diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf
index 00ee52d..b787e5f 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf
@@ -5,5 +5,18 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
+## Used by the pam_tmpdir module to create a secure temporary directory for the
+## user that is logging in.
+## https://manpages.ubuntu.com/manpages/oracular/man8/pam-tmpdir-helper.8.html
+## Apparently specific to Debian, there isn't actually any Git repo with this
+## code in it, it's just a "floating" package in the Debian archive. Written by
+## the same person who maintains the package. Almost certainly cannot be
+## disabled without causing serious problems, but may be worth auditing.
+## (Worthy of note, it doesn't seem this program takes any user input, but
+## relies solely on the calling user's UID and GID, though this could require
+## further review.)
+##
 ## Without this, Xfce fails to start with a dbus-launch error.
+##
+## TODO: audit pam-tmpdir-helper
 pam-tmpdir-helper matchwhitelist