Diffstat (limited to 'modules/pam_namespace/pam_namespace.8.xml')
1 files changed, 17 insertions, 10 deletions
diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
index 48021c80..f0f80d33 100644
@@ -44,7 +44,7 @@
@@ -195,16 +195,17 @@
- For certain trusted programs such as newrole, open session
- is called from a child process while the parent performs
- close session and pam end functions. For these commands
- use this option to instruct pam_close_session to not
- unmount the bind mounted polyinstantiated directory in the
+ Explicitly unmount the polyinstantiated directories instead
+ of relying on automatic namespace destruction after the last
+ process in a namespace exits. This option should be used
+ only in case it is ensured by other means that there cannot be
+ any processes running in the private namespace left after the
+ session close. It is also useful only in case there are
+ multiple pam session calls in sequence from the same process.
@@ -246,12 +247,18 @@
This option can be used on systems where the / mount point or
its submounts are made shared (for example with a
<command>mount --make-rshared /</command> command).
- The module will make the polyinstantiated directory mount points
- private. Normally the pam_namespace will try to detect the
+ The module will mark the whole directory tree so any mount and
+ unmount operations in the polyinstantiation namespace are private.
+ Normally the pam_namespace will try to detect the
shared / mount point and make the polyinstantiated directories
private automatically. This option has to be used just when
only a subtree is shared and / is not.
+ Note that mounts and unmounts done in the private namespace will not
+ affect the parent namespace if this option is used or when the
+ shared / mount point is autodetected.