pmvarrun - updates /var/run/pam_mount/user
pmvarrun -u user [options]
A separate program is needed so that /var/run/pam_mount/user may be
created with a pam_mount-specific security context (otherwise SELinux
policy will conflict with gdm, which also creates file in /var/run).
pmvarrun is flexible and can run in a number of different security
When pmvarrun is invoked as root, /var/run/pam_mount’s permission
settings can be as strict as needed; usually (0755,root,root) is a good
pick as it gives users the debug control over their refcount. Refcount
files are given their respective owners (chowned to the user who logs
When invoked as the user who logs in, /var/run/pam_mount needs
appropriate permissions to create a file, which means the write bit
must be set. It is also highly suggested to set the sticky bit in this
case, so other users do not tamper with your refcount.
Some programs or login helpers incorrectly call the PAM stack in a way
that the login phase is done as root and the logout phase as a normal
user. Nevertheless, pmvarrun supports this, and the same permissions
as in root-root can be used. While the user may not be able to unlink
his file from /var/run/pam_mount, it will be truncated to indicate the
--user user, -u user
User to handle, must be a valid username.
--operation number, -o number
Increase volume count by number.
-d Turn on debugging.
This manpage was originally written by Bastian Kleineidam
<firstname.lastname@example.org> for the Debian distribution of libpam-mount but may
be used by others.
See /usr/share/doc/packages/libpam-mount/copyright for the list of
original authors of pam_mount.