On Sun, Jan 19, 2014 at 03:15:15AM +0400, Dmitry V. Levin wrote:
On Fri, Jan 17, 2014 at 06:24:16PM -0500, Stéphane Graber wrote:
> The previous patch to support user namespaces works fine with containers
> that are started from a desktop/terminal session but fails when dealing
> with containers that were started from a remote session such as ssh.
> I haven't looked at the exact reason for that in the kernel but on the
> userspace side of things, the difference is that containers started from
> an ssh session will happily let pam open /proc/self/loginuid read-write,
> will let it read its content but will then fail with EPERM when trying
> to write to it.
> So to make the userns support bulletproof, this commit moves the userns
> check earlier in the function (which means a small performance impact as
> it'll now happen every time on kernels that have userns support) and will
> set rc = PAM_IGNORE instead of rc = PAM_ERROR.
> The rest of the code is still executed in the event that PAM is run on a
> future kernel where we have some kind of audit namespace that includes a
> working loginuid.
Looks OK.
Agreed, and committed. Thanks, Stéphane!
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek(a)ubuntu.com                                 vorlon(a)debian.org