--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.no-unmount 2006-10-24 07:45:36.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:08:58.000000000 -0500
@@ -1266,12 +1266,30 @@
idata.flags |= PAMNS_DEBUG;
if (strcmp(argv[i], "ignore_config_error") == 0)
idata.flags |= PAMNS_IGN_CONFIG_ERR;
+ if (strcmp(argv[i], "no_unmount_on_close") == 0)
+ idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE;
}
if (idata.flags & PAMNS_DEBUG)
pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
/*
+ * For certain trusted programs such as newrole, open session
+ * is called from a child process while the parent perfoms
+ * close session and pam end functions. For these commands
+ * pam_close_session should not perform the unmount of the
+ * polyinstantiatied directory because it will result in
+ * undoing of parents polyinstantiatiaion. These commands
+ * will invoke pam_namespace with the "no_unmount_on_close"
+ * argument.
+ */
+ if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
+ if (idata.flags & PAMNS_DEBUG)
+ pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
+ return PAM_SUCCESS;
+ }
+
+ /*
* Lookup user and fill struct items
*/
retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml.no-unmount 2006-06-27 09:07:44.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml 2007-01-19 07:45:02.000000000 -0500
@@ -43,6 +43,9 @@
ignore_instance_parent_mode
+
+ no_unmount_on_close
+
@@ -179,6 +182,22 @@
+
+
+
+
+
+
+ For certain trusted programs such as newrole, open session
+ is called from a child process while the parent perfoms
+ close session and pam end functions. For these commands
+ use this option to instruct pam_close_session to not
+ unmount the bind mounted polyinstantiated directory in the
+ parent.
+
+
+
+
--- Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml.no-unmount 2006-06-28 03:22:43.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml 2007-01-19 07:45:02.000000000 -0500
@@ -121,6 +121,14 @@
the restrictive mode of 000. Using this option, an administrator
can choose to ignore the mode of the instance parent.
+ no_unmount_on_close
+ For certain trusted programs such as newrole, open session
+ is called from a child process while the parent perfoms
+ close session and pam end functions. For these commands
+ use this option to instruct pam_close_session to not
+ unmount the bind mounted polyinstantiated directory in the
+ parent.
+
MODULE SERVICES PROVIDED:
session open_session and close_session
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.no-unmount 2006-07-28 07:59:28.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 07:45:02.000000000 -0500
@@ -86,6 +86,7 @@
#define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */
#define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */
#define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
+#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
/*
* Polyinstantiation method options, based on user, security context