sudo does not make admins escape from the sandboxes

[KellerFuchs]

We are using pam_namespace's unmnt_remnt option, which should make pam_namespace perform a namespace switch when changing users.
Yet, sudo-ing to root doesn't make one escape the mount namespaces.

However, SSH-ing as root gives the expected result (no mount namespaces), so it isn't a misconfiguration on that side.

[KellerFuchs]

pam_namespace fails to umount due to the /dev/pts mount:

Feb 23 03:24:14 to1 sudo[29103]: kellerfuchs : TTY=pts/1 ; PWD=/home/kellerfuchs/admin-tools ; USER=root ; COMMAND=/bin/journalctl -f
Feb 23 03:24:14 to1 sudo[29103]: pam_namespace(sudo:session): Unmount of /dev failed, Device or resource busy
Feb 23 03:24:14 to1 sudo[29103]: pam_unix(sudo:session): session opened for user root by (uid=0)

[daurnimator]

What is holding /dev open/in use?

[KellerFuchs]

On Sun, Feb 26, 2017 at 02:47:53PM -0800, daurnimator wrote: What is holding /dev open/in use?

At least the /dev/pts mountpoint, as mentionned earlier.

[daurnimator]

okay, to go down the rabbit hole: why isn't /dev/pts being umounted first?

[KellerFuchs]

IIRC, I looked in the pam_namespace code, and it's an ode to Cthulhu written in nightmare ink.
I have no idea if it that's a bug, or just not supported (but the manpage doesn't say anything about it...).