No description, website, or topics provided.
C Makefile
Latest commit f9244a0 Apr 15, 2016 @gpjt Added link to blog post.
Failed to load latest commit information.
src Use a rather ugly half-second poll waiting for the child process to die. Apr 15, 2016
LICENSE.txt Added a license and a README. Apr 15, 2016
Makefile Adjusted build options to match… Apr 15, 2016 Added link to blog post. Apr 15, 2016


A PAM module that switches into a PID namespace, with /proc correctly mounted.

Just a sketch at the moment -- it seems to work fine, but logs too much and probably contains errors.

Suggestions/pull requests welcome!

How to use it

Compile, and copy to /lib/security/.

In one of the pam config files -- say, /etc/pam.d/su, add a line saying this:

session required

This will mean that anyone who uses su will wind up in a separate process namespace. ps and everything in /proc will reflect that -- the rest of the processes on the system will be invisible. You can affect other tools (say, sshd) by changing their respective pam.d config files.

NB. this is not something you'd want to leave in there for root; a TODO is definitely make this module a do-nothing for root, and perhaps to allow you to specify a list of users who are likewise unaffected...

How it works

See this blog post.


Inspiration drawn from Jameson Little's simple-pam and from Ed Schmollinger's pam-chroot.


MIT-licensed, see LICENSE.txt.