pam_namespace: document that the namespace.init script runs as root

author: Matthias Gerstner <matthias.gerstner@suse.de> 2024-01-02 13:47:11 +0100
committer: Dmitry V. Levin <ldv@strace.io> 2024-01-03 10:50:38 +0000
commit: b6eda496fd5f7a9724887b208b5d4338c474bb7b (patch)
tree: 8338a82e631ab5b7d5d4c4e9aede3f26d50c8d07 /modules/pam_namespace/pam_namespace.8.xml
parent: a3dbb75bbed62093b8acb680cab783e522f6c67f (diff)
download: pam-b6eda496fd5f7a9724887b208b5d4338c474bb7b.tar.gz
pam-b6eda496fd5f7a9724887b208b5d4338c474bb7b.tar.bz2
pam-b6eda496fd5f7a9724887b208b5d4338c474bb7b.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
index 598037a4..a866d2ef 100644
--- a/modules/pam_namespace/pam_namespace.8.xml
+++ b/modules/pam_namespace/pam_namespace.8.xml
@@ -68,7 +68,10 @@
       and mounted on the polyinstantiated directory. The script receives the
       polyinstantiated directory path, the instance directory path, flag
       whether the instance directory was newly created (0 for no, 1 for yes),
-      and the user name as its arguments.
+      and the user name as its arguments. The script is invoked with full root
+      privileges and accessing the instance directory in this context needs to
+      be done with caution, as it is controlled by the unprivileged user for
+      which it has been created.
     </para>
 
     <para condition="with_vendordir">
author	Matthias Gerstner <matthias.gerstner@suse.de>	2024-01-02 13:47:11 +0100
committer	Dmitry V. Levin <ldv@strace.io>	2024-01-03 10:50:38 +0000
commit	b6eda496fd5f7a9724887b208b5d4338c474bb7b (patch)
tree	8338a82e631ab5b7d5d4c4e9aede3f26d50c8d07 /modules/pam_namespace/pam_namespace.8.xml
parent	a3dbb75bbed62093b8acb680cab783e522f6c67f (diff)
download	pam-b6eda496fd5f7a9724887b208b5d4338c474bb7b.tar.gz pam-b6eda496fd5f7a9724887b208b5d4338c474bb7b.tar.bz2 pam-b6eda496fd5f7a9724887b208b5d4338c474bb7b.zip