summaryrefslogtreecommitdiff
path: root/modules/pam_namespace/pam_namespace.8.xml
diff options
context:
space:
mode:
authorTomas Mraz <tmraz@fedoraproject.org>2012-01-26 14:50:51 +0100
committerTomas Mraz <tmraz@fedoraproject.org>2012-01-26 14:50:51 +0100
commit17a3f6715591b215a7fdd3127db4abe70ff26381 (patch)
tree50ad0a5191987b9cb366b55dffc5b7e048d01729 /modules/pam_namespace/pam_namespace.8.xml
parentd5a261b8be2035bbf49726eb7ac792ee6d5a22d1 (diff)
Do not unmount anything by default in pam_namespace close session call.
* modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize the unmount_on_close option and make the default to be to not unmount. * modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to PAMNS_UNMOUNT_ON_CLOSE. * modules/pam_namespace/pam_namespace.8.xml: Document the change.
Diffstat (limited to 'modules/pam_namespace/pam_namespace.8.xml')
-rw-r--r--modules/pam_namespace/pam_namespace.8.xml17
1 files changed, 9 insertions, 8 deletions
diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
index 6ec3ad23..f0f80d33 100644
--- a/modules/pam_namespace/pam_namespace.8.xml
+++ b/modules/pam_namespace/pam_namespace.8.xml
@@ -44,7 +44,7 @@
ignore_instance_parent_mode
</arg>
<arg choice="opt">
- no_unmount_on_close
+ unmount_on_close
</arg>
<arg choice="opt">
use_current_context
@@ -195,16 +195,17 @@
<varlistentry>
<term>
- <option>no_unmount_on_close</option>
+ <option>unmount_on_close</option>
</term>
<listitem>
<para>
- For certain trusted programs such as newrole, open session
- is called from a child process while the parent performs
- close session and pam end functions. For these commands
- use this option to instruct pam_close_session to not
- unmount the bind mounted polyinstantiated directory in the
- parent.
+ Explicitly unmount the polyinstantiated directories instead
+ of relying on automatic namespace destruction after the last
+ process in a namespace exits. This option should be used
+ only in case it is ensured by other means that there cannot be
+ any processes running in the private namespace left after the
+ session close. It is also useful only in case there are
+ multiple pam session calls in sequence from the same process.
</para>
</listitem>
</varlistentry>