[Bug 461333] New: pam_mount: crypted home directories are not unmounted on logout
https://bugzilla.novell.com/show_bug.cgi?id=461333
Summary: pam_mount: crypted home directories are not unmounted on logout
Product: openSUSE 11.1
Version: Final
Platform: 64bit
OS/Version: openSUSE 11.1
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: e.kunig@home.nl
QAContact: qa@suse.de
Found By: Customer
I have set up a crypted home directory for myself. It is not unmounted on
logout. Therefore I get more and more active mounts and loop devices with each
login. After 7 logins, logging in is no longer possible, as no more loop devices
are left. Even worse, my home directory is not protected after logout, as it is
still mounted.
I have added some logging to /sbin/umount.crypt. I have found that pulseaudio
is not terminating quickly enough. Therefore my home directory is busy when
pam_umount tries to unmount it. Here are the logged messages:
Dec 21 18:13:04 zappa logger: umount.crypt: /home/egbert
Dec 21 18:13:05 zappa umount.crypto: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Dec 21 18:13:05 zappa umount.crypto: pulseaudi 10493 egbert 21uW REG 253,24 13159 262161 /home/egbert/.pulse/982b04cfa1ba0ba3dccea400478cfd28:stream-volumes.x86_64-suse-linux-gnu.gdbm
Dec 21 18:13:05 zappa umount.crypto: pulseaudi 10493 egbert 22uW REG 253,24 13189 262191 /home/egbert/.pulse/982b04cfa1ba0ba3dccea400478cfd28:device-volumes.x86_64-suse-linux-gnu.gdbm
Dec 21 18:13:05 zappa umount.crypto: umount: /home/egbert: device is busy.
Dec 21 18:13:05 zappa umount.crypto: (In some cases useful info about processes that use
Dec 21 18:13:05 zappa umount.crypto: the device is found by lsof(8) or fuser(1))
Dec 21 18:13:05 zappa umount.crypto: umount.crypt: error unmounting /home/egbert
Dec 21 18:14:23 zappa root: umount.crypt: /home/egbert
Dec 21 18:14:24 zappa umount.crypto: ioctl: LOOP_CLR_FD: No such device or address
Dec 21 18:14:24 zappa umount.crypto: umount.crypt: error removing /dev/loop2
As a workaround I have deactivated pulseaudio by removing the executable
permission:
chmod a-x /usr/bin/pulseaudio
This bug is critical, as data are not protected while the user might rely on
this.
There is a comment in /sbin/umount.crypt, line 57-60:
#
#
--- Comment #1 from Marcus Meissner
--- Comment #2 from mc@novell.com
--- Comment #3 from Michael Calmer
--- Comment #4 from Egbert König
Created an attachment (id=264313) --> (https://bugzilla.novell.com/attachment.cgi?id=264313) [details] patch for the logout problem
I have tried to build pam_mount from the source rpm with your patch. It was not possible because of dependencies on libHX which I could not resolve. First rpmbuild requested libHX-devel for the build, which is not available for openSuSE 11.1. I have removed that from the spec file, but then configure could not run pkgconfig for libHX. I have changed the dependency in configure.ac to libHX13, which is available for openSuSE 11.1, but pkgconfig was still not successful.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #5 from Jan Engelhardt
--- Comment #6 from Egbert König
--- Comment #7 from Egbert König
--- Comment #8 from Egbert König
--- Comment #9 from Jan Engelhardt
> I have installed pam_mount 1.8 from the openSuSE build service (home:jnelson-suse)
I have absolutely zero idea why users needlessly rebuild packages (hint: suser-jengelh was just below it). Anyway,
> Jan 11 23:40:58 zappa login[32727]: pam_mount(mount.c:78): Command failed: No key available with this passphrase.
This is from cryptsetup.
> Jan 11 23:40:57 zappa login[32727]: command: [mount.crypt] [-ofsk_cipher=aes-256-cbc] [-ofsk_hash=sha1] [-okeyfile=/home/egbert.key] [/home/egbert.img] [/home/egbert]
You could try calling mount.crypt manually from a root shell whilst adding -v, to see how cryptsetup is called:
mount.crypt -v -ofsk_cipher=aes-256-cbc,fsk_hash=sha1 -okeyfile=/home/egbert.key /home/egbert.img /home/egbert
--- Comment #10 from Michael Calmer
> The problem was fixed in pam_mount 1.3 already (and without requiring another 256 bytes of stack storage).
Jan: Sorry, but your fix seems to be wrong. You append /fd in ofl_taskfd(), but this function expects that it is already "in" /fd. Appending /fd in ofl_task() should work.
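As an added illustration (written for this page, not pam_mount's own ofl code), here is the kind of open-file scan the previous two comments argue about: before umount.crypt is attempted, walk /proc/<pid>/fd and report which processes still hold files beneath the mountpoint, which is what lsof showed for pulseaudio in the original report. The names under_mount, task_holds and ofl_scan are this example's own; the "/fd" suffix is appended exactly once, at the per-task level, as comment #10 describes.

```c
#define _GNU_SOURCE            /* readlink(), PATH_MAX on glibc */
#include <ctype.h>
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Nonzero if path is mnt or below it; "/home/egbert2" must not match "/home/egbert". */
int under_mount(const char *path, const char *mnt)
{
    size_t n = strlen(mnt);
    return strncmp(path, mnt, n) == 0 && (path[n] == '\0' || path[n] == '/');
}
/* One task's fd table: like ofl_taskfd() in comment #10 it expects the
 * complete ".../fd" directory and appends nothing itself. */
static int task_holds(const char *fddir, const char *mnt)
{
    DIR *d = opendir(fddir);
    struct dirent *de;
    char link[PATH_MAX], target[PATH_MAX];
    if (d == NULL) return 0;      /* another user's task, or already gone */
    while ((de = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0])) continue;   /* ".", ".." */
        snprintf(link, sizeof link, "%s/%s", fddir, de->d_name);
        ssize_t len = readlink(link, target, sizeof target - 1);
        if (len < 0) continue;    /* fd closed between readdir and readlink */
        target[len] = '\0';
        if (under_mount(target, mnt)) { closedir(d); return 1; }
    }
    closedir(d);
    return 0;
}
/* Walk /proc, appending "/fd" exactly once per task (the ofl_task() level),
 * and store up to max PIDs holding something under mnt; -1 if no /proc. */
int ofl_scan(const char *mnt, pid_t *out, int max)
{
    DIR *proc = opendir("/proc");
    struct dirent *de;
    char fddir[64];
    int n = 0;
    if (proc == NULL) return -1;
    while (n < max && (de = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0])) continue;   /* not a PID */
        snprintf(fddir, sizeof fddir, "/proc/%s/fd", de->d_name);
        if (task_holds(fddir, mnt)) out[n++] = (pid_t)atoi(de->d_name);
    }
    closedir(proc);
    return n;
}
```

A nonzero count is exactly the "device is busy" case from the first comment: the unmount will fail and the crypted home stays mounted, which is why the final comment ends up configuring a logout wait plus TERM/KILL for leftover session processes.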
--- Comment #11 from Jan Engelhardt
--- Comment #12 from Michael Calmer
--- Comment #13 from Egbert König
> Fix submitted
Where can I find this fix? It is not in the openSuSE update repository.
--- Comment #14 from Michael Calmer
--- Comment #15 from Jan Engelhardt
--- Comment #16 from Egbert König
> ftp://ftp5.gwdg.de/pub/linux/misc/suser-jengelh/SUSE-11.1/x86_64/pam_mount-1.9-jen0.x86_64.rpm
Thank you, I have checked it out together with libHX18 and tested it. I still get the error "pam_mount(mount.c:78): Command failed: No key available with this passphrase."
--- Comment #17 from Jan Engelhardt
--- Comment #18 from Egbert König
--- Comment #19 from Jan Engelhardt
--- Comment #20 from Egbert König
--- Comment #21 from Jan Engelhardt
--- Comment #22 from Egbert König
> pam_mount before 1.0 always used md5 for fsk_hash. You need to use that instead of sha1 then.
mount.crypt -v -ofsk_cipher=aes-256-cbc,fsk_hash=md5,keyfile=/home/egbert.key /home/egbert.img /home/egbert works. Here is the output:
command: [readlink] [-fn] [/home/egbert.img]
command: [readlink] [-fn] [/home/egbert]
Password:
mount.crypt(loop.c:124): Setting up loop device for file /home/egbert.img
mount.crypt(loop.c:135): Using /dev/loop0
mount.crypt(crypto-dmc.c:137): Using _home_egbert_img as dmdevice name
command: [cryptsetup] [luksOpen] [/dev/loop0] [_home_egbert_img]
Command successful. key slot 0 unlocked.
command: [mount] [-n] [/dev/mapper/_home_egbert_img] [/home/egbert]
umount.crypt -v /home/egbert does not work. Here is the output:
Command failed.
umount.crypt(crypto-dmc.c:160): Could not unload dm-crypt device "/dev/mapper/_home_egbert_img", cryptsetup returned HXproc status 237
I will provide strace output in an attachment. pam_mount still does not work. I will attach debug messages from /var/log/messages and pam_mount.xml.
--- Comment #23 from Egbert König
--- Comment #24 from Egbert König
--- Comment #25 from Egbert König
--- Comment #26 from Jan Engelhardt
> cryptsetup returned HXproc status 237
> 16701 execve("/sbin/cryptsetup", ["cryptsetup", "remove", "O\25@"], [/* 74 vars */]) = 0
Something looks fishy yet. Can you try `valgrind umount.crypt /mnt`?
--- Comment #27 from Egbert König
--- Comment #28 from Egbert König
--- Comment #29 from Jan Engelhardt
--- Comment #30 from Michael Calmer
> The hash option didn't help. Why is this bug marked "resolved" and closed? I haven't seen a working fix yet, neither "official" through YOU update nor "unofficial" through this ticket.
As I said in Comment #14 it will take some time. Our policy says: mark this bug as fixed as soon as the fix is submitted in our buildsystem. Btw: this bug was about unmounting not working. This does not include issues with the latest upstream version. But it looks like they are now solved too :-)
--- Comment #31 from Jan Engelhardt
--- Comment #32 from Egbert König
> Ok I had already eyeballed that one. http://dev.medozas.de/gitweb.cgi?p=pam_mount;a=commitdiff;h=c611578ae9c39ef8... Will release packaged update tomorrow.
mount.crypt and umount.crypt now work fine. The automatic mount on login however still does not work. I will create an attachment with debug output from /var/log/messages. There is one interesting sequence:
Jan 27 19:27:06 zappa login[12459]: pam_mount(mount.c:181): Mount info: globalconf, user=egbert <volume server="(null)" path="/home/egbert.img" mountpoint="/home/egbert" cipher="(null)" fskeypath="/home/egbert.key" fskeycipher="aes-256-cbc" fskeyhash="md5" options="loop" /> fstab=0
Jan 27 19:27:06 zappa login[12459]: pam_mount(mount.c:494): checking for encrypted filesystem key configuration
Jan 27 19:27:06 zappa login[12459]: pam_mount(mount.c:497): about to start building mount command
Jan 27 19:27:06 zappa login[12459]: command: [mount.crypt] [-o] [loop] [/home/egbert.img] [/home/egbert]
The options (including the key hash) are read correctly from the configuration file but they are not passed to mount.crypt. The mount.crypt command line is just
mount.crypt -o loop /home/egbert.img /home/egbert
while it should contain the fsk_... options as well. Without these options the key cannot be found in the key file.
--- Comment #33 from Egbert König
--- Comment #34 from Jan Engelhardt
--- Comment #35 from Egbert König
> Make sure /etc/security/pam_mount.conf.xml does not override the mountcrypt command. Ideally, /etc/security/pam_mount.conf.xml should only contain what is in http://dev.medozas.de/gitweb.cgi?p=pam_mount;a=blob;f=config/pam_mount.conf.... plus your volume definitions or specific overrides. I am afraid many people carry the cruft from previous versions in their config files, but what's more, we cannot easily remove such definitions from the cfg file (because it might have been put there on purpose by the user) :-/
Thanks, that was it. I have reinstalled your pam_mount 1.17 rpm, and this time I have not reused my old pam_mount.conf.xml but instead I have just moved the volume line from there to the new template. I still had to enter <logout wait="2000" hup="0" term="1" kill="1" /> as pulseaudio does not terminate at session end, but this is not a pam_mount issue.