Project: RHEL
Issue: RHEL-129833

Request to support group names in `/etc/security/namespace.conf` for namespace-based virtualization of user directories (e.g., `/tmp`).


    • Type: Bug
    • Priority: Undefined
    • Resolution: Unresolved
    • Severity: Low
    • Affects Version: rhel-9.0.0.z
    • Component: pam
    • Assigned Team: rhel-idm-zta
    • Architecture: x86_64

      The customer uses `/etc/security/namespace.conf` to virtualize user-specific directories, specifically `/tmp`.

      Current configuration (the fourth field lists the users for whom polyinstantiation is NOT performed, so root keeps the real `/tmp` and every other user gets a private instance under `/tmp/tmp-inst/`):

      ~~~
      /tmp    /tmp/tmp-inst/    level    root
      ~~~

      -----------------------

      To let selected users keep the real, non-virtualized `/tmp` (that is, to exclude them from polyinstantiation), the customer must list each username individually in the fourth field:

      ~~~
      /tmp    /tmp/tmp-inst/    level    root,user1,user2
      ~~~

      The customer requests the ability to specify group names (e.g., `@admins`) in that field so that all members of the group can access and monitor the non-virtualized underlying `/tmp`.

      ----------------------------------------------------------------------------------------------------------------------

      Problem Statement

      • Users store large files in their private `/tmp`, creating significant disk usage.
      • Administrators need to inspect and monitor these virtual directories.
      • Current namespace behavior:
      1. Only users explicitly listed in the fourth field of `namespace.conf` keep the real `/tmp`; every other user is given a private instance.
      2. Group names cannot be used, forcing admin teams to maintain long lists of individual usernames.
      3. `su` to root from inside a user's session does not escape the namespace: the new process inherits its parent's mount namespace and SELinux attributes, so it still sees the instance directory.
      4. Only a direct SSH or console login as root (a user excluded in `namespace.conf`) starts outside the polyinstantiated namespace and reveals the real (non-virtualized) `/tmp`.

      This creates operational complexity and prevents efficient monitoring.

      -------------------------------------------------------------------------------------------------------------------

      Customer requirement:

      The customer requests the ability to specify UNIX/Linux group names (e.g., `@admins`) in `/etc/security/namespace.conf` so that every user in that group is excluded from polyinstantiation and can access and inspect the non-virtualized underlying `/tmp`.

      Example of the requested syntax:

      ~~~
      /tmp    /tmp/tmp-inst/    level    root,@admins
      ~~~
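      To make the semantics of that field concrete, the following script is an added example for this issue (it is not pam_namespace's code and not part of the original report). It models how pam_namespace reads the fourth field of `namespace.conf`: a comma-separated list of users who keep the real directory, inverted by a leading `~` so that only the listed users are polyinstantiated, and an empty list meaning everyone is. The `@group` prefix is the syntax requested here and is assumed; current pam_namespace does not accept it. Group membership is passed in as a constructed mapping so the script runs offline; a real implementation would resolve it from `/etc/group` and the user's primary gid.

```python
"""Model of the namespace.conf exclusion list used by pam_namespace.

Added example for RHEL-129833, not pam_namespace's own code. It implements
the documented meaning of the fourth field (users for whom polyinstantiation
is NOT performed; a leading '~' inverts the list) plus the hypothetical
'@group' syntax requested in this issue.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class PolyDir:
    polydir: str          # directory that gets per-user instances, e.g. /tmp
    instance_prefix: str  # where the instances live, e.g. /tmp/tmp-inst/
    method: str           # user | level | context, optionally with :flags
    names: List[str]      # raw entries of the fourth field, may be empty
    invert: bool          # fourth field started with '~'


def parse_namespace_conf(text: str) -> List[PolyDir]:
    """Parse namespace.conf text; '#' to end of line and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (3, 4):
            raise ValueError(f"malformed namespace.conf line: {raw!r}")
        names_field = fields[3] if len(fields) == 4 else ""
        invert = names_field.startswith("~")
        names = [n for n in names_field.lstrip("~").split(",") if n]
        entries.append(PolyDir(fields[0], fields[1], fields[2], names, invert))
    return entries


def expand_names(names: List[str], groups: Dict[str, Set[str]]) -> Set[str]:
    """Expand the fourth field into a set of user names.

    Plain entries are user names. Entries starting with '@' are the
    hypothetical group syntax from this request and expand to the group's
    members; an unknown group expands to nothing (fail closed: nobody is
    excluded from polyinstantiation by a typo).
    """
    users: Set[str] = set()
    for name in names:
        if name.startswith("@"):
            users |= groups.get(name[1:], set())
        else:
            users.add(name)
    return users


def is_polyinstantiated(user: str, entry: PolyDir, groups: Dict[str, Set[str]]) -> bool:
    """True if pam_namespace would give `user` a private instance of entry.polydir.

    Listed users are the exception: without '~' they keep the real directory,
    with '~' only they get an instance. An empty list polyinstantiates everyone.
    """
    listed = user in expand_names(entry.names, groups)
    return listed if entry.invert else not listed


def decide_all(config_text: str, user: str, groups: Dict[str, Set[str]]) -> Dict[str, bool]:
    """Map each polydir in the config to the polyinstantiation decision for `user`."""
    return {e.polydir: is_polyinstantiated(user, e, groups)
            for e in parse_namespace_conf(config_text)}


# Constructed sample config mirroring the request in this issue.
SAMPLE_CONF = """\
# polydir   instance_prefix      method  list_of_uids
/tmp        /tmp/tmp-inst/       level   root,@admins
/var/tmp    /var/tmp/tmp-inst/   level   ~alice,bob
$HOME       $HOME/$USER.inst/    level
"""

# Constructed group membership standing in for /etc/group lookups.
SAMPLE_GROUPS = {"admins": {"carol", "dave"}}

if __name__ == "__main__":
    for who in ("root", "carol", "alice", "bob"):
        print(who, decide_all(SAMPLE_CONF, who, SAMPLE_GROUPS))
```

      Two caveats a real implementation would need: the member list in `/etc/group` omits users whose primary gid is that group, so membership must also consult `pwd.getpwnam(user).pw_gid`; and the decision is taken once, when pam_namespace opens the session, so adding a user to the group does not move already-running sessions out of their instance directory.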

      Goals

      • Allow admin groups to review disk usage of the per-user instances under the underlying `/tmp` (e.g., `/tmp/tmp-inst/`).
      • Avoid maintaining long lists of individual usernames.
      • Improve manageability, visibility, and operational efficiency around namespace-based directory virtualization.
      • Align namespace access control with traditional UNIX group-based permission patterns.

      ------------------------------

      Requested Enhancement

      Add support for group entries in `/etc/security/namespace.conf` for pam_namespace so that administrators can more easily manage and monitor namespace-isolated directories.

              Iker Pedrosa (ipedrosa@redhat.com)
              Dipti Patil (rhn-support-dipatil)
              Anuj Borah
              Votes: 0
              Watchers: 7