A PAM module that switches into a PID namespace, with /proc correctly mounted.
Just a sketch at the moment -- it seems to work fine, but logs too much and probably contains errors.
Suggestions/pull requests welcome!
How to use it
Compile, and copy
In one of the pam config files -- say,
/etc/pam.d/su, add a line saying this:
session required pam_unshare.so
This will mean that anyone who uses
su will wind up in a separate process
ps and everything in
/proc will reflect that -- the rest of
the processes on the system will be invisible. You can affect other tools
sshd) by changing their respective
pam.d config files.
NB. this is not something you'd want to leave in there for root; a TODO is definitely make this module a do-nothing for root, and perhaps to allow you to specify a list of users who are likewise unaffected...
How it works
See this blog post.