pam-netns is a PAM module that gives each user its own network namespace, analogous to what pam_namespace does for filesystem namespaces.
apt-get update && apt-get install build-essential libpam0g-dev libcap-dev gettext
apt-get update && apt-get install gettext indent doxygen
make all
make install
make doc
make po
pam_netns.so is especially useful on systems used by more than one user concurrently, e.g. terminal servers or multiseat systems. If you intend to set up the whole user session as a new network namespace and you want to mount USB devices, you MUST apply the patches in the subdirectory "patches" so that AF_UNIX sockets can be opened, if your kernel version is < 2.6.36. Since kernel version 2.6.36 the patch is no longer required because it is integrated into the kernel.
At present pam-netns only allows one level of login: once a user is logged in and has a namespace, that user cannot start a second session inside the same namespace.
debug
unshare_fs
shm_del
before_script=<path>
after_script=<path>
setup_script=<path>
helper=<path>
affect_root
# /etc/pam.d/login
# ...
session    optional   pam_mail.so standard
# Standard Un*x account and session
@include common-account
session    required   pam_netns.so
@include common-session
# ...
#%PAM-1.0
auth       requisite  pam_nologin.so
auth       required   pam_env.so readenv=1
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth       optional   pam_gnome_keyring.so
@include common-account
session    required   pam_limits.so
@include common-session
session    required   pam_netns.so
session    optional   pam_gnome_keyring.so auto_start
@include common-password
#
# /etc/pam.d/kdm - specify the PAM behaviour of kdm
#
auth       required   pam_nologin.so
auth       required   pam_env.so readenv=1
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
session    required   pam_limits.so
@include common-account
@include common-password
@include common-session
session    required   pam_netns.so
You should not add this module to common-session, because some services that include common-session should not be affected by it, e.g. su and sudo.
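To check that an installed configuration follows this rule, here is an added audit script (not part of pam-netns). It reports pam_netns.so loaded from the shared common-session files and any su or sudo service that reaches it, either directly or through an @include of a flagged shared file; the pam.d directory and the sample file contents are parameters and constructed data, /etc/pam.d is only the usual location.

```shell
#!/bin/sh
# Added example, not pam-netns's own code: audit where pam_netns.so is loaded
# in a pam.d directory. Expected placement (per the README) is in service
# files such as login/gdm/kdm, never in common-session, su or sudo.

# Print "line:text" for every active (non-comment) session line that loads
# pam_netns.so in service file $1. Status 0 if any found, non-zero otherwise.
pam_netns_lines() {
    grep -n '^[[:space:]]*session[[:space:]].*pam_netns\.so' "$1" 2>/dev/null
}

# Does service file $1 reach pam_netns.so, either directly or through an
# "@include" of one of the flagged shared files listed in $2 (space-separated)?
reaches_pam_netns() {
    if pam_netns_lines "$1" >/dev/null; then return 0; fi
    for inc in $2; do
        grep -q "^[[:space:]]*@include[[:space:]]*$inc[[:space:]]*$" "$1" 2>/dev/null && return 0
    done
    return 1
}

# Audit pam.d directory $1. Prints one line per finding; the return value is
# the number of problematic placements (0 means the layout follows the README).
audit_pam_netns() {
    dir=$1
    bad=0
    tainted=""
    for shared in common-session common-session-noninteractive; do
        if pam_netns_lines "$dir/$shared" >/dev/null; then
            echo "WARNING: pam_netns.so loaded from shared file $dir/$shared"
            tainted="$tainted $shared"
            bad=$((bad + 1))
        fi
    done
    for svc in su sudo; do
        if [ -f "$dir/$svc" ] && reaches_pam_netns "$dir/$svc" "$tainted"; then
            echo "WARNING: $svc would get its own network namespace ($dir/$svc)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample layout written into directory $1: a login file that
# follows the README, a clean common-session, and su including common-session.
write_sample_pamd() {
    printf '@include common-account\nsession required pam_netns.so\n@include common-session\n' > "$1/login"
    printf 'session required pam_unix.so\n' > "$1/common-session"
    printf '@include common-session\n' > "$1/su"
}
```

Run it as `audit_pam_netns /etc/pam.d` from a shell that has sourced the file; a non-zero exit status means at least one placement needs to be moved into a specific service file.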
You can use newnetns to start /bin/bash in a new network namespace (this requires CAP_SYS_ADMIN):

    # newnetns debug=7
    # ifconfig -a

should show something like:

    # ifconfig
    lo        Link encap:Lokale Schleife
              inet Adresse:127.0.0.1  Maske:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metrik:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              Kollisionen:0 Sendewarteschlangenlänge:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    ns36051   Link encap:Ethernet  Hardware Adresse ba:1a:79:9c:3d:3e
              inet Adresse:192.168.253.3  Bcast:192.168.253.255  Maske:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
              RX packets:5 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              Kollisionen:0 Sendewarteschlangenlänge:1000
              RX bytes:983 (983.0 B)  TX bytes:0 (0.0 B)