https://github.com/openwall/pam_mktemp
Provide per-user private directories under /tmp as part of PAM session or account management
directory module pam temporary tmpdir
Last synced: 7 months ago
- Host: GitHub
- URL: https://github.com/openwall/pam_mktemp
- Owner: openwall
- License: other
- Created: 2021-01-11T22:05:55.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2021-01-18T18:32:40.000Z (over 4 years ago)
- Last Synced: 2025-01-13T09:38:09.819Z (9 months ago)
- Topics: directory, module, pam, temporary, tmpdir
- Language: C
- Homepage: https://www.openwall.com/pam/
- Size: 75.2 KB
- Stars: 1
- Watchers: 5
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README
- License: LICENSE
README
pam_mktemp is a PAM module that may be used with a PAM-aware login
service to provide per-user private directories under /tmp as part
of PAM session or account management.

When an interactive (shell) session is started, a directory is created
and the environment variables TMPDIR and TMP are set to the name of
the directory.

According to some "out of the box" SELinux policies, /tmp/.private and
/tmp/.private/USER directories created by this module running from
processes like login and sshd would inherit a login process context
instead of /tmp directory or user context. As a result, user processes
would have problems creating files in such "login-owned" directories.
When the module is built with SELinux support ("make USE_SELINUX=1"), it
creates directories in the proper context.

Please note that there's a security risk of using pam_mktemp along with
tmpwatch(8) and maybe with some other "/tmp cleaners", but stmpclean(8)
is known to be safe. If you must use a "/tmp cleaner" that exposes the
problem (although you'd better not), this risk may be avoided by
enabling pam_mktemp's USE_APPEND_FL compile-time setting
("make USE_APPEND_FL=1") _and_ keeping /tmp on an ext2, ext3, or ext4
filesystem. Please refer to comments in pam_mktemp.c for more detail on
the issue. Once again, it is better to switch to using a "/tmp cleaner"
that does not expose the problem.

$Owl: Owl/packages/pam_mktemp/pam_mktemp/README,v 1.2 2010/09/17 22:24:36 solar Exp $