Scroll to navigation

PAM_GROUPNET(8) System Manager's Manual PAM_GROUPNET(8)

NAME

pam_groupnet - join/create a specific network namespace at login

SYNOPSIS

pam_groupnet.so

DESCRIPTION

The pam_groupnet PAM module allow each user in groupnet group to join a specific network namespace.

If the specified network namespace exists, pam runs the user shell in that namespace. If such a namespace does does not exist, it is created during the login process.

The system administrator can specify the network namespace to join by creating groups starting with groupnet-. The text written after the dash will be used as the network namespace name to join or create. Users will join the network namespace at login.

If a user is part of multiple groups starting with groupnet-, the first one that matches is used. Group testing order is as returned by getgrouplist(3).

OPTIONS

group=groupname

the module operates on users in the group groupname- instead of groupnet-.

lodown

leave the localhost lo interface in the state DOWN.

rootshared

Leave the root filesystem / as shared so mounts can propagate out to the parent namespace. Warning: this feature can create security vulnerabilities if not properly used.

RETURN VALUES

PAM_IGNORE

User does not belong to any groupnet-* group.

PAM_ABORT

Error in retrieving the user id or in the namespace creation/joining.

PAM_SUCCESS

Success.

EXAMPLES

Add the following line to /etc/pam.d/sshd or /etc/pam.d/login

session required pam_groupnet.so

SEE ALSO

pam.conf(5), pam.d(5), pam(7)

AUTHOR

pam_groupnet was written by Renzo Davoli and Eduard Caizer, University of Bologna

August 17, 2016 VirtualSquare Labs