NAME¶

pam_groupnet - join/create a specific network namespace at login

SYNOPSIS¶

pam_groupnet.so

DESCRIPTION¶

The pam_groupnet PAM module allow each user in groupnet group to join a specific network namespace.

If the specified network namespace exists, pam runs the user shell in that namespace. If such a namespace does does not exist, it is created during the login process.

The system administrator can specify the network namespace to join by creating groups starting with groupnet-. The text written after the dash will be used as the network namespace name to join or create. Users will join the network namespace at login.

If a user is part of multiple groups starting with groupnet-, the first one that matches is used. Group testing order is as returned by getgrouplist(3).

OPTIONS¶

group=groupname

the module operates on users in the group groupname- instead of groupnet-.

lodown

leave the localhost lo interface in the state DOWN.

rootshared

Leave the root filesystem / as shared so mounts can propagate out to the parent namespace. Warning: this feature can create security vulnerabilities if not properly used.

RETURN VALUES¶

PAM_IGNORE

User does not belong to any groupnet-* group.

PAM_ABORT

Error in retrieving the user id or in the namespace creation/joining.

PAM_SUCCESS

Success.

EXAMPLES¶

Add the following line to /etc/pam.d/sshd or /etc/pam.d/login

session required pam_groupnet.so

AUTHOR¶

pam_groupnet was written by Renzo Davoli and Eduard Caizer, University of Bologna

August 17, 2016

VirtualSquare Labs

Source file:	pam_groupnet.8.en.gz (from libpam-net 0.4-1)
Source last updated:	2025-03-24T16:39:57Z
Converted to HTML:	2025-08-16T15:32:23Z