5:24 p.m.
The previous patch to support user namespaces works fine with containers
that are started from a desktop/terminal session but fails when dealing
with containers that were started from a remote session such as ssh.
I haven't looked at the exact reason for that in the kernel but on the
userspace side of things, the difference is that containers started from
an ssh session will happily let pam open /proc/self/loginuid read-write,
will let it read its content but will then fail with EPERM when trying
to write to it.
So to make the userns support bullet proof, this commit moves the userns
check earlier in the function (which means a small performance impact as
it'll now happen everytime on kernels that have userns support) and will
set rc = PAM_IGNORE instead of rc = PAM_ERROR.
The rest of the code is still executed in the event that PAM is run on a
future kernel where we have some kind of audit namespace that includes a
working loginuid.
Signed-off-by: Stéphane Graber <stgraber(a)ubuntu.com>
---
modules/pam_loginuid/pam_loginuid.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
index 54ae6f0..d258422 100644
--- a/modules/pam_loginuid/pam_loginuid.c
+++ b/modules/pam_loginuid/pam_loginuid.c
@@ -58,21 +58,22 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
static const char host_uid_map[] = " 0 0 4294967295\n";
char uid_map[sizeof(host_uid_map)];
+ /* loginuid in user namespaces currently isn't writable and in some
+ case, not even readable, so consider any failure as ignorable (but try
+ anyway, in case we hit a kernel which supports it). */
+ fd = open("/proc/self/uid_map", O_RDONLY);
+ if (fd >= 0) {
+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
+ if (strncmp(uid_map, host_uid_map, count) != 0)
+ rc = PAM_IGNORE;
+ close(fd);
+ }
+
count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
if (fd < 0) {
if (errno == ENOENT) {
rc = PAM_IGNORE;
- } else if (errno == EACCES) {
- fd = open("/proc/self/uid_map", O_RDONLY);
- if (fd >= 0) {
- count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
- if (strncmp(uid_map, host_uid_map, count) != 0)
- rc = PAM_IGNORE;
- close(fd);
- }
- if (rc != PAM_IGNORE)
- errno = EACCES;
}
if (rc != PAM_IGNORE) {
pam_syslog(pamh, LOG_ERR,
--
1.8.5.3
5:15 p.m.
On Fri, Jan 17, 2014 at 06:24:16PM -0500, Stéphane Graber wrote:
The previous patch to support user namespaces works fine with
containers
that are started from a desktop/terminal session but fails when dealing
with containers that were started from a remote session such as ssh.
I haven't looked at the exact reason for that in the kernel but on the
userspace side of things, the difference is that containers started from
an ssh session will happily let pam open /proc/self/loginuid read-write,
will let it read its content but will then fail with EPERM when trying
to write to it.
So to make the userns support bullet proof, this commit moves the userns
check earlier in the function (which means a small performance impact as
it'll now happen everytime on kernels that have userns support) and will
set rc = PAM_IGNORE instead of rc = PAM_ERROR.
The rest of the code is still executed in the event that PAM is run on a
future kernel where we have some kind of audit namespace that includes a
working loginuid.
Looks OK.
--
ldv
10:24 p.m.
On Sun, Jan 19, 2014 at 03:15:15AM +0400, Dmitry V. Levin wrote:
On Fri, Jan 17, 2014 at 06:24:16PM -0500, Stéphane Graber wrote:
> The previous patch to support user namespaces works fine with containers
> that are started from a desktop/terminal session but fails when dealing
> with containers that were started from a remote session such as ssh.
> I haven't looked at the exact reason for that in the kernel
but on the
> userspace side of things, the difference is that containers started from
> an ssh session will happily let pam open /proc/self/loginuid read-write,
> will let it read its content but will then fail with EPERM when trying
> to write to it.
> So to make the userns support bullet proof, this commit moves
the userns
> check earlier in the function (which means a small performance impact as
> it'll now happen everytime on kernels that have userns support) and will
> set rc = PAM_IGNORE instead of rc = PAM_ERROR.
> The rest of the code is still executed in the event that PAM is
run on a
> future kernel where we have some kind of audit namespace that includes a
> working loginuid.
Looks OK.
Agreed, and committed. Thanks, Stéphane!
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek(a)ubuntu.com vorlon(a)debian.org
3771
days inactive
3773
days old
pam-developers@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
Dmitry V. Levin -
Steve Langasek -
Stéphane Graber