While stress-testing the module in
https://lists.fedorahosted.org/pipermail/pam-developers/2012-October/0003...,
I found that the current pam_xauth does not work properly when the old
home-directory is hidden after the unshare (the same problem can occur
with pam_namespace). The reason is that the reading of xauth-cookie
needs to be done before the unshare, and the writing needs to be done
after the unshare. Attached is a Python mockup (to be called by
pam_python from
http://ace-host.stuart.id.au/russell/files/pam_python/)
of a revised xauth module.

The .conf file should contain something like:

    session optional pam_python.so /etc/pam.d/xauth.py get
    # The following include might make the current home-directory
    # unreadable (by pam_namespace or other modules doing pam_unshare)
    session include system-auth
    session optional pam_python.so /etc/pam.d/xauth.py set

Regards
Anders Blomdell
--
Anders Blomdell Email: anders.blomdell(a)control.lth.se
Department of Automatic Control
Lund University Phone: +46 46 222 4625
P.O. Box 118 Fax: +46 46 138118
SE-221 00 Lund, Sweden
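
The read-before-unshare, write-after-unshare split described in the message, as an added example that is neither the attached mockup nor pam_xauth's own code. It parses the .Xauthority file directly instead of calling xauth, and the function names, the in-memory stash and the session key are assumptions of this example.

```python
import os
import struct

_stash = {}  # hypothetical in-memory store bridging the "get" and "set" calls

def parse_xauthority(blob):
    """Decode records: big-endian u16 family, then four u16-length-prefixed fields."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []  # address, display number, auth name, auth data
        for _ in range(4):
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + n > len(blob):
                raise ValueError("truncated .Xauthority record")
            fields.append(blob[pos:pos + n])
            pos += n
        entries.append((family, *fields))
    return entries

def pack_xauthority(entries):
    """Inverse of parse_xauthority."""
    out = b""
    for family, *fields in entries:
        out += struct.pack(">H", family)
        out += b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return out

def phase_get(key, source_path, display):
    """Before the unshare: read the old home and keep only this display's cookies."""
    with open(source_path, "rb") as fh:
        entries = parse_xauthority(fh.read())
    _stash[key] = [e for e in entries if e[2] == display.encode()]
    return len(_stash[key])

def phase_set(key, target_path):
    """After the unshare: write from memory; the old home is never touched again."""
    entries = _stash.pop(key, [])
    if not entries:
        return False
    # Refuse a pre-planted file or symlink, and create the file as 0600 from the start.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(target_path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(pack_xauthority(entries))
    return True
```

In a pam_python module the two functions would be called from pam_sm_open_session according to the get or set argument shown in the .conf lines; switching to the target user's privileges before writing is not shown.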