.\" Title: pam_namespace
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
-.\" Date: 06/21/2011
+.\" Date: 08/17/2012
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_NAMESPACE" "8" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_NAMESPACE" "8" "08/17/2012" "Linux-PAM Manual" "Linux-PAM Manual"
.\" -----------------------------------------------------------------
.\" * (re)Define some macros
.\" -----------------------------------------------------------------
.SH "Synopsis"
.fam C
.HP \w'\fBpam_namespace\&.so\fR\ 'u
-\fBpam_namespace\&.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [no_unmount_on_close] [use_current_context] [use_default_context] [mount_private]
+\fBpam_namespace\&.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [unmount_on_close] [use_current_context] [use_default_context] [mount_private]
.fam
.SH "DESCRIPTION"
.PP
Instance parent directories by default are expected to have the restrictive mode of 000\&. Using this option, an administrator can choose to ignore the mode of the instance parent\&. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\&.
.RE
.PP
-\fBno_unmount_on_close\fR
+\fBunmount_on_close\fR
.RS 4
-For certain trusted programs such as newrole, open session is called from a child process while the parent performs close session and pam end functions\&. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent\&.
+Explicitly unmount the polyinstantiated directories instead of relying on automatic namespace destruction after the last process in a namespace exits\&. This option should be used only in case it is ensured by other means that there cannot be any processes running in the private namespace left after the session close\&. It is also useful only in case there are multiple pam session calls in sequence from the same process\&.
.RE
.PP
\fBuse_current_context\fR
.RS 4
This option can be used on systems where the / mount point or its submounts are made shared (for example with a
\fBmount \-\-make\-rshared /\fR
-command)\&. The module will make the polyinstantiated directory mount points private\&. Normally the pam_namespace will try to detect the shared / mount point and make the polyinstantiated directories private automatically\&. This option has to be used just when only a subtree is shared and / is not\&.
+command)\&. The module will mark the whole directory tree so any mount and unmount operations in the polyinstantiation namespace are private\&. Normally the pam_namespace will try to detect the shared / mount point and make the polyinstantiated directories private automatically\&. This option has to be used just when only a subtree is shared and / is not\&.
+.sp
+Note that mounts and unmounts done in the private namespace will not affect the parent namespace if this option is used or when the shared / mount point is autodetected\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
projects / platform / upstream / pam.git / blobdiff