The pam-netns PAM module.

0.1

Author:
Prof. Dr.-Ing. Wilhelm Meier
Julian Thome
Date:
10.11.2010
logo.png
gpl.png

ToC

  1. What is pam_netns ?
  2. Quick Install (on Debian-like systems)
  3. Usage
  4. Limitations
  5. Options
  6. Configuration file
    1. Sample-pam-configuration for login
    2. Sample-pam-configuration for gdm
      1. Sample-pam-configuration for kdm
      2. Hints
  7. Testing

What is pam_netns ?

pam-netns is a PAM Module to allow each user having its own network namespace analogous to pam-namespace.

Quick Install (on Debian-like systems)

  1. Kernel-Patch [optional] Use the files in the patches/ directory. These patches are written by Daniel Lezcano. and eliminates the setup of af_unix-proxies between the parent namespace and the new child namespace. This patch is only required under the assumption that you use a kernel version < 2.6.36
  2. Installation of required packages for compilation. 
    apt-get update && apt-get install build-essentials libpam0g-dev libcap-dev gettext
  3. Installation of additional packages that are not required for compilation. 
    apt-get update && apt-get install gettext indent doxygen
  4. Build the module 
    make all
  5. Install the module 
    make install
  6. Build the code documentation 
    make doc
  7. Build a new gettext file 
    make po

Usage

pam_netns.so is especially useful on systems used by more than one user concurrently e.g. terminal servers or multiseat systems. If you intend to setup the whole user session as new network namespace and you want to mount USB devices, you MUST use the patches in the subdirectory "patches" to allow opening the af_unix sockets if you have a kernel version < 2.6.36. Since kernel version 2.6.36 the patch is no longer required because it is integrated into the kernel.

Limitations

Till now pam-netns only allows one level login, which means that if a user is logged in and has its namespace this user can't start a second session in his namespace.

Options

  1. debug
    Log debug information (usually) to /var/log/auth.log
  2. unshare_fs
    This option is needed to unshare the fs in child ns.
  3. shm_del
    Delete shm file after closing session.
  4. before_script=<path>
    Path of script which will be executed before unshare syscall. You should specify it only for testing purposes the standard script is sufficient.
  5. after_script=<path>
    Path of script which will be executed after unshare syscall. You should specify it only for testing purposes the standard script is sufficient.
  6. setup_script=<path>
    Path of script which will be executed to setup network. You should specify it only for testing purposes the standard script is sufficient.
  7. helper=<path>
    Path of pam-netns-helper which is used to keep everything in sync. You should specify it only for testing purposes the standard helper is sufficient.
  8. affect_root
    Use that flag if you want the superuser be affected by this module. Per default no new network namespace is created for superuser. For more option information look at parse_options.[c|h].

Configuration file

Sample-pam-configuration for login

# /etc/pam.d/login
# ...

session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
session required        pam_netns.so 
@include common-session
#...

Sample-pam-configuration for gdm

#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session required        pam_limits.so
@include common-session
session required        pam_netns.so 
session optional        pam_gnome_keyring.so auto_start
@include common-password

Sample-pam-configuration for kdm

#
# /etc/pam.d/kdm - specify the PAM behaviour of kdm
#
auth       required     pam_nologin.so
auth       required     pam_env.so readenv=1
auth       required     pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
session    required     pam_limits.so
@include common-account
@include common-password
@include common-session
session required        pam_netns.so

Hints

You should not add this module to common-session because there are some services which should not be affected by this module e.g. su, sudo.

Testing

One can use newnetns to start /bin/bash in a new network namespace (need CAP_SYS_ADMIN) 

# newnetns debug=7
# ifconfig -a
should show something like:

# ifconfig
lo          Link encap:Lokale Schleife
            inet Adresse:127.0.0.1  Maske:255.0.0.0
            UP LOOPBACK RUNNING  MTU:16436  Metrik:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            Kollisionen:0 Sendewarteschlangenlänge:0
            RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ns36051     Link encap:Ethernet  Hardware Adresse ba:1a:79:9c:3d:3e
            inet Adresse:192.168.253.3  Bcast:192.168.253.255  Maske:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
            RX packets:5 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            Kollisionen:0 Sendewarteschlangenlänge:1000
            RX bytes:983 (983.0 B)  TX bytes:0 (0.0 B)
Generated on Thu Dec 2 2010 13:12:28 for pam_netns by  doxygen 1.7.1