[redhat-lspp] Some enhancements for pam_namespace

Tomas Mraz tmraz at redhat.com
Tue Jun 5 07:38:08 UTC 2007


On Mon, 2007-06-04 at 12:10 -0500, Klaus Weidner wrote:
> On Fri, Jun 01, 2007 at 09:47:17AM +0200, Tomas Mraz wrote:
> > I've implemented some enhancements for pam_namespace which can be used
> > for temporary logons. These enhancements were proposed by Dan Walsh.
> > Please review if you're interested.
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241226
> > https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=155825
> 
> I like the functionality, but I'm starting to think that pam_namespace
> may get too complex if too many special cases get added. Rather than
> implementing a complex ad-hoc language for the namespace conf file, would
> it make sense to provide the option of calling an external script, giving
> it username and context etc. as arguments, and using its output as a list
> of namespace configurations?
> 
> That way, you could keep policy decisions in the script.

That would help just with the ~xguest part of the enhancements, but this
change is really simple and doesn't affect much of the code.

However, the temp dir part must be handled in the module directly. The
only change could be, instead of calling 'rm -rf' directly, to call
something like a namespace.remove script. But as the only logical thing is
to remove the temporary directory anyway, I don't think it is worth the
hassle.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb



