This pam_chroot module provides session support only. It is based almost entirely on Matthew Kirkwood's original version obtained from ftp://ferret.lmh.ox.ac.uk/users/weejock/pam_chroot/. Operation: When the calling application attempts to open a session, pam_chroot opens /etc/security/chroot.conf and searches for a line of the form: user directory where the "user" listed is actually a regular expression. If the PAM_USER for whom the session is being opened matches the regular expression, the module will attempt to chroot() to the given directory. Optional arguments: "debug" Log debug messages to syslog. "onerr=" Values can be "succeed" or "fail". The action to take if the configuration file can not be opened, the chroot() fails, or the user does not match any of the expressions listed in the configuration file. Default is "succeed". Other Notes: The calling application must be executing with root privileges in order to be able to chroot() at all. If the application needs to exec() other programs (such as a server process or spawning a shell), you will need to duplicate some portions of an actual root environment under the chroot()ed directory in order for it to work at all. (This includes configuration and logging files.) If configured incorrectly, this module may potentially render the service unusable and, under some circumstances, pose a security risk. In particular, the new root directory and all of its parent directories must not be writable by anyone but root.