pmvarrun - updates /var/run/pam_mount/user
pmvarrun -u user [options]
A separate program is needed so that /var/run/pam_mount/user may be created with a pam_mount-specific security context (otherwise SELinux policy will conflict with gdm, which also creates file in /var/run).
pmvarrun is flexible and can run in a number of different security setups:
When pmvarrun is invoked as root, /var/run/pam_mount's permission settings can be as strict as needed; usually (0755,root,root) is a good pick as it gives users the debug control over their refcount. Refcount files are given their respective owners (chowned to the user who logs in).
When invoked as the user who logs in, /var/run/pam_mount needs appropriate permissions to create a file, which means the write bit must be set. It is also highly suggested to set the sticky bit in this case, so other users do not tamper with your refcount.
Some programs or login helpers incorrectly call the PAM stack in a way that the login phase is done as root and the logout phase as a normal user. Nevertheless, pmvarrun supports this, and the same permissions as in root-root can be used. While the user may not be able to unlink his file from /var/run/pam_mount, it will be truncated to indicate the same state.
This manpage was originally written by Bastian Kleineidam <email@example.com> for the Debian distribution of libpam-mount but may be used by others.
See /usr/share/doc/packages/libpam-mount/copyright for the list of original authors of pam_mount.