From b6eda496fd5f7a9724887b208b5d4338c474bb7b Mon Sep 17 00:00:00 2001
From: Matthias Gerstner
Date: Tue, 2 Jan 2024 13:47:11 +0100
Subject: pam_namespace: document that the namespace.init script runs as root
---
modules/pam_namespace/namespace.conf.5.xml | 5 ++++-
modules/pam_namespace/pam_namespace.8.xml | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'modules/pam_namespace')
diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml
index 1141136d..5ecae3de 100644
--- a/modules/pam_namespace/namespace.conf.5.xml
+++ b/modules/pam_namespace/namespace.conf.5.xml
@@ -24,7 +24,10 @@ executable script /etc/security/namespace.init exists, it is used to initialize the namespace every time an instance directory is set up and mounted. The script receives the polyinstantiated
- directory path and the instance directory path as its arguments.
+ directory path and the instance directory path as its arguments. The
+ script is invoked with full root privileges and accessing the instance directory
+ in this context needs to be done with caution, as it is controlled by the unprivileged
+ user for which it has been created.
diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
index 598037a4..a866d2ef 100644
--- a/modules/pam_namespace/pam_namespace.8.xml
+++ b/modules/pam_namespace/pam_namespace.8.xml
@@ -68,7 +68,10 @@ and mounted on the polyinstantiated directory. The script receives the polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes),
- and the user name as its arguments.
+ and the user name as its arguments. The script is invoked with full root
+ privileges and accessing the instance directory in this context needs to
+ be done with caution, as it is controlled by the unprivileged user for
+ which it has been created.
-- cgit v1.2.3