[packages/pam.git] / pam-namespace-no-unmount.patch

--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.no-unmount	2006-10-24 07:45:36.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c	2007-01-19 08:08:58.000000000 -0500
@@ -1266,12 +1266,30 @@
             idata.flags |= PAMNS_DEBUG;
         if (strcmp(argv[i], "ignore_config_error") == 0)
             idata.flags |= PAMNS_IGN_CONFIG_ERR;
+        if (strcmp(argv[i], "no_unmount_on_close") == 0)
+            idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE;
     }
 
     if (idata.flags & PAMNS_DEBUG)
         pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
 
     /*
+     * For certain trusted programs such as newrole, open session
+     * is called from a child process while the parent perfoms
+     * close session and pam end functions. For these commands
+     * pam_close_session should not perform the unmount of the
+     * polyinstantiatied directory because it will result in
+     * undoing of parents polyinstantiatiaion. These commands
+     * will invoke pam_namespace with the "no_unmount_on_close"
+     * argument.
+     */
+    if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
+	if (idata.flags & PAMNS_DEBUG)
+	    pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
+        return PAM_SUCCESS;
+    }
+
+    /* 
      * Lookup user and fill struct items
      */
     retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml.no-unmount	2006-06-27 09:07:44.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml	2007-01-19 07:45:02.000000000 -0500
@@ -43,6 +43,9 @@
       <arg choice="opt">
         ignore_instance_parent_mode
       </arg>
+      <arg choice="opt">
+        no_unmount_on_close
+      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -179,6 +182,22 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+          <option>no_unmount_on_close</option>
+        </term>
+        <listitem>
+          <para>
+           For certain trusted programs such as newrole, open session
+           is called from a child process while the parent perfoms
+           close session and pam end functions. For these commands
+           use this option to instruct pam_close_session to not
+           unmount the bind mounted polyinstantiated directory in the
+            parent.
+          </para>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
--- Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml.no-unmount	2006-06-28 03:22:43.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml	2007-01-19 07:45:02.000000000 -0500
@@ -121,6 +121,14 @@
 	the restrictive mode of 000. Using this option, an administrator
 	can choose to ignore the mode of the instance parent.
 
+    no_unmount_on_close
+       For certain trusted programs such as newrole, open session
+       is called from a child process while the parent perfoms
+       close session and pam end functions. For these commands
+       use this option to instruct pam_close_session to not
+       unmount the bind mounted polyinstantiated directory in the
+       parent.
+
 MODULE SERVICES PROVIDED:
 	session            open_session and close_session
 
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.no-unmount	2006-07-28 07:59:28.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h	2007-01-19 07:45:02.000000000 -0500
@@ -86,6 +86,7 @@
 #define PAMNS_GEN_HASH        0x00002000 /* Generate md5 hash for inst names */
 #define PAMNS_IGN_CONFIG_ERR  0x00004000 /* Ignore format error in conf file */
 #define PAMNS_IGN_INST_PARENT_MODE  0x00008000 /* Ignore instance parent mode */
+#define PAMNS_NO_UNMOUNT_ON_CLOSE  0x00010000 /* no unmount at session close */
 
 /*
  * Polyinstantiation method options, based on user, security context
Commit	Line	Data
83f626c2 JR	1	--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.no-unmount 2006-10-24 07:45:36.000000000 -0400
	2	+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:08:58.000000000 -0500
	3	@@ -1266,12 +1266,30 @@
	4	idata.flags \|= PAMNS_DEBUG;
	5	if (strcmp(argv[i], "ignore_config_error") == 0)
	6	idata.flags \|= PAMNS_IGN_CONFIG_ERR;
	7	+ if (strcmp(argv[i], "no_unmount_on_close") == 0)
	8	+ idata.flags \|= PAMNS_NO_UNMOUNT_ON_CLOSE;
	9	}
	10
	11	if (idata.flags & PAMNS_DEBUG)
	12	pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
	13
	14	/*
	15	+ * For certain trusted programs such as newrole, open session
	16	+ * is called from a child process while the parent perfoms
	17	+ * close session and pam end functions. For these commands
	18	+ * pam_close_session should not perform the unmount of the
	19	+ * polyinstantiatied directory because it will result in
	20	+ * undoing of parents polyinstantiatiaion. These commands
	21	+ * will invoke pam_namespace with the "no_unmount_on_close"
	22	+ * argument.
	23	+ */
	24	+ if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
	25	+ if (idata.flags & PAMNS_DEBUG)
	26	+ pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
	27	+ return PAM_SUCCESS;
	28	+ }
	29	+
	30	+ /*
	31	* Lookup user and fill struct items
	32	*/
	33	retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
	34	--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml.no-unmount 2006-06-27 09:07:44.000000000 -0400
	35	+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml 2007-01-19 07:45:02.000000000 -0500
	36	@@ -43,6 +43,9 @@
	37	<arg choice="opt">
	38	ignore_instance_parent_mode
	39	</arg>
	40	+ <arg choice="opt">
	41	+ no_unmount_on_close
	42	+ </arg>
	43	</cmdsynopsis>
	44	</refsynopsisdiv>
	45
	46	@@ -179,6 +182,22 @@
	47	</listitem>
	48	</varlistentry>
	49
	50	+ <varlistentry>
	51	+ <term>
	52	+ <option>no_unmount_on_close</option>
	53	+ </term>
	54	+ <listitem>
	55	+ <para>
	56	+ For certain trusted programs such as newrole, open session
	57	+ is called from a child process while the parent perfoms
	58	+ close session and pam end functions. For these commands
	59	+ use this option to instruct pam_close_session to not
	60	+ unmount the bind mounted polyinstantiated directory in the
	61	+ parent.
	62	+ </para>
	63	+ </listitem>
	64	+ </varlistentry>
65	+
66	</variablelist>
67	</refsect1>
68
69	--- Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml.no-unmount 2006-06-28 03:22:43.000000000 -0400
70	+++ Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml 2007-01-19 07:45:02.000000000 -0500
71	@@ -121,6 +121,14 @@
72	the restrictive mode of 000. Using this option, an administrator
73	can choose to ignore the mode of the instance parent.
74
75	+ no_unmount_on_close
76	+ For certain trusted programs such as newrole, open session
77	+ is called from a child process while the parent perfoms
78	+ close session and pam end functions. For these commands
79	+ use this option to instruct pam_close_session to not
80	+ unmount the bind mounted polyinstantiated directory in the
81	+ parent.
82	+
83	MODULE SERVICES PROVIDED:
84	session open_session and close_session
85
86	--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.no-unmount 2006-07-28 07:59:28.000000000 -0400
87	+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 07:45:02.000000000 -0500
88	@@ -86,6 +86,7 @@
89	#define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */
90	#define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */
91	#define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
92	+#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
93
94	/*
95	* Polyinstantiation method options, based on user, security context