Diffstat (limited to 'modules/pam_namespace/README')
-rw-r--r-- modules/pam_namespace/README | 25
1 files changed, 16 insertions, 9 deletions
diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README index fbc1a1b..1bdbea8 100644 --- a/modules/pam_namespace/README +++ b/modules/pam_namespace/README @@ -68,12 +68,14 @@ ignore_instance_parent_mode will reduce security and isolation goals of the polyinstantiation mechanism. -no_unmount_on_close +unmount_on_close - For certain trusted programs such as newrole, open session is called from a - child process while the parent performs close session and pam end - functions. For these commands use this option to instruct pam_close_session - to not unmount the bind mounted polyinstantiated directory in the parent. + Explicitly unmount the polyinstantiated directories instead of relying on + automatic namespace destruction after the last process in a namespace + exits. This option should be used only in case it is ensured by other means + that there cannot be any processes running in the private namespace left + after the session close. It is also useful only in case there are multiple + pam session calls in sequence from the same process. use_current_context 
@@ -91,10 +93,15 @@ mount_private This option can be used on systems where the / mount point or its submounts are made shared (for example with a mount --make-rshared / command). The - module will make the polyinstantiated directory mount points private. - Normally the pam_namespace will try to detect the shared / mount point and - make the polyinstantiated directories private automatically. This option - has to be used just when only a subtree is shared and / is not. + module will mark the whole directory tree so any mount and unmount + operations in the polyinstantiation namespace are private. Normally the + pam_namespace will try to detect the shared / mount point and make the + polyinstantiated directories private automatically. This option has to be + used just when only a subtree is shared and / is not. + + Note that mounts and unmounts done in the private namespace will not affect + the parent namespace if this option is used or when the shared / mount + point is autodetected. DESCRIPTION |
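Review bot: In the first hunk (-68,12 +68,14), renaming `no_unmount_on_close` to `unmount_on_close` inverts the default, so any existing pam_namespace.conf or PAM stack line that still passes `no_unmount_on_close` will silently hit an unknown option after this change; the README should state that the old option was removed and that the default is now "do not unmount on close" (rely on namespace teardown), so administrators who depended on the old behaviour for newrole-style parent/child session handling know the explicit unmount is no longer the default. The new text also drops the newrole example entirely; keeping one sentence on that case (open_session in a child, close_session in the parent) would explain why an explicit unmount can be needed at all. Minor wording: "It is also useful only in case there are multiple pam session calls in sequence from the same process" reads better as "It is also only useful when there are multiple PAM session calls in sequence from the same process."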
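Review bot: In the second hunk (-91,10 +93,15), "module will mark the whole directory tree so any mount and unmount operations in the polyinstantiation namespace are private" leaves "whole directory tree" ambiguous: say explicitly that it is the tree rooted at the / mount point that is marked private (as opposed to only the polyinstantiated directory mount points in the old text), since that is the behavioural change a reader of this option needs. The sentence "This option has to be used just when only a subtree is shared and / is not" is awkward and could be read as "must be used"; "This option is only needed when a subtree is shared but / is not, because the automatic detection only checks /" states both the condition and the reason. The added note about mounts in the private namespace not affecting the parent is the right security point; it would help to also state the converse, that without this option on a system with a shared subtree, mount and unmount operations from inside the polyinstantiated namespace can propagate to the parent namespace, which is the isolation failure the option prevents.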