The website Ops team noticed a while back that the SCM loopback mounts[1] were not going away as expected on the opensolaris.org servers. We eventually tracked this down to a change in behavior in sshd, such that our PAM session-close code runs as the SCM user, not root[2]. Our understanding is that we are unlikely to see the old behavior from sshd any time soon.
After some discussion with the Ops team, I've been working on a workaround. The idea is to give users mount/unmount privileges by putting this entry in /etc/user_attr:

    <user>::::type=normal;defaultpriv=basic,sys_mount

This will let the session-close code run as the user. We think this is reasonably secure, in that any potential exploits would be limited to inside the user's chroot environment. Does this sound okay?

thanks,
mike

Footnotes:
[1] http://www.opensolaris.org/os/community/tools/scm/scmhostspec/
[2] http://blogs.sun.com/kupfer/entry/unwanted_mounts

_______________________________________________
tools-discuss mailing list
tools-discuss@opensolaris.org
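
Added example, not part of the original message: a shell audit that lists every user_attr entry whose defaultpriv grants anything beyond "basic", so accounts given sys_mount by a workaround like the one above stay visible to the admins. The account names and sample entries are constructed for illustration.

```shell
# Audit user_attr(4) entries for default privileges beyond "basic".
# Entry format: user:qualifier:res1:res2:attr   (attr = key=value;key=value)
audit_user_attr() {
    # $1: path to a user_attr file, or "-" for stdin (default: /etc/user_attr)
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }      # skip comments and malformed lines
        {
            user = $1
            # Re-join field 5 onward in case the attribute string contains ":"
            attr = $5
            for (i = 6; i <= NF; i++) attr = attr ":" $i
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^defaultpriv=/) continue
                sub(/^defaultpriv=/, "", kv[i])
                m = split(kv[i], priv, ",")
                extra = ""
                # Collect every privilege token other than the "basic" set
                for (j = 1; j <= m; j++)
                    if (priv[j] != "basic" && priv[j] != "")
                        extra = extra (extra == "" ? "" : ",") priv[j]
                if (extra != "") print user " " extra
            }
        }
    ' "${1:-/etc/user_attr}"
}

# Constructed sample entries (hypothetical account names).
sample_user_attr() {
cat <<'EOF'
# constructed sample, not taken from a real server
root::::type=normal;auths=solaris.*;lock_after_retries=no
scmuser1::::type=normal;defaultpriv=basic,sys_mount
scmuser2::::type=normal;defaultpriv=basic
EOF
}

# Prints one line per flagged account: "<user> <extra privileges>"
sample_user_attr | audit_user_attr -
```

Run against the live file with `audit_user_attr /etc/user_attr` and compare the output with the list of SCM accounts that are meant to hold sys_mount.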