Normally when a Linux process forks, the child process shares the same namespace of mounted filesystems as its parent. The unshare() syscall allows a process to obtain a private copy of that namespace. After the call to unshare() the copy is no longer shared with the parent process. In effect, the mount and unmount operations carried out by a process which has called unshare() are private to that process and all its children (as long as they don't themselves call unshare()).
The module pam_namespace also calls unshare() to create a private namespace, but it does so only when it also has to map one or more instances of polyinstantiated directories. The module pam_unshare always calls unshare().
The upshot of using pam_unshare is that it allows the segregation of mount and unmount operations across sessions, even multiple sessions launched by the same user. If Joe logs in twice and PAM has been configured to use pam_unshare for the two sessions, then the mounts performed by Joe in the first session are not going to be visible in the second session and vice versa.
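To illustrate the segregation described above, here is an added C example (my own, not part of the patch or of pam_unshare): the child calls unshare(CLONE_NEWNS) and compares its mount-namespace identity with the parent's via the inode of /proc/self/ns/mnt. unshare(CLONE_NEWNS) needs CAP_SYS_ADMIN, so an unprivileged run gets EPERM and the check reports 0 rather than 1.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Identity of the caller's mount namespace: the inode of /proc/self/ns/mnt.
 * Two processes in the same namespace see the same inode. Returns 0 when
 * the kernel or /proc does not expose it. */
static unsigned long mount_ns_id(void)
{
    struct stat st;
    if (stat("/proc/self/ns/mnt", &st) != 0)
        return 0;
    return (unsigned long)st.st_ino;
}

/* What pam_unshare does at session open: give the caller a private copy of
 * the mount namespace. Returns 0 on success, -1 with errno set (EPERM without
 * CAP_SYS_ADMIN, ENOSYS on kernels predating mount namespaces). */
static int private_mount_ns(void)
{
    return unshare(CLONE_NEWNS);
}

/* Fork, unshare in the child, and report whether the child ended up in a
 * different mount namespace from the parent:
 *   1 = segregated, 0 = unshare() failed (still shared), -1 = fork/wait error. */
static int child_gets_own_mount_ns(void)
{
    unsigned long parent_ns = mount_ns_id();
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Before unshare() the child shares the parent's namespace. */
        int segregated = private_mount_ns() == 0 && mount_ns_id() != parent_ns;
        _exit(segregated ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = child_gets_own_mount_ns();
    if (r == 1)
        puts("child has a private mount namespace; its mounts stay invisible here");
    else if (r == 0)
        printf("unshare(CLONE_NEWNS) failed: %s (need CAP_SYS_ADMIN)\n", strerror(errno));
    return r < 0;
}
```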
I'm attaching a patch against the CVS repository as it was around 2008/09/19. The "cvs diff" command was not producing anything intelligent so I used "diff" directly. The command:
$ chmod +x modules/pam_unshare/tst-pam_unshare
should also be issued, otherwise make check will fail.
patch to add pam_unshare to PAM