pam/pam-0.99.7.0-namespace-no-unmount.patch

--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.no-unmount	2006-10-24 07:45:36.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c	2007-01-19 08:08:58.000000000 -0500
@@ -1266,12 +1266,30 @@
             idata.flags |= PAMNS_DEBUG;
         if (strcmp(argv[i], "ignore_config_error") == 0)
             idata.flags |= PAMNS_IGN_CONFIG_ERR;
+        if (strcmp(argv[i], "no_unmount_on_close") == 0)
+            idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE;
     }
 
     if (idata.flags & PAMNS_DEBUG)
         pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
 
     /*
+     * For certain trusted programs such as newrole, open session
+     * is called from a child process while the parent perfoms
+     * close session and pam end functions. For these commands
+     * pam_close_session should not perform the unmount of the
+     * polyinstantiatied directory because it will result in
+     * undoing of parents polyinstantiatiaion. These commands
+     * will invoke pam_namespace with the "no_unmount_on_close"
+     * argument.
+     */
+    if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
+	if (idata.flags & PAMNS_DEBUG)
+	    pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
+        return PAM_SUCCESS;
+    }
+
+    /* 
      * Lookup user and fill struct items
      */
     retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml.no-unmount	2006-06-27 09:07:44.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml	2007-01-19 07:45:02.000000000 -0500
@@ -43,6 +43,9 @@
       <arg choice="opt">
         ignore_instance_parent_mode
       </arg>
+      <arg choice="opt">
+        no_unmount_on_close
+      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -179,6 +182,22 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+          <option>no_unmount_on_close</option>
+        </term>
+        <listitem>
+          <para>
+           For certain trusted programs such as newrole, open session
+           is called from a child process while the parent perfoms
+           close session and pam end functions. For these commands
+           use this option to instruct pam_close_session to not
+           unmount the bind mounted polyinstantiated directory in the
+            parent.
+          </para>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
--- Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml.no-unmount	2006-06-28 03:22:43.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml	2007-01-19 07:45:02.000000000 -0500
@@ -121,6 +121,14 @@
 	the restrictive mode of 000. Using this option, an administrator
 	can choose to ignore the mode of the instance parent.
 
+    no_unmount_on_close
+       For certain trusted programs such as newrole, open session
+       is called from a child process while the parent perfoms
+       close session and pam end functions. For these commands
+       use this option to instruct pam_close_session to not
+       unmount the bind mounted polyinstantiated directory in the
+       parent.
+
 MODULE SERVICES PROVIDED:
 	session            open_session and close_session
 
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.no-unmount	2006-07-28 07:59:28.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h	2007-01-19 07:45:02.000000000 -0500
@@ -86,6 +86,7 @@
 #define PAMNS_GEN_HASH        0x00002000 /* Generate md5 hash for inst names */
 #define PAMNS_IGN_CONFIG_ERR  0x00004000 /* Ignore format error in conf file */
 #define PAMNS_IGN_INST_PARENT_MODE  0x00008000 /* Ignore instance parent mode */
+#define PAMNS_NO_UNMOUNT_ON_CLOSE  0x00010000 /* no unmount at session close */
 
 /*
  * Polyinstantiation method options, based on user, security context
- upgrade to new upstream version - drop pam_stack module as it is obsolete - some changes to silence rpmlint 2007-01-19 17:42:21 +00:00			`--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.no-unmount 2006-10-24 07:45:36.000000000 -0400`
			`+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:08:58.000000000 -0500`
			`@@ -1266,12 +1266,30 @@`
			`idata.flags \|= PAMNS_DEBUG;`
			`if (strcmp(argv[i], "ignore_config_error") == 0)`
			`idata.flags \|= PAMNS_IGN_CONFIG_ERR;`
			`+ if (strcmp(argv[i], "no_unmount_on_close") == 0)`
			`+ idata.flags \|= PAMNS_NO_UNMOUNT_ON_CLOSE;`
			`}`

			`if (idata.flags & PAMNS_DEBUG)`
			`pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");`

			`/*`
			`+ * For certain trusted programs such as newrole, open session`
			`+ * is called from a child process while the parent perfoms`
			`+ * close session and pam end functions. For these commands`
			`+ * pam_close_session should not perform the unmount of the`
			`+ * polyinstantiatied directory because it will result in`
			`+ * undoing of parents polyinstantiatiaion. These commands`
			`+ * will invoke pam_namespace with the "no_unmount_on_close"`
			`+ * argument.`
			`+ */`
			`+ if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {`
			`+ if (idata.flags & PAMNS_DEBUG)`
			`+ pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");`
			`+ return PAM_SUCCESS;`
			`+ }`
			`+`
			`+ /*`
			`* Lookup user and fill struct items`
			`*/`
			`retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );`
			`--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml.no-unmount 2006-06-27 09:07:44.000000000 -0400`
			`+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml 2007-01-19 07:45:02.000000000 -0500`
			`@@ -43,6 +43,9 @@`
			`<arg choice="opt">`
			`ignore_instance_parent_mode`
			`</arg>`
			`+ <arg choice="opt">`
			`+ no_unmount_on_close`
			`+ </arg>`
			`</cmdsynopsis>`
			`</refsynopsisdiv>`

			`@@ -179,6 +182,22 @@`
			`</listitem>`
			`</varlistentry>`

			`+ <varlistentry>`
			`+ <term>`
			`+ <option>no_unmount_on_close</option>`
			`+ </term>`
			`+ <listitem>`
			`+ <para>`
			`+ For certain trusted programs such as newrole, open session`
			`+ is called from a child process while the parent perfoms`
			`+ close session and pam end functions. For these commands`
			`+ use this option to instruct pam_close_session to not`
			`+ unmount the bind mounted polyinstantiated directory in the`
			`+ parent.`
			`+ </para>`
			`+ </listitem>`
			`+ </varlistentry>`
			`+`
			`</variablelist>`
			`</refsect1>`

			`--- Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml.no-unmount 2006-06-28 03:22:43.000000000 -0400`
			`+++ Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml 2007-01-19 07:45:02.000000000 -0500`
			`@@ -121,6 +121,14 @@`
			`the restrictive mode of 000. Using this option, an administrator`
			`can choose to ignore the mode of the instance parent.`

			`+ no_unmount_on_close`
			`+ For certain trusted programs such as newrole, open session`
			`+ is called from a child process while the parent perfoms`
			`+ close session and pam end functions. For these commands`
			`+ use this option to instruct pam_close_session to not`
			`+ unmount the bind mounted polyinstantiated directory in the`
			`+ parent.`
			`+`
			`MODULE SERVICES PROVIDED:`
			`session open_session and close_session`

			`--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.no-unmount 2006-07-28 07:59:28.000000000 -0400`
			`+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 07:45:02.000000000 -0500`
			`@@ -86,6 +86,7 @@`
			`#define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */`
			`#define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */`
			`#define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */`
			`+#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */`

			`/*`
			`* Polyinstantiation method options, based on user, security context`