[lxc-devel] [PATCH 4/4] oracle template: fix pam login failures under user namespace

Mon, 18 Nov 2013 09:30:45 -0800 

Signed-off-by: Dwight Engen <[email protected]>
---
 templates/lxc-oracle.in | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
index e86f261..8770e70 100644
--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
@@ -72,6 +72,10 @@ container_rootfs_configure()
     fi
     sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*close|#session 
required pam_selinux.so close|' $container_rootfs/etc/pam.d/login
     sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session 
required pam_selinux.so open|' $container_rootfs/etc/pam.d/login
+
+    # setting /proc/$$/loginuid doesn't work under user namespace, which
+    # prevents logins from working
+    sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required 
pam_loginuid.so|' $container_rootfs/etc/pam.d/sshd
     sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required 
pam_loginuid.so|' $container_rootfs/etc/pam.d/login
 
     if [ -f $container_rootfs/usr/sbin/selinuxenabled ]; then
@@ -83,6 +87,11 @@ container_rootfs_configure()
     sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 
2>/dev/null|' $container_rootfs/etc/rc.sysinit
     sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 
2>/dev/null|' $container_rootfs/etc/rc.d/rc.sysinit
 
+    # on ol4 pam_limits prevents logins when using user namespaces
+    if [ $container_release_major = "4" ]; then
+        sed -i 's|session[ \t]*required[ 
\t]*/lib/security/\$ISA/pam_limits.so|#session required 
/lib/security/$ISA/pam_limits.so|' $container_rootfs/etc/pam.d/system-auth
+    fi
+
     # configure the network to use dhcp. we set DHCP_HOSTNAME so the guest
     # will report its name and be resolv'able by the hosts dnsmasq
     cat <<EOF > $container_rootfs/etc/sysconfig/network-scripts/ifcfg-eth0
-- 
1.8.3.1


------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
_______________________________________________
Lxc-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lxc-devel

Reply via email to