pmvarrun - updates /var/run/pam_mount/ user
pmvarrun -u user
A separate program is needed so that /var/run/pam_mount/ user
created with a pam_mount-specific security context (otherwise SELinux policy
will conflict with gdm, which also creates file in /var/run).
pmvarrun is flexible and can run in a number of different security setups:
When pmvarrun is invoked as root, /var/run/pam_mount's permission settings can
be as strict as needed; usually (0755,root,root) is a good pick as it gives
users the debug control over their refcount. Refcount files are given their
respective owners (chowned to the user who logs in).
When invoked as the user who logs in, /var/run/pam_mount needs appropriate
permissions to create a file, which means the write bit must be set. It is
also highly suggested to set the sticky bit in this case, so other users do
not tamper with your refcount.
Some programs or login helpers incorrectly call the PAM stack in a way that the
login phase is done as root and the logout phase as a normal user.
Nevertheless, pmvarrun supports this, and the same permissions as in root-root
can be used. While the user may not be able to unlink his file from
/var/run/pam_mount, it will be truncated to indicate the same state.
- --help, -h
- Display help.
- --user user, -u user
- User to handle, must be a valid username.
- --operation number, -o
- Increase volume count by number.
- Turn on debugging.
This manpage was originally written by Bastian Kleineidam
<firstname.lastname@example.org> for the Debian distribution of libpam-mount but may
be used by others.
See /usr/share/doc/packages/libpam-mount/copyright for the list of original
authors of pam_mount.