Imported from /home/lorry/working-area/delta_linux-pam/Linux-PAM-1.1.8.tar.bz2.HEAD Linux-PAM-1.1.8 master

author: Lorry Tar Creator <lorry-tar-importer@baserock.org> 2013-09-19 09:33:00 +0000
committer: <> 2014-11-13 09:36:22 +0000
commit: b1521c97e73b10469f7b34c0571d51c647eca83c (patch)
tree: 212a6a00baa11e9d0ca7bc27b12420d1dce6f07c /modules/pam_namespace/pam_namespace.8.xml
parent: 6e36ca00ed774a7c5b2f2322c96b023999b733a4 (diff)
download: linux-pam-b1521c97e73b10469f7b34c0571d51c647eca83c.tar.gz
1 files changed, 17 insertions, 10 deletions
diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
index 48021c8..f0f80d3 100644
--- a/modules/pam_namespace/pam_namespace.8.xml
+++ b/modules/pam_namespace/pam_namespace.8.xml
@@ -44,7 +44,7 @@
         ignore_instance_parent_mode
       </arg>
       <arg choice="opt">
-        no_unmount_on_close
+        unmount_on_close
       </arg>
       <arg choice="opt">
         use_current_context
@@ -195,16 +195,17 @@
 
       <varlistentry>
         <term>
-          <option>no_unmount_on_close</option>
+          <option>unmount_on_close</option>
         </term>
         <listitem>
           <para>
-           For certain trusted programs such as newrole, open session
-           is called from a child process while the parent performs
-           close session and pam end functions. For these commands
-           use this option to instruct pam_close_session to not
-           unmount the bind mounted polyinstantiated directory in the
-            parent.
+           Explicitly unmount the polyinstantiated directories instead
+           of relying on automatic namespace destruction after the last
+           process in a namespace exits. This option should be used
+           only in case it is ensured by other means that there cannot be
+           any processes running in the private namespace left after the
+           session close. It is also useful only in case there are
+           multiple pam session calls in sequence from the same process.
           </para>
         </listitem>
       </varlistentry>
@@ -246,12 +247,18 @@
 	    This option can be used on systems where the / mount point or
 	    its submounts are made shared (for example with a
 	    <command>mount --make-rshared /</command> command).
-	    The module will make the polyinstantiated directory mount points
-	    private. Normally the pam_namespace will try to detect the
+	    The module will mark the whole directory tree so any mount and
+	    unmount operations in the polyinstantiation namespace are private.
+	    Normally the pam_namespace will try to detect the
 	    shared / mount point and make the polyinstantiated directories
 	    private automatically. This option has to be used just when
 	    only a subtree is shared and / is not.
           </para>
+          <para>
+	    Note that mounts and unmounts done in the private namespace will not
+	    affect the parent namespace if this option is used or when the
+	    shared / mount point is autodetected.
+          </para>
         </listitem>
       </varlistentry>
author	Lorry Tar Creator <lorry-tar-importer@baserock.org>	2013-09-19 09:33:00 +0000
committer	<>	2014-11-13 09:36:22 +0000
commit	b1521c97e73b10469f7b34c0571d51c647eca83c (patch)
tree	212a6a00baa11e9d0ca7bc27b12420d1dce6f07c /modules/pam_namespace/pam_namespace.8.xml
parent	6e36ca00ed774a7c5b2f2322c96b023999b733a4 (diff)
download	linux-pam-b1521c97e73b10469f7b34c0571d51c647eca83c.tar.gz