A PAM module that switches into a PID namespace, with /proc correctly mounted.
Just a sketch at the moment -- it seems to work fine, but logs too much and probably contains errors.
Suggestions/pull requests welcome!
Compile, and copy pam_unshare.so to /lib/security/.
In one of the pam config files -- say, /etc/pam.d/su, add a line saying this:
session required pam_unshare.so
This will mean that anyone who uses su will wind up in a separate process namespace. ps and everything in /proc will reflect that -- the rest of the processes on the system will be invisible. You can affect other tools (say, sshd) by changing their respective pam.d config files.
NB. this is not something you'd want to leave in there for root; a TODO is definitely to make this module a do-nothing for root, and perhaps to allow you to specify a list of users who are likewise unaffected...
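One way the TODO above could be approached, as an added example that is not code from this module: the decision of whether to leave a session in the host PID namespace. The exempt= module argument and the function names are hypothetical; the module as described takes no arguments.

```c
#include <string.h>
#include <sys/types.h>

/* Hypothetical option, e.g.:
 *   session required pam_unshare.so exempt=alice,bob */
#define EXEMPT_OPT "exempt="

/* Return 1 if `user` is a whole entry of the comma-separated `list`.
 * Exact-length comparison, so "al" does not match "alice". */
static int in_list(const char *list, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = list;

    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (ulen > 0 && len == ulen && memcmp(p, user, len) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Return 1 to skip the unshare, 0 to confine the session.
 * `user` and `uid` must describe the target account (PAM_USER and its
 * passwd entry), not the calling process: su and sshd usually run with
 * root privileges when they invoke the module.
 * argc/argv are the module arguments as passed to pam_sm_open_session(). */
int unshare_exempt(const char *user, uid_t uid, int argc, const char **argv)
{
    size_t optlen = strlen(EXEMPT_OPT);

    if (uid == 0)
        return 1;                 /* root keeps the host view */
    if (user == NULL || *user == '\0')
        return 0;                 /* unknown identity: confine */
    for (int i = 0; i < argc; i++) {
        if (argv[i] && strncmp(argv[i], EXEMPT_OPT, optlen) == 0 &&
            in_list(argv[i] + optlen, user))
            return 1;
    }
    return 0;
}
```

Anything that cannot be positively identified as root or as a listed user is confined, so a typo in the option or a missing user name never widens visibility.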
See this blog post.
Inspiration drawn from Jameson Little's simple-pam and from Ed Schmollinger's pam-chroot.
MIT-licensed, see LICENSE.txt.