LinuxCommandLibrary

pam_namespace

Create private mount namespace for applications

SYNOPSIS

pam_namespace.so [debug] [user=username] [group=groupname] [config=config_file]

PARAMETERS

debug
    Enables debugging messages to be logged via syslog.

user=username
    Specifies the user for which namespace configuration should be applied. This overrides the user being authenticated.

group=groupname
    Specifies the group for which namespace configuration should be applied. This overrides the group of the user being authenticated.

config=config_file
    Specifies an alternate configuration file to use instead of the default `/etc/security/namespace.conf`.

DESCRIPTION

The pam_namespace PAM module allows you to automatically set up mount namespaces and bind mounts upon user login and to remove them upon logout. This provides a way to isolate processes within specific file system views, enhancing security and resource management. It's commonly used in environments where users need restricted or customized access to the file system, such as containerization or chroot-like setups without requiring root privileges.

The module relies on configuration files (typically located in `/etc/security/namespace.conf`) which define the source and target paths for the mount points, along with the user/group ownership and permissions. On login, `pam_namespace` creates the mount namespace (if necessary) and performs the specified bind mounts. On logout, it unmounts these mounts and removes the namespace if no other processes are using it. The module can be used in both the `auth` and `session` stacks within PAM configurations.

CAVEATS

Incorrectly configured namespaces can lead to unexpected behavior or security vulnerabilities.
Ensure that all source directories exist and have the correct permissions before mounting to avoid errors or permission issues within the namespace.
Unmounting must be done carefully to prevent data loss or corruption.

CONFIGURATION FILE FORMAT

The configuration file (`/etc/security/namespace.conf` by default) contains lines specifying the mount points. Each line generally follows the format: `source target user:group mode`.

source: The source directory or file to be mounted.
target: The target directory or file within the namespace.
user:group: The user and group ownership to be set on the target.
mode: The permissions (octal) to be set on the target.

MOUNT FLAGS

pam_namespace supports various mount flags, specified using the 'options' keyword in namespace.conf. These flags are passed directly to the mount(2) system call and can control the behavior of the bind mount. Commonly used flags include 'ro' (read-only), 'bind' (recursive bind), and 'create' (automatically create the target directory if it doesn't exist).

HISTORY

The `pam_namespace` module was developed to provide a more robust and flexible alternative to chroot environments. It allows for per-user namespace configuration and dynamic modification of the file system view upon login and logout. Its development was driven by the increasing need for process isolation and resource management in multi-user systems and containerization environments. It leverages the Linux namespaces feature, which was introduced in kernel 2.6.24. Over time, it has been refined and improved to handle different use cases and address potential security concerns.

SEE ALSO

mount(8), umount(8), namespace(7)
