author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2022-11-23 16:09:56 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2022-11-27 10:45:27 +0100
commit: 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901
tree: 9f6879a1aaa517bc86bb27afa75b2cc8fc53ad6a /src/login
parent: 9efb224443d819b7d64ec76cb94c8aa625a8abf2
download: systemd-0ef48896d9f23b9fd547a532a4e6e6b8f8b12901.tar.gz
pam: add a call to pam_namespace
A call to pam_namespace is required so that children of user@.service end up in a namespace as expected. pam_namespace gets called as part of the stack that creates a session (login, sshd, gdm, etc.) and those processes end up in a namespace, but it also needs to be called from our stack which is parallel and descends from pid1 itself.

The call to pam_namespace is similar to the call to pam_keyinit that was added in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service creates a new session which is disconnected from the parent environment. Both calls are not suitable for inclusion in the shared part of the stack (e.g. @system-auth on Fedora/RHEL systems), because for example su/sudo/runuser should not include them.

Fixes #17043 (Allow to execute user service into dedicated namespace if pam_namespace enabled)

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836 (Polyinstantiation is ignored/bypassed in GNOME sessions)
Diffstat (limited to 'src/login')
-rw-r--r-- src/login/systemd-user.in | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index d5597d28cb..06f7e36458 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -15,6 +15,7 @@ session required pam_selinux.so nottys open
{% endif %}
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
+session required pam_namespace.so
{% if ENABLE_HOMED %}
-session optional pam_systemd_home.so
{% endif %}
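Review bot: the new `session required pam_namespace.so` line uses `required`, so a module that fails (or cannot be loaded) makes the whole session stack fail and with it the start of user@.service, whereas the neighbouring `session optional pam_keyinit.so force revoke` line, which the commit message calls the analogous case, is `optional`. Consider whether `optional` is the safer default for a module whose configuration lives outside systemd (the namespace.conf policy), or guard the line with a build-time conditional the way `{% if ENABLE_HOMED %}` guards pam_systemd_home.so, and state the reason for `required` in the commit message either way.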