83f626c2 JR |
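--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.no-unmount 2006-10-24 07:45:36.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:08:58.000000000 -0500
@@ -1266,12 +1266,30 @@
 idata.flags |= PAMNS_DEBUG;
 if (strcmp(argv[i], "ignore_config_error") == 0)
 idata.flags |= PAMNS_IGN_CONFIG_ERR;
+ if (strcmp(argv[i], "no_unmount_on_close") == 0)
+ idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE;
 }
 
 if (idata.flags & PAMNS_DEBUG)
 pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
 
 /*
+ * For certain trusted programs such as newrole, open session
+ * is called from a child process while the parent perfoms
+ * close session and pam end functions. For these commands
+ * pam_close_session should not perform the unmount of the
+ * polyinstantiatied directory because it will result in
+ * undoing of parents polyinstantiatiaion. These commands
+ * will invoke pam_namespace with the "no_unmount_on_close"
+ * argument.
+ */
+ if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
+ if (idata.flags & PAMNS_DEBUG)
+ pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
+ return PAM_SUCCESS;
+ }
+
+ /*
 * Lookup user and fill struct items
 */
 retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );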
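Review bot: The early return taken when `PAMNS_NO_UNMOUNT_ON_CLOSE` is set logs `close_session - sucessful`, which is misspelled and does not record that the unmount was skipped, so a debug log cannot tell this path apart from a close that actually removed the polyinstantiated mounts. I would log the skip explicitly, for example `pam_syslog(idata.pamh, LOG_DEBUG, "close_session - unmount skipped (no_unmount_on_close)");`. The option deliberately leaves the bind mounts in place, so the block comment should also say that it is presumably only appropriate for services like the newrole case it describes, since on another service the instance directories would stay mounted after the session ends. The same comment has typos worth fixing (`perfoms`, `polyinstantiatied`, `polyinstantiatiaion`). The enclosing function starts and ends outside the hunk.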
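--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml.no-unmount 2006-06-27 09:07:44.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml 2007-01-19 07:45:02.000000000 -0500
@@ -43,6 +43,9 @@
 <arg choice="opt">
 ignore_instance_parent_mode
 </arg>
+ <arg choice="opt">
+ no_unmount_on_close
+ </arg>
 </cmdsynopsis>
 </refsynopsisdiv>
 
@@ -179,6 +182,22 @@
 </listitem>
 </varlistentry>
 
+ <varlistentry>
+ <term>
+ <option>no_unmount_on_close</option>
+ </term>
+ <listitem>
+ <para>
+ For certain trusted programs such as newrole, open session
+ is called from a child process while the parent perfoms
+ close session and pam end functions. For these commands
+ use this option to instruct pam_close_session to not
+ unmount the bind mounted polyinstantiated directory in the
+ parent.
+ </para>
+ </listitem>
+ </varlistentry>
+
 </variablelist>
 </refsect1>
 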
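--- Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml.no-unmount 2006-06-28 03:22:43.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml 2007-01-19 07:45:02.000000000 -0500
@@ -121,6 +121,14 @@
 the restrictive mode of 000. Using this option, an administrator
 can choose to ignore the mode of the instance parent.
 
+ no_unmount_on_close
+ For certain trusted programs such as newrole, open session
+ is called from a child process while the parent perfoms
+ close session and pam end functions. For these commands
+ use this option to instruct pam_close_session to not
+ unmount the bind mounted polyinstantiated directory in the
+ parent.
+
 MODULE SERVICES PROVIDED:
 session open_session and close_session
 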
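--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.no-unmount 2006-07-28 07:59:28.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 07:45:02.000000000 -0500
@@ -86,6 +86,7 @@
 #define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */
 #define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */
 #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
+#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
 
 /*
 * Polyinstantiation method options, based on user, security context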