-
Notifications
You must be signed in to change notification settings - Fork 0
Provide per-user private directories under /tmp as part of PAM session or account management
License
openwall/pam_mktemp
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
pam_mktemp is a PAM module that may be used with a PAM-aware login service to provide per-user private directories under /tmp as part of PAM session or account management. When an interactive (shell) session is started, a directory is created and the environment variables TMPDIR and TMP are set to the name of the directory. According to some "out of the box" SELinux policies, /tmp/.private and /tmp/.private/USER directories created by this module running from processes like login and sshd would inherit a login process context instead of /tmp directory or user context. As a result, user processes would have problems creating files in such "login-owned" directories. When the module is built with SELinux support ("make USE_SELINUX=1"), it creates directories in the proper context. Please note that there's a security risk of using pam_mktemp along with tmpwatch(8) and maybe with some other "/tmp cleaners", but stmpclean(8) is known to be safe. If you must use a "/tmp cleaner" that exposes the problem (although you'd better not), this risk may be avoided by enabling pam_mktemp's USE_APPEND_FL compile-time setting ("make USE_APPEND_FL=1") _and_ keeping /tmp on an ext2, ext3, or ext4 filesystem. Please refer to comments in pam_mktemp.c for more detail on the issue. Once again, it is better to switch to using a "/tmp cleaner" that does not expose the problem. $Owl: Owl/packages/pam_mktemp/pam_mktemp/README,v 1.2 2010/09/17 22:24:36 solar Exp $
About
Provide per-user private directories under /tmp as part of PAM session or account management