josh | 25 Mar 2012 17:10

pammount not unmounting encrypted home on logout

Hi,

I have individually LUKS encrypted home dirs on my system which are
mounted at login via pammount. I have one, maybe two problems that I am
unable to track down, and which may be related.

First of all, the encrypted dirs seem to be getting mounted twice when
the user logs in. Here are the relevant lines in df output after login:

/dev/mapper/_dev_sdb1 57690744 20835188 36269436 37% /home/josh
/dev/sdb1 57690744 20835188 36269436 37% /home/josh

Secondly, and most importantly, the encrypted home partitions are not
being completely unmounted on logout. After logout, only one of the
above has been unmounted, df reports:

/dev/mapper/_dev_sdb1 57690744 20835284 36269340 37% /home/josh

This also happens even if lsof doesn't report any open files for the
user (a common cause of having the partition not unmounted, if memory
serves...)

The relevant line in /etc/security/pam_mount.conf.xml is:

<volume user="josh" mountpoint="/home/josh"
path="/dev/disk/by-uuid/967e7b41-b9cc-48f0-94e8-c2c3eb2a4dd0"
fstype="crypt" />

and this is the only reference to mounting this volume, i.e. no other
mounting lines somewhere in fstab or crypttab. I use disk-by-uuid

Stef Bon | 26 Mar 2012 10:41

Re: pammount not unmounting encrypted home on logout

Hi,

well probably some app is still using the mount directory.

I've been working on constructions (and still do) which mount a
"Media" directory when a user logs in, and other constructions, like
the chroot and (re)mounting to turn the system into a GoboLinux like
system.

What I ran into is that, even after logging out of KDE, there are still
apps using the home directory. I had to make a construction which
kills these first, and then umounts.
Isn't it possible to do a lazy umount with pammount?

I would never use the mounting directly. Better is a construction
which uses pamexec or pamscript, which run scripts at auth, login and
logout, and to create a construction to run scripts in order, where you
have the ability to specify that the login process has to wait for
completion (something like systemd, but then for user sessions).

Stef

2012/3/25 josh <jbuhl_nospam <at> gmx.net>:
> Hi,
>
> I have individually LUKS encrypted home dirs on my system which are
> mounted at login via pammount. I have one, maybe two problems that I am
> unable to track down, and which may be related.
>
> First of all, the encrypted dirs seem to be getting mounted twice when

josh | 2 Apr 2012 10:33

Re: pammount not unmounting encrypted home on logout

I've made some progress on this bug, so I'm forwarding my bug report to
Debian to this list to document it here, too.

-j

-------- Original Message --------
Subject: libpam-mount: pam mounted home directories not unmounted on
logout (and mounted twice)
Date: Mon, 02 Apr 2012 10:18:48 +0200
From: josh <jbuhl_nospam <at> gmx.net>
To: debian bugs <submit <at> bugs.debian.org>
CC: Debian Security Team <team <at> security.debian.org>

Package: libpam-mount
Version: 2.14~git+d1d6f871-1
Severity: important
Tags: security

I have individually LUKS encrypted home dirs on my system which are
mounted at login via pammount, which however do not get successfully
unmounted on logout, leaving them readable for anybody else who logs in
afterwards and has sufficient permissions (which at least partially
defeats the purpose of having pam mounted encrypted home dirs.)

Often, when partitions don't get pam unmounted on logout it is because
of processes (especially pulse audio) which aren't terminating,
leaving open file handles, which prevent the partition from being
unmounted. However, changing the "logout"-line in
/etc/security/pam_mount.conf.xml from:
<logout wait="0" hup="0" term="0" kill="0" />
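A check for the condition reported in this thread, as an added example that is not part of the original messages or of pam_mount: it parses /proc/mounts-style text and flags home directories that are mounted more than once or that stay mounted when their owner has no login session. The function names, the /home/<user> layout and the sample mount lines are assumptions constructed for illustration.

```python
"""Flag home mounts that are duplicated or left behind after logout.

Added example; function names and sample data are constructed. Assumes /home/<user>.
"""
import subprocess
from collections import defaultdict

# Constructed sample in /proc/mounts format, modelled on the df output in the thread.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/_dev_sdb1 /home/josh ext4 rw,relatime 0 0
/dev/sdb1 /home/josh ext4 rw,relatime 0 0
/dev/mapper/_dev_sdc1 /home/alice ext4 rw,relatime 0 0
"""


def home_mounts(mounts_text, home_root="/home"):
    """Return {user: [source devices]} for mounts directly under home_root."""
    found = defaultdict(list)
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        parent, _, user = fields[1].rpartition("/")
        if parent == home_root and user:
            found[user].append(fields[0])
    return dict(found)


def audit(mounts_text, active_users):
    """Return (stale, duplicated): homes mounted with no session, homes mounted twice."""
    mounts = home_mounts(mounts_text)
    stale = sorted(u for u in mounts if u not in active_users)
    duplicated = sorted(u for u, srcs in mounts.items() if len(srcs) > 1)
    return stale, duplicated


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        live = fh.read()
    # `who` prints one line per open login session; the first field is the user.
    who = subprocess.run(["who"], capture_output=True, text=True).stdout
    sessions = {l.split()[0] for l in who.splitlines() if l.split()}
    stale, duplicated = audit(live, sessions)
    print("mounted without a session:", stale)
    print("mounted more than once:", duplicated)
```

Run from cron or a logout hook, a non-empty first list means a decrypted home is still readable after its owner has logged out.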

