pam_namespace
PAM module that sets up a private mount namespace and polyinstantiated directories for a session
SYNOPSIS
session required pam_namespace.so [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [no_unmount_on_close] [use_current_context] [use_default_context]
PARAMETERS
debug
Log a lot of debugging information through syslog.
unmnt_remnt
For programs such as su and newrole the login session has already set up a polyinstantiated namespace. These programs polyinstantiate again for the new user id or security context, so they first have to undo what login did: with this option the module unmounts the existing instance directories before mounting the new ones.
unmnt_only
For trusted programs that want to undo the existing bind mounts and deal with the instance directories themselves: only unmount the currently mounted instance directories, do not mount anything.
require_selinux
Return failure if SELinux is not enabled.
gen_hash
Use an md5 hash of the SELinux context string as the instance name instead of the context string itself, which keeps instance directory names short.
ignore_config_error
If a line of the configuration file describing a polyinstantiated directory has a format error, skip it and continue with the next line. Without this option the module returns an error to the calling program, which terminates the session.
ignore_instance_parent_mode
Instance parent directories are expected to be root-owned with the restrictive mode 000. This option makes the module accept other modes. Use it with caution: a readable or writable instance parent lets users inspect, plant or replace each other's instance directories, which defeats the isolation the mechanism is meant to provide.
no_unmount_on_close
For trusted programs such as newrole, where open session runs in a child process while the parent performs close session and pam_end: tell pam_close_session not to unmount the bind-mounted instance directories in the parent.
use_current_context
For services that do not change the SELinux context with setexeccon: use the current SELinux context of the calling process for level and context polyinstantiation.
use_default_context
For services that do not use pam_selinux to change the SELinux context: use the user's default SELinux context for level and context polyinstantiation.
DESCRIPTION
The pam_namespace module is a Pluggable Authentication Module (PAM) that gives each session a private mount namespace and polyinstantiates directories in it. For every directory listed in its configuration (the polydir, typically /tmp, /var/tmp or the user's home) it bind-mounts a per-user or per-SELinux-context instance directory over the polydir, or mounts a fresh tmpfs on it. Because these mounts exist only in the session's own namespace, every other session keeps seeing the original directory: one user's temporary files are neither visible to nor writable by another user, and the classic shared-/tmp symlink and race attacks have no shared directory to work in. Instance directories made with the user, level and context methods persist on disk between sessions; tmpfs and tmpdir instances are gone when the session ends.
Configuration is read from /etc/security/namespace.conf and from the files in /etc/security/namespace.d/; each rule names a polydir, an instance prefix, a method and the users it applies to. After an instance directory is set up, /etc/security/namespace.init (or the script named by the rule's iscript flag) is run with the polydir, the instance directory, a flag saying whether the directory was just created, and the user name, so it can populate a new instance; the noinit flag suppresses this. The work is done in the session phase: a single "session required pam_namespace.so" line in the login service's session stack mounts the instances on open session, and close session unmounts them again (see no_unmount_on_close). Programs that open a new session for an already polyinstantiated user, such as su and newrole, need the unmnt_remnt option so that the previous instances are undone first.
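A minimal deployment, as an added example (not taken from the Linux-PAM sources): the session lines for login and su, and a namespace.d fragment that gives every ordinary user a size-limited tmpfs /tmp and a persistent private /var/tmp. The service file names and the "system-auth" include follow the usual Red Hat style layout and vary by distribution, and the instance parent /var/tmp-inst is assumed to have been created beforehand by the administrator with mkdir -m 000 as root.

```text
# /etc/pam.d/login -- session stack, relevant lines only
session    required   pam_selinux.so close
session    required   pam_loginuid.so
session    required   pam_selinux.so open
session    required   pam_namespace.so
session    include    system-auth

# /etc/pam.d/su -- the caller already runs in a polyinstantiated namespace:
# undo that first, then polyinstantiate for the target user
session    required   pam_namespace.so unmnt_remnt

# /etc/security/namespace.d/tmp.conf
# polydir   instance_prefix    method[:flags]                          users exempt from the rule
/tmp        /tmp-inst/         tmpfs:mntopts=nosuid,nodev,size=64M     root,adm
/var/tmp    /var/tmp-inst/     user                                    root,adm
```

pam_selinux.so open comes before pam_namespace.so so that a level or context rule would see the session's final SELinux context; for the user and tmpfs methods above the order is irrelevant. There is no separate unmount line: close session unmounts the instances, and the namespace itself disappears with the session's last process.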
CAVEATS
- Cleanup: the session's mount namespace is released by the kernel as soon as its last process exits, so stale bind mounts are not the usual problem. What persists is the instance directory on disk for the user, level and context methods (tmpfs and tmpdir instances vanish with the session), and any process a user leaves running (screen, nohup'd daemons) keeps the namespace, and its private view of /tmp, alive after logout.
- Root privileges: the module runs inside the process that calls PAM and cannot raise its own privileges. unshare(CLONE_NEWNS) and mount(2) require CAP_SYS_ADMIN, so the service (login, sshd, gdm, su) must still be root when it calls pam_open_session; pam_namespace does nothing useful in a service that has already dropped privileges.
- Interaction with other modules: for the level and context methods the session's SELinux context must already be set, so pam_selinux.so open has to precede pam_namespace.so in the stack (or use_current_context / use_default_context must be given). pam_mkhomedir should run before pam_namespace when $HOME is polyinstantiated, since the polydir must exist before an instance can be mounted over it. Processes that pam_systemd has logind spawn through systemd --user are children of PID 1, not of the login process, and therefore run in the initial mount namespace and do not see the session's private instances. su and newrole need unmnt_remnt, and newrole additionally no_unmount_on_close.
- Security: polyinstantiation is as strong as its configuration. The shared flag turns a per-user instance into one common to all users, ignore_instance_parent_mode lets users get at the directory holding everyone's instances, and a private /tmp breaks programs that rendezvous through /tmp across sessions (X11 sockets in /tmp/.X11-unix, agent sockets); handle those deliberately in namespace.init rather than by loosening the rules.
CONFIGURATION FILE (/etc/security/namespace.conf)
This file, together with the files in /etc/security/namespace.d/, defines the polyinstantiation rules. Lines beginning with # are comments. Each rule has four whitespace-separated fields: the polydir (the directory to polyinstantiate), the instance_prefix (the directory under which, or the prefix with which, instance directories are created), the method, and an optional list of users. $USER, $HOME and $GID are expanded in the first two fields.
Methods: user (one instance per user name), level (one per SELinux MLS level and user), context (one per full SELinux context and user), tmpfs (mount a fresh tmpfs on the polydir instead of a bind mount) and tmpdir (like user, but the instance directory is removed when the session closes). Flags are appended to the method, separated by colons: create[=mode,owner,group] (create the polydir if it does not exist), iscript=path (init script to run instead of /etc/security/namespace.init), noinit (run no init script), shared (a single instance for all users instead of one per user; meant for tmpfs), mntopts=options (options passed to the tmpfs mount; besides the tmpfs(5) options such as size=, the nosuid, nodev and noexec flags are accepted).
The user list is comma-separated and names the users the rule does not apply to; if it starts with ~ it is inverted and only the listed users are polyinstantiated; %name stands for the members of a group; an empty list means everyone. The instance parent directory (for example /tmp-inst when the instance_prefix is /tmp-inst/) must be created by the administrator, owned by root and with mode 000, or the module refuses to use it (see ignore_instance_parent_mode).
Example entries:
/tmp /tmp-inst/ tmpfs:mntopts=nosuid,nodev,size=10M root,adm - gives every user except root and adm a private, size-limited, in-memory /tmp for the duration of the session.
/var/tmp /var/tmp-inst/ user root,adm - bind-mounts /var/tmp-inst/<username> over /var/tmp; the instance persists on disk across logins.
$HOME /srv/guest-inst/ tmpdir ~guest - gives the guest account a throw-away home directory (/srv/guest-inst/guest, populated by namespace.init) that is removed when the session ends.
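The checks below are an added example, not a tool shipped with Linux-PAM: a small POSIX sh script that parses namespace.conf rules, flags the mistakes the module would reject or that would weaken isolation (non-absolute paths, unknown methods, shared on a per-user method, a missing or non-000 instance parent), evaluates the user list with its ~ and %group semantics, and predicts which directory a given user's session will see. It assumes colon-separated flags after the method, expands only $USER, resolves %group entries with id(1) (so the user must exist locally), and runs its demo on a constructed fragment under a temporary directory rather than on the real system files.

```sh
#!/bin/sh
# Pre-flight checks for namespace.conf rules: parse each line, flag what
# pam_namespace would reject or what weakens isolation, and predict the
# directory a given user ends up with. Added example, not part of Linux-PAM.
# Assumptions: flags are colon-separated after the method, only $USER is
# expanded, and %group entries are resolved with id(1) (user must exist).

# applies_to_user UIDS USER: true if the rule polyinstantiates for USER.
# Empty list = everyone; "a,b" = everyone except a and b; "~a,b" = only a
# and b; an entry "%name" matches members of group name.
applies_to_user() {
    list=$1 user=$2 negate=0 found=0
    [ -z "$list" ] && return 0
    case $list in "~"*) negate=1; list=${list#\~} ;; esac
    groups=$(id -nG "$user" 2>/dev/null || true)
    saved_ifs=$IFS; IFS=,
    for entry in $list; do
        case $entry in
            %*) case " $groups " in *" ${entry#%} "*) found=1 ;; esac ;;
            *)  [ "$entry" = "$user" ] && found=1 ;;
        esac
    done
    IFS=$saved_ifs
    [ "$found" -eq "$negate" ]
}

# instance_dir POLYDIR PREFIX METHOD[:FLAGS] USER: print the path USER's
# session sees behind POLYDIR. user and tmpdir name the instance after the
# user; tmpfs mounts a fresh filesystem on the polydir itself.
instance_dir() {
    polydir=$1 prefix=$2 method=${3%%:*} user=$4
    prefix=$(printf '%s' "$prefix" | sed 's|\$USER|'"$user"'|g')
    case $method in
        user|tmpdir)   printf '%s%s\n' "$prefix" "$user" ;;
        tmpfs)         printf '%s\n' "$polydir" ;;
        level|context) echo "$method: name depends on the SELinux context" >&2; return 2 ;;
        *)             echo "unknown method: $method" >&2; return 1 ;;
    esac
}

# lint_rule "POLYDIR PREFIX METHOD[:FLAGS] [UIDS]": print one line per
# finding and return the number of findings (0 means the rule looks sane).
lint_rule() {
    set -- $1
    polydir=$1 prefix=$2 method=$3 n=0
    base=${method%%:*}
    case $polydir in /*|\$HOME*) ;; *) echo "polydir is not absolute: $polydir"; n=$((n + 1)) ;; esac
    case $prefix in /*|\$HOME*) ;; *) echo "instance_prefix is not absolute: $prefix"; n=$((n + 1)) ;; esac
    case $base in
        user|level|context|tmpfs|tmpdir) ;;
        *) echo "unknown method: $base"; n=$((n + 1)) ;;
    esac
    # shared turns a per-user instance into one everybody can see; it belongs with tmpfs
    case ":$method:" in *:shared:*)
        [ "$base" = tmpfs ] || { echo "shared with method $base defeats per-user isolation"; n=$((n + 1)); } ;;
    esac
    # pam_namespace insists that the instance parent is root-owned and mode 000,
    # so users cannot list, plant or replace other users' instances. Skipped for
    # tmpfs (no instance directory) and for prefixes that still contain $USER/$HOME.
    case $base:$prefix in
        tmpfs:*|*:*\$*) ;;
        *) parent=$(dirname "${prefix}x")
           if [ ! -d "$parent" ]; then
               echo "instance parent $parent missing (mkdir -m 000 $parent as root)"; n=$((n + 1))
           elif [ "$(stat -c %a "$parent")" != 0 ]; then
               echo "instance parent $parent is mode $(stat -c %a "$parent"), expected 000"; n=$((n + 1))
           fi ;;
    esac
    return $n
}

# lint_file FILE: lint every rule in FILE, skipping blank and comment lines;
# returns the total number of findings.
lint_file() {
    total=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        lint_rule "$line" || total=$((total + $?))
    done < "$1"
    return $total
}

# Demo on a constructed fragment (not a real system file). Run: sh namespace-lint.sh
demo() {
    work=$(mktemp -d)
    mkdir -m 000 "$work/tmp-inst"; mkdir -m 755 "$work/open-inst"
    cat > "$work/namespace.conf" <<EOF
# polydir   instance_prefix     method[:flags]                        uids
/tmp        /tmp-inst/          tmpfs:mntopts=nosuid,nodev,size=10M   root,adm
/var/tmp    $work/tmp-inst/     user                                  root,adm
\$HOME      $work/open-inst/    user:shared                           ~guest
EOF
    lint_file "$work/namespace.conf" || echo "findings: $?"
    instance_dir /var/tmp "$work/tmp-inst/" user alice
    applies_to_user "~guest" guest && echo "rule 3 applies to guest"
    chmod 700 "$work/tmp-inst"; rm -rf "$work"
}
demo
```

Run it as root against the real files (lint_file /etc/security/namespace.conf and each file in namespace.d) before enabling the module in a login service: a rule with a missing or world-readable instance parent fails the session for every user, and ignore_config_error only papers over syntax errors, not over these.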
COMMON USE CASES
- Private /tmp directories: a tmpfs or per-user bind-mounted /tmp and /var/tmp, so that users and services cannot see, symlink or clobber each other's temporary files; tmpfs instances disappear when the session ends.
- Sandboxed environments: a restricted view of a few directories for particular applications or less trusted users without setting up a full chroot or container. Only the listed polydirs change; the rest of the filesystem stays exactly as in the parent namespace, so this is isolation of specific directories, not a sandbox for the whole process.
- Temporary home directories: with the tmpdir method a guest or service account gets a freshly initialised home directory for each session that is removed when the session closes.
HISTORY
pam_namespace is a long-standing part of Linux-PAM, built on the kernel's mount namespaces (unshare(2) with CLONE_NEWNS, the same mechanism containers use for their filesystem views) and originally motivated by the MLS deployments that needed per-level /tmp instances. It ships in the standard pam package of most distributions, so any service that runs a PAM session stack can use it without additional software.