pam_chroot - Man Page

pam_chroot.so [debug] [onerr]

When the calling application attempts to open a session, pam_chroot opens /etc/security/chroot.conf and searches for a line of the form: user directory, where the "user" listed is actually a regular expression. If the PAM_USER for whom the session is being opened matches the regular expression, the module will attempt to chroot() to the given directory.

The calling application must be executing with root privileges in order to be able to chroot() at all. If the application needs to exec() other programs (such as a server process or spawning a shell), you will need to duplicate some portions of an actual root environment under the chroot()ed directory in order for it to work at all. (This includes configuration and logging files.) If configured incorrectly, this module may potentially render the service unusable and, under some circumstances, pose a security risk.

In particular, the new root directory and all of its parent directories must not be writable by anyone but root.

debug

Log debug messages to syslog.

onerr=

Values can be "succeed" or "fail". The action to take if the configuration file can not be opened, the chroot() fails, or the user does not match any of the expressions listed in the configuration file. Default is "succeed".

Only session module type is provided.

PAM_SUCCESS

Everything was successful.

PAM_SESSION_ERR

Session error.

/etc/security/chroot.conf

Chroot configuration file

pam.d(5), pam(8)

The original pam_chroot was written by Matthew Kirkwood and it was obtained from ftp://ferret.lmh.ox.ac.uk/users/weejock/pam_chroot/.

nalin ported this module for Red Hat.