The attached patch fixes another bug found in pam_namespace by Anders Blomdell. If there are processes that are running in the private namespace left after the pam_session_close() is called, they will see the original polyinstantiated directories contents as the bind mounts will be unmounted (at least for directories that are not currently in use by the processes). There is actually no need to do the unmounts. It would be useful only in case there are multiple pam_open/close_session calls called in sequence from a single process. I do not even know of any service that would do this, because it is not fully supported by other modules as well (the state of the process might be quite different from the original state before the first pam_open_session call). However I kept the unmounting code and call it only when unmount_on_close option is used. OK to commit? -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb