From: Dwight Engen Date: Mon, 18 Nov 2013 17:28:31 +0000 (-0500) Subject: oracle template: fix pam login failures under user namespace X-Git-Tag: lxc-1.0.0.beta1~132 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eff9177f716b3f8ea9058c2f54b604396490da2e;p=thirdparty%2Flxc.git oracle template: fix pam login failures under user namespace Signed-off-by: Dwight Engen Signed-off-by: Serge Hallyn --- diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in index e86f26142..8770e70da 100644 --- a/templates/lxc-oracle.in +++ b/templates/lxc-oracle.in @@ -72,6 +72,10 @@ container_rootfs_configure() fi sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*close|#session required pam_selinux.so close|' $container_rootfs/etc/pam.d/login sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session required pam_selinux.so open|' $container_rootfs/etc/pam.d/login + + # setting /proc/$$/loginuid doesn't work under user namespace, which + # prevents logins from working + sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required pam_loginuid.so|' $container_rootfs/etc/pam.d/sshd sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required pam_loginuid.so|' $container_rootfs/etc/pam.d/login if [ -f $container_rootfs/usr/sbin/selinuxenabled ]; then 
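Review bot: The added `sed` on `etc/pam.d/sshd`, like the existing one on `etc/pam.d/login`, comments out `pam_loginuid.so` in every container the template builds, not only in those started under a user namespace. Sessions in those containers therefore get no audit login UID from PAM, even where writing `/proc/$$/loginuid` would have succeeded. The ol4 `pam_limits.so` edit in the next hunk is unconditional in the same way. Whether the template can know at creation time that a user namespace will be used is not visible here; if it cannot, the comment should state the trade-off, e.g. `# NOTE: applied to all containers; ssh and console sessions will not have their audit loginuid set`. `container_rootfs_configure` starts and ends outside this hunk.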
@@ -83,6 +87,11 @@ container_rootfs_configure() sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 2>/dev/null|' $container_rootfs/etc/rc.sysinit sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 2>/dev/null|' $container_rootfs/etc/rc.d/rc.sysinit + # on ol4 pam_limits prevents logins when using user namespaces + if [ $container_release_major = "4" ]; then + sed -i 's|session[ \t]*required[ \t]*/lib/security/\$ISA/pam_limits.so|#session required /lib/security/$ISA/pam_limits.so|' $container_rootfs/etc/pam.d/system-auth + fi + # configure the network to use dhcp. we set DHCP_HOSTNAME so the guest # will report its name and be resolv'able by the hosts dnsmasq cat < $container_rootfs/etc/sysconfig/network-scripts/ifcfg-eth0
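Review bot: The added test `[ $container_release_major = "4" ]` expands the variable unquoted, so an empty or unset value makes `[` report a syntax error rather than evaluate cleanly to false. `if [ "$container_release_major" = "4" ]; then` avoids that, and quoting `"$container_rootfs/etc/pam.d/system-auth"` on the `sed` line protects against a rootfs path containing spaces. The variable is assigned outside this hunk, so whether it can be empty at this point is not visible. With `pam_limits.so` commented out in `system-auth`, limits.conf settings presumably stop applying to any PAM service that includes that file, which the comment could say.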