pam_chroot — PAM module that allows a user to be chrooted in session

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

When the calling application attempts to open a session, pam_chroot opens
/etc/security/chroot.conf and searches for a line of the form "user directory",
where the "user" field is actually a regular expression. If the PAM_USER for
whom the session is being opened matches the regular expression, the module
will attempt to chroot() to the given directory.

The calling application must be executing with root privileges in order to be
able to chroot() at all. If the application needs to exec() other programs
(such as a server process or a spawned shell), you will need to duplicate some
portions of an actual root environment under the chroot()ed directory in order
for them to work. (This includes configuration and logging files.) If
configured incorrectly, this module may render the service unusable and, under
some circumstances, pose a security risk.

In particular, the new root directory and all of its parent directories must
not be writable by anyone but root.
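As an added example (not part of this page or of the pam_chroot source), the
following Python script models the two points above: matching PAM_USER against
the "user directory" lines of chroot.conf, honouring onerr for a user that
matches nothing, and then auditing the chosen directory and every parent for
root ownership and group/other write bits. It assumes that blank lines and
'#' comments are ignored, that the first matching line wins, and that the
pattern is matched unanchored as POSIX regexec() would; check those against
the module build you run. SAMPLE_CONF, the fake_lstat helper and the
directory table are constructed for the demonstration.

```python
import os
import re
import stat
from typing import Callable, Optional

# Constructed sample in the shape of /etc/security/chroot.conf: a regular
# expression, then the directory to chroot() into. Not a file from the module.
SAMPLE_CONF = """
# comments and blank lines are skipped (assumption about the real parser)
^guest[0-9]+$   /var/chroot/guests
^ftp$           /var/chroot/ftp
bob             /var/chroot/bob
"""


def parse_chroot_conf(text: str) -> list[tuple[re.Pattern[str], str]]:
    """Parse 'user directory' lines into (compiled regex, directory) pairs."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'user directory', got {raw!r}")
        pattern, directory = parts
        entries.append((re.compile(pattern), directory))
    return entries


def resolve_chroot(user: str, entries, onerr: str = "succeed") -> Optional[str]:
    """Directory for the first entry whose regex matches `user`, or None.

    Matching uses re.search, i.e. unanchored like regexec() (assumption), so
    an unanchored pattern such as 'bob' also matches 'bobby': anchor patterns
    with ^ and $ in the config. No match is an error case for the module; with
    onerr=succeed (the default) the session proceeds un-chrooted, with
    onerr=fail it is refused.
    """
    for pattern, directory in entries:
        if pattern.search(user):
            return directory
    if onerr == "fail":
        raise PermissionError(f"no chroot entry matches user {user!r}")
    return None


def unsafe_path_components(directory: str, lstat: Callable = os.lstat) -> list[str]:
    """Return `directory` and each parent that is not owned by root or is
    writable by group/other; an empty list means the requirement is met.
    Resolve symlinks with os.path.realpath() before calling this on a real
    system; `lstat` is injectable so the check can be exercised offline.
    """
    path = os.path.abspath(directory)
    bad = []
    while True:
        st = lstat(path)
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(path)
        parent = os.path.dirname(path)
        if parent == path:  # reached "/"
            break
        path = parent
    return bad


def fake_lstat(table: dict[str, tuple[int, int]]) -> Callable:
    """Build an lstat() stand-in from {path: (uid, mode)} for offline checks."""
    def _lstat(path: str):
        uid, mode = table[path]
        # stat_result tuple order: mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime
        return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
    return _lstat


# Constructed directory tree: /var/chroot is group-writable and /var/chroot/bob
# is owned by uid 1000, so both violate the page's ownership rule.
DEMO_TREE = {
    "/": (0, 0o40755),
    "/var": (0, 0o40755),
    "/var/chroot": (0, 0o40775),
    "/var/chroot/bob": (1000, 0o40755),
    "/var/chroot/guests": (0, 0o40755),
}

if __name__ == "__main__":
    entries = parse_chroot_conf(SAMPLE_CONF)
    for user in ("guest42", "bobby", "alice"):
        print(user, "->", resolve_chroot(user, entries))
    print("unsafe:", unsafe_path_components("/var/chroot/bob", fake_lstat(DEMO_TREE)))
```

Run it as a pre-deployment check by pointing parse_chroot_conf at the real
config and dropping the fake lstat; any path it lists is one that a non-root
user could rename or replace underneath the chroot.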

OPTIONS

debug

    Log debug messages to syslog.

onerr=

    Values can be "succeed" or "fail". The action to take if the configuration
    file can not be opened, the chroot() fails, or the user does not match any
    of the expressions listed in the configuration file. Default is "succeed".

AUTHOR

The original pam_chroot was written by Matthew Kirkwood and it was obtained
from ftp://ferret.lmh.ox.ac.uk/users/weejock/pam_chroot/.

nalin ported this module for Red Hat.

