/modules/pam_namespace/pam_namespace.8.xml	2006-05-31 19:25:30.000000000 +0000
@@ -40,6 +40,9 @@
       <arg choice="opt">
         ignore_config_error
       </arg>
+      <arg choice="opt">
+        ignore_instance_parent_mode
+      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -56,6 +59,19 @@
       directory is created. The script receives the polyinstantiated
       directory path and the instance directory path as its arguments.
     </para>
+
+    <para>
+      The pam_namespace module disassociates the session namespace from
+      the parent namespace. Any mounts/unmounts performed in the parent
+      namespace, such as mounting of devices, are not reflected in the
+      session namespace. To propogate selected mount/unmount events from
+      the parent namespace into the disassociated session namespace, an
+      administrator may use the special shared-subtree feature. For
+      additional information on shared-subtree feature, please refer to
+      the mount(8) man page and the shared-subtree description at
+      http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092.
+    </para>
+
   </refsect1>
 
   <refsect1 id="pam_namespace-options">
@@ -148,6 +164,21 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+          <option>ignore_instance_parent_mode</option>
+        </term>
+        <listitem>
+          <para>
+	    Instance parent directories by default are expected to have
+	    the restrictive mode of 1000. Using this option, an administrator
+	    can choose to ignore the mode of the instance parent. This option
+            should be used with caution as it will reduce security and
+            isolation goals of the polyinstantiation mechanism.
+          </para>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
@@ -200,6 +231,51 @@
     </variablelist>
   </refsect1>
 
+  <refsect1 id="pam_namespace-examples">
+    <title>EXAMPLES</title>
+
+    <para>
+      For the &lt;service&gt;s you need polyinstantiation (login for example)
+      put the following line in /etc/pam.d/&lt;service&gt; as the last line for
+      session group:
+    </para>
+
+    <para>
+      session  required  pam_namespace.so [arguments]
+    </para>
+
+    <para>
+      To use polyinstantiation with graphical display manager gdm, insert the
+      following line, before exit 0, in /etc/gdm/PostSession/Default:
+    </para>
+
+    <para>
+      /usr/sbin/gdm-safe-restart
+    </para>
+
+    <para>
+      This allows gdm to restart after each session and appropriately adjust
+      namesapces of display manager and the X server. If polyinstantiation of
+      /tmp is desired along with the graphical environment, then addtional
+      configuration changes are needed to address the interaction of X server
+      and font server namespaces with their use of /tmp to create communication
+      sockets. Perform the following changes to use graphical environment
+      with polyinstantiation of /tmp:
+    </para>
+
+    <para>
+    <literallayout>
+      1. Setup default init state to 3, by modifying /etc/inittab
+      2. Disable the use of font server by commenting out "FontPath"
+         line in /etc/X11/xorg.conf.
+      3. Ensure that the login service is setup to use pam_namespace,
+         as described above, by modifying /etc/pam.d/login.
+      4. Use the "startx" command after a successful terminal login.
+    </literallayout>
+    </para>
+
+  </refsect1>
+
   <refsect1 id="pam_namespace-see_also">
     <title>SEE ALSO</title>
     <para>
@@ -210,6 +286,9 @@
         <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citerefentry>
+        <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
         <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>.
     </para>
diff -Naurp pam_namespace0530/modules/pam_namespace/pam_namespace.c pam_namespace0530+patch/modules/pam_namespace/pam_namespace.c
--- pam_namespace0530/modules/pam_namespace/pam_namespace.c	2006-05-31 18:57:41.000000000 +0000
+++ pam_namespace0530+patch/modules/pam_namespace/pam_namespace.c	2006-05-31 19:32:53.000000000 +0000
@@ -85,6 +85,7 @@
 #define PAMNS_CTXT_BASED_INST 0x00000800 /* Context based instance needed */
 #define PAMNS_GEN_HASH        0x00002000 /* Generate md5 hash for inst names */
 #define PAMNS_IGN_CONFIG_ERR  0x00004000 /* Ignore format error in conf file */
+#define PAMNS_IGN_INST_PARENT_MODE  0x00008000 /* Ignore instance parent mode */
 
 /*
  * Polyinstantiation method options, based on user, security context
@@ -630,8 +631,9 @@ static int create_dirs(const struct poly
 	struct instance_data *idata)
 #endif
 {
-    struct stat statbuf, newstatbuf;
+    struct stat statbuf, newstatbuf, instpbuf;
     int fd, pid, status;
+    char *inst_parent, *trailing_slash;
 
     /*
      * stat the directory to polyinstantiate, so its owner-group-mode
@@ -653,6 +655,49 @@ static int create_dirs(const struct poly
     }
 
     /*
+     * stat the instance parent path to make sure it exists
+     * and is a directory. Check that its mode is 1000 (unless the
+     * admin explicitly instructs to ignore the instance parent
+     * mode by the "ignore_instance_parent_mode" argument).
+     */
+    inst_parent = (char *) malloc(strlen(ipath)+1);
+    if (!inst_parent) {
+	pam_syslog(idata->pamh, LOG_ERR, "Error allocating pathname string");
+        return PAM_SESSION_ERR;
+    }
+
+    strcpy(inst_parent, ipath);
+    trailing_slash = strrchr(inst_parent, '/');
+    if (trailing_slash)
+        *trailing_slash = '\0';
+
+    if (stat(inst_parent, &instpbuf) < 0) {
+        pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", inst_parent);
+        free(inst_parent);
+        return PAM_SESSION_ERR;
+    }
+
+    /*
+     * Make sure we are dealing with a directory
+     */
+    if (!S_ISDIR(instpbuf.st_mode)) {
+	pam_syslog(idata->pamh, LOG_ERR, "Instance parent %s is not a dir",
+		inst_parent);
+        free(inst_parent);
+        return PAM_SESSION_ERR;
+    }
+
+    if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) {
+        if (instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) {
+	    pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000",
+		    inst_parent);
+            free(inst_parent);
+            return PAM_SESSION_ERR;
+        }
+    }
+    free(inst_parent);
+
+    /*
      * Create instance directory and set its security context to the context
      * returned by the security policy. Set its mode and ownership
      * attributes to match that of the original directory that is being
@@ -1157,6 +1202,8 @@ PAM_EXTERN int pam_sm_open_session(pam_h
             idata.flags |= PAMNS_GEN_HASH;
         if (strcmp(argv[i], "ignore_config_error") == 0)
             idata.flags |= PAMNS_IGN_CONFIG_ERR;
+        if (strcmp(argv[i], "ignore_instance_parent_mode") == 0)
+            idata.flags |= PAMNS_IGN_INST_PARENT_MODE;
         if (strcmp(argv[i], "unmnt_remnt") == 0)
             unmnt = UNMNT_REMNT;
         if (strcmp(argv[i], "unmnt_only") == 0)

Re: [PATCH] pam_namespace : option to check instance parent mode and man page(s) updates

[Janak Desai]

Tomas Mraz wrote:
> On Wed, 2006-05-31 at 17:32 -0400, Janak Desai wrote:
> 
>>This patch, which applies on top of the latest pam_namespace in rawhide, adds a new
>>command line option to allow an admin to bypass checking of the instance parent 
>>mode. It also updates namespace.conf and pam_namespace man pages to add text
>>relating this new option, interaction with share-subtree and possible config 
>>changes that would allow the use of pam_namespace with gdm and polyinstantiation
>>of /tmp.
> 
> 
> In the documentation files there is always written that the mode of the
> parent directory is checked to be 1000 but in the code you check only
> the user, group and other bits. Should the documentation be adjusted to
> say 000?

Oops. The documentation is correct. The code should also check for the
sticky bit. I will fix that and send updated patch later this afternoon.

-Janak

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH] pam_namespace : option to check instance parent mode and man page(s) updates - v2

[Janak Desai]

[-- Attachment #1: Type: text/plain, Size: 1094 bytes --]


This patch, which applies on top of the latest pam_namespace in rawhide, 
adds a new command line option to allow an admin to bypass checking of 
the instance parent mode. It also updates namespace.conf and pam_namespace
man pages to add text relating this new option, interaction with 
share-subtree and possible config changes that would allow the use of
pam_namespace with gdm and polyinstantiation of /tmp. 

The only changes to this patch since the last time it was posted on
the selinux mailing list yesterday, are the documentation updates to
change the instance parent mode references to 000 from 1000. Sticky
bits are not needed since the directory itself is not writable.

Signed-off-by: Janak Desai <janak@us.ibm.com>

--- 

README               |   95 ++++++++++++++++++++++++++++++--------------------- namespace.conf       |   22 +++++++++--
 namespace.conf.5.xml |   42 +++++++++++++---------
 pam_namespace.8.xml  |   79 ++++++++++++++++++++++++++++++++++++++++++
 pam_namespace.c      |   49 +++++++++++++++++++++++++-
 5 files changed, 227 insertions(+), 60 deletions(-)





[-- Attachment #2: pns0530a.patch --]
[-- Type: text/x-patch, Size: 18736 bytes --]

diff -Naurp pam_namespace0530/modules/pam_namespace/README pam_namespace0530+patch/modules/pam_namespace/README
--- pam_namespace0530/modules/pam_namespace/README	2006-05-31 18:57:41.000000000 +0000
+++ pam_namespace0530+patch/modules/pam_namespace/README	2006-06-01 16:31:44.000000000 +0000
@@ -3,17 +3,17 @@ pam_namespace module:
 Setup a private namespace with polyinstantiated directories.
 
 THEORY OF OPERATION:
-The pam namespace module consults /etc/security/namespace.conf 
+The pam namespace module consults /etc/security/namespace.conf
 configuration file and sets up a private namespace with polyinstantiated
 directories for a session managed by PAM. A skeleton namespace.conf
-installed by default provides example for polyinstantiating /tmp 
+installed by default provides example for polyinstantiating /tmp, /var/tmp
 and users' home directory.
 
 If an executable script /etc/security/namespace.init exists, it
 is used to initialize the namespace every time a new instance directory
 is created. The script receives the polyinstantiated directory path
 and the instance directory path as its arguments.
-                        
+
 Each line in namespace.conf describes a limit for a user in the form:
 
 <polydir>  <instance_prefix>  <method>  <list_of_uids>
@@ -29,7 +29,7 @@ Where:
         the prefix to generate the final instance directory path.
         This directory is created if it did not exist already, and is then
 	bind mounted on the <polydir> to provide an instance of <polydir>
-	based on the <method> column. The special string $HOME is replaced with 
+	based on the <method> column. The special string $HOME is replaced with
 	the user's home directory, and $USER with the username.
 	This field cannot be blank.
 
@@ -54,43 +54,60 @@ EXAMPLE /etc/security/namespace.conf con
 # /var/tmp, whereas home directories will be polyinstantiated for all
 # users. The user name and/or context is appended to the instance prefix.
 #
-/tmp     /tmp-inst/       both      root,adm
-/var/tmp /var/tmp-inst/   both      root,adm
-$HOME    $HOME.inst-      context
-    
-ARGUMENTS RECOGNIZED:
-    debug		Verbose logging by syslog
+# Note that instance directories do not have to reside inside the
+# polyinstantiated directory. In the examples below, instances of /tmp
+# will be created in /tmp-inst directory, where as instances of /var/tmp
+# and users home directories will reside within the directories that
+# are being polyinstantiated.
+#
+# Instance parent directories must exist for the polyinstantiation
+# mechanism to work. By default, they should be created with the mode
+# of 000. pam_namespace module will enforce this mode unless it
+# is explicitly called with an argument to ignore the mode of the
+# instance parent. System administrators should use this argument with
+# caution, as it will reduce security and isolation achieved by
+# polyinstantiation.
+#
+/tmp     /tmp-inst/       	both      root,adm
+/var/tmp /var/tmp/tmp-inst/   	both      root,adm
+$HOME    $HOME/$USER.inst/inst- context
 
-    unmnt_remnt		For programs such as su and newrole, the login
-			session has already setup a polyinstantiated 
-			namespace. For these programs, polyinstantiation
-			is performed based on new user id or security
-			context, however the command first needs to 
-			undo the polyinstantiation performed by login.
-			This argument instructs the command to 
-			first undo previous polyinstantiation before
-			proceeding with new polyinstantiation based on
-			new id/context.
-
-    unmnt_only		For trusted programs that want to undo any
-			existing bind mounts and process instance 
-			directories on their own, this argument allows
-			them to unmount currently mounted instance
-			directories.
-
-    require_selinux	If selinux is not enabled, return failure.
-
-    gen_hash		Instead of using the security context string
-			for the instance name, generate and use its
-			md5 hash.
-
-    ignore_config_error	If a line in the configuration file corresponding
-			to a polyinstantiated directory contains format
-			error, skip that line process the next line.
-			Without this option, pam will return an error
-			to the calling program resulting in termination
-			of the session.
+ARGUMENTS RECOGNIZED:
+    debug
+	Verbose logging by syslog
 
+    unmnt_remnt
+	For programs such as su and newrole, the login session has
+	already setup a polyinstantiated namespace. For these programs,
+	polyinstantiation is performed based on new user id or security
+	context, however the command first needs to undo the
+	polyinstantiation performed by login. This argument instructs
+	the command to first undo previous polyinstantiation before
+	proceeding with new polyinstantiation based on new id/context.
+
+    unmnt_only
+	For trusted programs that want to undo any existing bind mounts
+	and process instance directories on their own, this argument
+	allows them to unmount currently mounted instance directories.
+
+    require_selinux
+	If selinux is not enabled, return failure.
+
+    gen_hash
+	Instead of using the security context string for the instance
+	name, generate and use its md5 hash.
+
+    ignore_config_error
+	If a line in the configuration file corresponding to a
+	polyinstantiated directory contains format error, skip that
+	line process the next line. Without this option, pam will return
+	an error to the calling program resulting in termination
+	of the session.
+
+    ignore_instance_parent_mode
+	Instance parent directories by default are expected to have
+	the restrictive mode of 000. Using this option, an administrator
+	can choose to ignore the mode of the instance parent.
 
 MODULE SERVICES PROVIDED:
 	session            open_session and close_session
diff -Naurp pam_namespace0530/modules/pam_namespace/namespace.conf pam_namespace0530+patch/modules/pam_namespace/namespace.conf
--- pam_namespace0530/modules/pam_namespace/namespace.conf	2006-05-31 18:57:41.000000000 +0000
+++ pam_namespace0530+patch/modules/pam_namespace/namespace.conf	2006-06-01 16:31:44.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/security/namespace.conf
 #
 # See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
-# 
+#
 # Uncommenting the following three lines will polyinstantiate
 # /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
 # be polyinstantiated based on both security context as well as user
@@ -11,6 +11,20 @@
 # directories will be polyinstantiated for all users. The user name
 # and/or context is appended to the instance prefix.
 #
-#/tmp     /tmp.inst/          both      adm
-#/var/tmp /var/tmp.inst/      both      adm
-#$HOME    $HOME.inst-         context
+# Note that instance directories do not have to reside inside the
+# polyinstantiated directory. In the examples below, instances of /tmp
+# will be created in /tmp-inst directory, where as instances of /var/tmp
+# and users home directories will reside within the directories that
+# are being polyinstantiated.
+#
+# Instance parent directories must exist for the polyinstantiation
+# mechanism to work. By default, they should be created with the mode
+# of 000. pam_namespace module will enforce this mode unless it
+# is explicitly called with an argument to ignore the mode of the
+# instance parent. System administrators should use this argument with
+# caution, as it will reduce security and isolation achieved by
+# polyinstantiation.
+#
+#/tmp     /tmp-inst/       	both      root,adm
+#/var/tmp /var/tmp/tmp-inst/   	both      root,adm
+#$HOME    $HOME/$USER.inst/inst- context
diff -Naurp pam_namespace0530/modules/pam_namespace/namespace.conf.5.xml pam_namespace0530+patch/modules/pam_namespace/namespace.conf.5.xml
--- pam_namespace0530/modules/pam_namespace/namespace.conf.5.xml	2006-05-31 18:57:41.000000000 +0000
+++ pam_namespace0530+patch/modules/pam_namespace/namespace.conf.5.xml	2006-06-01 16:31:44.000000000 +0000
@@ -43,7 +43,7 @@
    </para>
 
     <para>
-      <replaceable>polydir</replaceable> <replaceable>instance_prefex</replaceable> <replaceable>method</replaceable> <replaceable>list_of_uids</replaceable>
+      <replaceable>polydir</replaceable> <replaceable> instance_prefix</replaceable> <replaceable> method</replaceable> <replaceable> list_of_uids</replaceable>
     </para>
 
     <para>
@@ -59,11 +59,14 @@
       of &lt;polydir&gt;. The directory security context, or optionally its
       md5sum string (32 hex characters), is appended to the prefix to
       generate the final instance directory path. This directory is
-      created if it did not exist already, and is then bind mounted on
-      the &lt;polydir&gt; to provide an instance of &lt;polydir&gt; based on the
+      created if it did not exist already, and is then bind mounted on the
+      &lt;polydir&gt; to provide an instance of &lt;polydir&gt; based on the
       &lt;method&gt; column. The special string $HOME is replaced with the
-      user's home directory, and $USER with the username. This field
-      cannot be blank.
+      user's home directory, and $USER with the username. This field cannot
+      be blank. The directory where polyinstantiated instances are to be
+      created, must exist and must have, by default, the mode of 000.  The
+      requirement that the instance parent be of mode 000 can be overridden
+      with the command line option &lt;ignore_instance_parent_mode&gt;
     </para>
 
     <para>
@@ -92,20 +95,27 @@
       <filename>/etc/security/namespace.conf</filename>.
     </para>
 
-    <para>
+    <literallayout>
       # The following three lines will polyinstantiate /tmp,
       # /var/tmp and user's home directories. /tmp and /var/tmp
-      # will be polyinstantiated based on both security context as well
-      # as user name, whereas home directory will be polyinstantiated
-      # based on security context only. Polyinstantiation will not be
-      # performed for user root and adm for directories /tmp and
-      # /var/tmp, whereas home directories will be polyinstantiated for
-      # all users.
+      # will be polyinstantiated based on both security context
+      # as well as user name, whereas home directory will be
+      # polyinstantiated based on security context only.
+      # Polyinstantiation will not be performed for user root
+      # and adm for directories /tmp and /var/tmp, whereas home
+      # directories will be polyinstantiated for all users.
       #
-      /tmp     /tmp/tmp.inst-$USER-       both      root,adm
-      /var/tmp /var/tmp/tmp.inst-$USER-   both      root,adm
-      $HOME    $HOME.inst-                context
-    </para>
+      # Note that instance directories do not have to reside inside
+      # the polyinstantiated directory. In the examples below,
+      # instances of /tmp will be created in /tmp-inst directory,
+      # where as instances of /var/tmp and users home directories
+      # will reside within the directories that are being
+      # polyinstantiated.
+      #
+      /tmp     /tmp-inst/       	both      root,adm
+      /var/tmp /var/tmp/tmp-inst/   	both      root,adm
+      $HOME    $HOME/$USER.inst/inst- context
+    </literallayout>
 
     <para>
       For the &lt;service&gt;s you need polyinstantiation (login for example)
diff -Naurp pam_namespace0530/modules/pam_namespace/pam_namespace.8.xml pam_namespace0530+patch/modules/pam_namespace/pam_namespace.8.xml
--- pam_namespace0530/modules/pam_namespace/pam_namespace.8.xml	2006-05-31 18:57:41.000000000 +0000
+++ pam_namespace0530+patch/modules/pam_namespace/pam_namespace.8.xml	2006-06-01 16:31:44.000000000 +0000
@@ -40,6 +40,9 @@
       <arg choice="opt">
         ignore_config_error
       </arg>
+      <arg choice="opt">
+        ignore_instance_parent_mode
+      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -56,6 +59,19 @@
       directory is created. The script receives the polyinstantiated
       directory path and the instance directory path as its arguments.
     </para>
+
+    <para>
+      The pam_namespace module disassociates the session namespace from
+      the parent namespace. Any mounts/unmounts performed in the parent
+      namespace, such as mounting of devices, are not reflected in the
+      session namespace. To propogate selected mount/unmount events from
+      the parent namespace into the disassociated session namespace, an
+      administrator may use the special shared-subtree feature. For
+      additional information on shared-subtree feature, please refer to
+      the mount(8) man page and the shared-subtree description at
+      http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092.
+    </para>
+
   </refsect1>
 
   <refsect1 id="pam_namespace-options">
@@ -148,6 +164,21 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+          <option>ignore_instance_parent_mode</option>
+        </term>
+        <listitem>
+          <para>
+	    Instance parent directories by default are expected to have
+	    the restrictive mode of 000. Using this option, an administrator
+	    can choose to ignore the mode of the instance parent. This option
+            should be used with caution as it will reduce security and
+            isolation goals of the polyinstantiation mechanism.
+          </para>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
@@ -200,6 +231,51 @@
     </variablelist>
   </refsect1>
 
+  <refsect1 id="pam_namespace-examples">
+    <title>EXAMPLES</title>
+
+    <para>
+      For the &lt;service&gt;s you need polyinstantiation (login for example)
+      put the following line in /etc/pam.d/&lt;service&gt; as the last line for
+      session group:
+    </para>
+
+    <para>
+      session  required  pam_namespace.so [arguments]
+    </para>
+
+    <para>
+      To use polyinstantiation with graphical display manager gdm, insert the
+      following line, before exit 0, in /etc/gdm/PostSession/Default:
+    </para>
+
+    <para>
+      /usr/sbin/gdm-safe-restart
+    </para>
+
+    <para>
+      This allows gdm to restart after each session and appropriately adjust
+      namesapces of display manager and the X server. If polyinstantiation of
+      /tmp is desired along with the graphical environment, then addtional
+      configuration changes are needed to address the interaction of X server
+      and font server namespaces with their use of /tmp to create communication
+      sockets. Perform the following changes to use graphical environment
+      with polyinstantiation of /tmp:
+    </para>
+
+    <para>
+    <literallayout>
+      1. Setup default init state to 3, by modifying /etc/inittab
+      2. Disable the use of font server by commenting out "FontPath"
+         line in /etc/X11/xorg.conf.
+      3. Ensure that the login service is setup to use pam_namespace,
+         as described above, by modifying /etc/pam.d/login.
+      4. Use the "startx" command after a successful terminal login.
+    </literallayout>
+    </para>
+
+  </refsect1>
+
   <refsect1 id="pam_namespace-see_also">
     <title>SEE ALSO</title>
     <para>
@@ -210,6 +286,9 @@
         <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citerefentry>
+        <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
         <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>.
     </para>
diff -Naurp pam_namespace0530/modules/pam_namespace/pam_namespace.c pam_namespace0530+patch/modules/pam_namespace/pam_namespace.c
--- pam_namespace0530/modules/pam_namespace/pam_namespace.c	2006-05-31 18:57:41.000000000 +0000
+++ pam_namespace0530+patch/modules/pam_namespace/pam_namespace.c	2006-06-01 16:31:44.000000000 +0000
@@ -85,6 +85,7 @@
 #define PAMNS_CTXT_BASED_INST 0x00000800 /* Context based instance needed */
 #define PAMNS_GEN_HASH        0x00002000 /* Generate md5 hash for inst names */
 #define PAMNS_IGN_CONFIG_ERR  0x00004000 /* Ignore format error in conf file */
+#define PAMNS_IGN_INST_PARENT_MODE  0x00008000 /* Ignore instance parent mode */
 
 /*
  * Polyinstantiation method options, based on user, security context
@@ -630,8 +631,9 @@ static int create_dirs(const struct poly
 	struct instance_data *idata)
 #endif
 {
-    struct stat statbuf, newstatbuf;
+    struct stat statbuf, newstatbuf, instpbuf;
     int fd, pid, status;
+    char *inst_parent, *trailing_slash;
 
     /*
      * stat the directory to polyinstantiate, so its owner-group-mode
@@ -653,6 +655,49 @@ static int create_dirs(const struct poly
     }
 
     /*
+     * stat the instance parent path to make sure it exists
+     * and is a directory. Check that its mode is 000 (unless the
+     * admin explicitly instructs to ignore the instance parent
+     * mode by the "ignore_instance_parent_mode" argument).
+     */
+    inst_parent = (char *) malloc(strlen(ipath)+1);
+    if (!inst_parent) {
+	pam_syslog(idata->pamh, LOG_ERR, "Error allocating pathname string");
+        return PAM_SESSION_ERR;
+    }
+
+    strcpy(inst_parent, ipath);
+    trailing_slash = strrchr(inst_parent, '/');
+    if (trailing_slash)
+        *trailing_slash = '\0';
+
+    if (stat(inst_parent, &instpbuf) < 0) {
+        pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", inst_parent);
+        free(inst_parent);
+        return PAM_SESSION_ERR;
+    }
+
+    /*
+     * Make sure we are dealing with a directory
+     */
+    if (!S_ISDIR(instpbuf.st_mode)) {
+	pam_syslog(idata->pamh, LOG_ERR, "Instance parent %s is not a dir",
+		inst_parent);
+        free(inst_parent);
+        return PAM_SESSION_ERR;
+    }
+
+    if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) {
+        if (instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) {
+	    pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000",
+		    inst_parent);
+            free(inst_parent);
+            return PAM_SESSION_ERR;
+        }
+    }
+    free(inst_parent);
+
+    /*
      * Create instance directory and set its security context to the context
      * returned by the security policy. Set its mode and ownership
      * attributes to match that of the original directory that is being
@@ -1157,6 +1202,8 @@ PAM_EXTERN int pam_sm_open_session(pam_h
             idata.flags |= PAMNS_GEN_HASH;
         if (strcmp(argv[i], "ignore_config_error") == 0)
             idata.flags |= PAMNS_IGN_CONFIG_ERR;
+        if (strcmp(argv[i], "ignore_instance_parent_mode") == 0)
+            idata.flags |= PAMNS_IGN_INST_PARENT_MODE;
         if (strcmp(argv[i], "unmnt_remnt") == 0)
             unmnt = UNMNT_REMNT;
         if (strcmp(argv[i], "unmnt_only") == 0)