是否可以将 SSH 用户限制在登录时的新挂载命名空间中?

是否可以将 SSH 用户限制在登录时的新挂载命名空间中?

当前,通过 SSH 登录到我们的共享服务器的用户始终进入根挂载命名空间,例如,这允许所有用户查看同一个/var/tmp目录,使其成为由所有用户共享的争用资源(如果 /var/tmp 不是唯一的文件系统,则为根文件系统)。

使用 systemd,可以轻松地将服务(或服务实例)配置为唯一的挂载命名空间,例如,为它们提供该服务/会话所独有的私有(tmpfs)/var/tmp。

有没有一种好的方法可以为用户做类似的事情 - 例如,在登录时,用户将拥有一个新的挂载命名空间设置,其中他们/var/tmp实际上(例如)有一个符号链接/srv/vartempfs/$UID?我猜这必须是每个用户一个挂载命名空间,以确保到同一台服务器的两个会话共享相同的“/var/tmp”。

答案1

事实证明这非常简单,尤其是对于 /var/tmp。在 RHEL 派生系统(例如 CentOS 7)上,只需取消注释以下行即可实现此目的/etc/security/namespace.conf

# /etc/security/namespace.conf
#
# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
#
# Uncommenting the following three lines will polyinstantiate
# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
# be polyinstantiated based on the MLS level part of the security context as well as user
# name, Polyinstantion will not be performed for user root and adm for directories
# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
# The user name and context is appended to the instance prefix.
#
# Note that instance directories do not have to reside inside the
# polyinstantiated directory. In the examples below, instances of /tmp
# will be created in /tmp-inst directory, where as instances of /var/tmp
# and users home directories will reside within the directories that
# are being polyinstantiated.
#
# Instance parent directories must exist for the polyinstantiation
# mechanism to work. By default, they should be created with the mode
# of 000. pam_namespace module will enforce this mode unless it
# is explicitly called with an argument to ignore the mode of the
# instance parent. System administrators should use this argument with
# caution, as it will reduce security and isolation achieved by
# polyinstantiation.
#
#/tmp     /tmp-inst/        level      root,adm
#/var/tmp /var/tmp/tmp-inst/    level      root,adm
#$HOME    $HOME/$USER.inst/     level

感谢@larsks感谢你指点我pam_namespace

相关内容