[Bug 463524] New: pam_mount (0.47-12.11) does not mount from luserconf
https://bugzilla.novell.com/show_bug.cgi?id=463524

Summary: pam_mount (0.47-12.11) does not mount from luserconf
Product: openSUSE 11.1
Version: Final
Platform: i586
OS/Version: openSUSE 11.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: werner.flamme@ufz.de
QAContact: qa@suse.de
Found By: ---

Hi all,

pam_mount [pam_mount-0.47-12.11] is giving me grey hairs again :-(

First, there is an additional pam_mount password prompt, though pam_mount uses the try_first_pass or use_first_pass option every time it is found in /etc/pam.d/*.

Second, it does not mount from the luserconf file. In /etc/security/pam_mount.conf.xml, I have four entries like:

<volume user="*" fstype="cifs" server="conserv1.leipzig.ufz.de" path="ufzall" mountpoint="~/Documents/NetMounts/ufzall" options="dir_mode=0755,file_mode=0644,mapchars,domain=INTERN" />

They are all mounted. In ~/.pam.mount.conf.xml, there is an entry

<volume user="licht" fstype="cifs" server="webdev.leipzig.ufz.de" path="coder" mountpoint="~/Documents/NetMounts/coder" options="dir_mode=0750,file_mode=0640,mapchars,domain=INTERN" />

This is not mounted.

In /var/log/messages, I find:

login[11642]: pam_mount(rdconf1.c:673) path to luserconf set to /home/licht/.pam_mount.conf.xml
login[11642]: pam_mount(pam_mount.c:259) pam_mount 0.47: entering auth stage
login[11642]: pam_mount(pam_mount.c:191) enter read_password
login[11642]: pam_mount(pam_mount.c:294) saving authtok for session code (authtok=0x8061bb8)
login[11642]: pam_mount(rdconf1.c:673) path to luserconf set to /home/licht/.pam_mount.conf.xml
login[11642]: pam_mount(pam_mount.c:437) pam_mount 0.47: entering session stage
login[11642]: pam_mount(pam_mount.c:458) back from global readconfig
login[11642]: pam_mount(pam_mount.c:462) going to readconfig user
login[11642]: pam_mount(pam_mount.c:467) back from user readconfig
login[11642]: pam_mount(misc.c:45) Session open: (uid=0, euid=0, gid=0, egid=0)
login[11642]: pam_mount(rdconf2.c:190) checking sanity of volume record (coder)
login[11642]: pam_mount(rdconf2.c:131) checking sanity of luserconf volume record (coder)
login[11642]: pam_mount(rdconf2.c:71) option "nodev" required
login[11642]: Luser volume for /home/licht/Documents/NetMounts/coder is missing options that are required by global <mntoptions>
login[11642]: pam_mount(rdconf2.c:44) option "dir_mode" not allowed
login[11642]: Luser volume for /home/licht/Documents/NetMounts/coder has options that are not allowed per global <mntoptions>

Since in /etc/security/pam_mount.conf.xml I read

<mntoptions deny="suid,dev" />

as the only valid mntoptions entry, this is a "false fault" in my eyes. In 11.0 [pam_mount-0.35-15.6], the same entry works (for user "wflamme" at least).

Can I do anything to have the entries in luserconf honored again?

Regards,
Werner

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Marcus Meissner <meissner@novell.com> changed:

  AssignedTo: bnc-team-screening@forge.provo.novell.com -> mc@novell.com
Comment #1 from Michael Calmer <mc@novell.com> 2009-01-10 08:43:25 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c1)

Michael Calmer <mc@novell.com> changed:

  Status:     NEW -> RESOLVED
  Resolution:     -> INVALID

If I remember correctly, we had a security fix for pam_mount (11.0) because of these ignored options. Thank you for testing that this is working.

You can simply define what options are allowed, what options should be denied and what options are required. But you must do this in /etc/security/pam_mount.conf.xml. Normal users can only use what the admin allows them to use.

########### from /etc/security/pam_mount.conf.xml #############
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other"/>
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev"/>
################################################################

Closing as "invalid" because this is a misconfiguration.
Comment #2 from Werner Flamme <werner.flamme@ufz.de> 2009-01-12 01:42:50 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c2)

Michael, I am sure to have no misconfiguration. When I move the entry from ~/.pam_mount.conf.xml to /etc/security/pam_mount.conf.xml, the mount succeeds. Without changing any option, just changing user="licht" to user="*".

BTW, I changed <mntoptions require="nosuid,nodev"/> to <mntoptions deny="suid,dev" /> in order to avoid exactly those errors I get now. The original line is commented out. The changed line is simply ignored.

I know that you fixed a pam_mount error for 11.0, but this error happens in 11.1.

Regards,
Werner
Comment #3 from Michael Calmer <mc@novell.com> 2009-01-12 05:26:06 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c3)

Michael Calmer <mc@novell.com> changed:

  Status:     RESOLVED -> REOPENED
  CC:         -> jengelh@medozas.de
  Resolution: INVALID ->

Mounting cifs via luserconf works for me. You must add your special options to <mntoptions allow="..." />.

But you are right that the required and deny options are ignored. So I reopen this.

Jan: or is there a reason why in src/rdconf2.c: luserconf_volume_record_sane() the checks for required_ok() and deny_ok() only print log messages and do not "return false" like allow_ok() does?
Comment #4 from Jan Engelhardt <jengelh@medozas.de> 2009-01-12 06:31:29 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c4)

Yes, returns were missing.
http://dev.medozas.de/gitweb.cgi?p=pam_mount;a=commitdiff;h=384e86e33a14ce8d...
Comment #5 from Michael Calmer <mc@novell.com> 2009-01-12 07:31:55 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c5)

Michael Calmer <mc@novell.com> changed:

  Status:     REOPENED -> RESOLVED
  Resolution:     -> FIXED

Fix submitted
Comment #6 from Werner Flamme <werner.flamme@ufz.de> 2009-02-06 08:41:57 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c6)

OK, the fix is submitted. Any chance to see the fixed version in a repository for oS 11.1? If so, which one do I have to add? Linux-PAM is already in my list, update too ;-), and I do not find it in home:j-engel or home:mcalmer.

@Michael: I do not use the "allow" part of the mntoptions tag, I use the "deny" part since it is simpler to manage ;-) And if I had to change mntoptions: why does this very mount work when in the global config instead of being in the luserconf file? Ah, I heard PAM was developed by Sun, this might explain it 8-)

Regards,
Werner
Comment #7 from Jan Engelhardt <jengelh@medozas.de> 2009-02-06 09:04:30 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c7)

For the umpteenth time, I do not have any repo in OBS, so whatever home:j-engel is, it is NOT mine. But try http://tinyurl.com/jengftp/SUSE-11.1

> why does this very mount work when in the global config instead of being in the luserconf file?

The allow/deny/require restrictions are only for luserconf files. Only root can edit the global volume list, so when s/he does, we assume root knows what root is doing.
Comment #8 from Michael Calmer <mc@novell.com> 2009-02-06 09:26:38 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c8)

I searched a little bit around and found this repository:

http://download.opensuse.org/update/11.1-test/

The pam_mount update is available there. But be careful with using this repo. It holds untested patches.
Comment #9 from Werner Flamme <werner.flamme@ufz.de> 2009-02-09 01:24:12 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c9)

@Jan: I am very sorry, I did not know that home:j-engel did not belong to you. Thank you very much for making this very clear to me. I did not know that suser-jengelh is still the place where you put your work :-( (I disabled this repo in 10.3 (I think), because the packages provided there did not match very well with the other software from the release, it needed more up-to-date libs and so on...

So, when the mntoptions tag is for luserconf only, and it is set to deny="suid,dev", it may not interfere with the cifs mounts I have inside the luserconf file, since there is no option like suid or dev.

@Michael: thank you, I did a "rpm -Uvh http://download.opensuse.org/update/11.1-test/rpm/x86_64/pam_mount-0.47-12.1..." and will see tomorrow if it works...

Regards,
Werner
Comment #10 from Werner Flamme <werner.flamme@ufz.de> 2009-02-10 01:37:57 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c10)

Created an attachment (id=271437) --> (https://bugzilla.novell.com/attachment.cgi?id=271437)
Three files (2 config, 1 log) for my problem

Hi everyone.

The version from update/11.1-test does not solve my problem. Again I see the ominous 'pam_mount(rdconf2.c:71) option "nodev" required' in the logs. I don't think the bug is fixed... :-(

I attach a zipped tar file (-cvzf), containing:
- the global config file pam_mount.conf.xml
- the luserconf file ~/.pam_mount.conf.xml
- a part of /var/log/messages after my login (grep login /var/log/messages | grep 'Feb 10')

As far as I can see - and as far as kxml shows me - the valid option of mntoptions is deny="suid,dev". Where does the error showing up in the logs result from?

Regards,
Werner
Comment #11 from Michael Calmer <mc@novell.com> 2009-02-10 02:09:45 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c11)

I think this is wanted by the author. The options_require array is initialized with "nosuid,nodev" in the code. If you do not specify "require" on your own, the default is used.

So please try to specify "require". It must have at least one value to overwrite the default. Or simply add nodev and nosuid to .pam_mount.conf.xml.

I think the original bug is fixed and it works now like it should work.

Jan:

<!--
The options listed in this directive are required for all volumes from a user config file. That is, any volume specified in a user config file that does not include these options will be ignored.

Note: you must make sure that a required option is permitted (either by including it in options_allow, or by not including it in options_deny). I recommend requiring at least nosuid and nodev.

This is ignored completely if the volume is configured to get its options and mount point from /etc/fstab.

<mntoptions require="nosuid,nodev" />
-->

Maybe you can say more explicitly that this is the default.
Comment #12 from Jan Engelhardt <jengelh@medozas.de> 2009-02-10 02:39:09 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c12)

Since oodles of time, the config already reads:

<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_o
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
Comment #13 from Werner Flamme <werner.flamme@ufz.de> 2009-02-10 03:03:10 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c13)

@Jan: How short "oodles of time" may be... ;-)

Your citation says "Note that commenting out mntoptions will give you the defaults.": I did not comment it out, I have a non-commented '<mntoptions deny="suid,dev" />' entry in the file. The bazillion samples are commented out, of course.

"You will need to explicitly initialize it with the empty string to reset the defaults to nothing": Again, I do not think I have a problem here. Do I have to "reset the defaults to nothing" though having a valid configuration entry? Does <mntoption /> require multiple settings? Isn't it enough to give '<mntoptions deny="suid,dev" />', must I have an additional '<mntoptions allow="*" />' entry?

I have used pam_mount for years (SUSE 8.2, I think), and even in oS 11.0 this was not the case. I had to have one entry for mntoptions, and that was it. And this is the way I understand "Note: you must make sure that a required option is permitted (either by including it in options_allow, or by not including it in options_deny)" from Michael's citation.

In openSUSE 10.3 (just 2 SUSE versions ago), the respective comment was:

---snip---
# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive wil be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and all others
# permitted.
#
# You may use the wildcard '*' to match all options.
# I recommend not permitting the suid and dev options.
#
#options_allow nosuid,nodev,loop,encryption,fsck
options_deny suid,dev
#options_allow *
#options_deny *
---pins---

So, here it was "You must include one of these directives[...] You may not include both directives." Whoever it was that said "I recommend not permitting the suid and dev options", I followed this recommendation... and I still do.

Regards,
Werner
Comment #14 from Jan Engelhardt <jengelh@medozas.de> 2009-02-10 05:18:07 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c14)

A short oodle here refers to a timespan of almost 17 weeks/4 months:

5e82ecc6 (Jan Engelhardt 2008-10-14 14:02:06 -0400 20) <!-- Note that commenting

> Isn't it enough to give '<mntoptions deny="suid,dev" />', must I have an additional '<mntoptions allow="*" />' entry?

Yes, you will need allow="*" to allow really all potential options. (suid,dev are still excluded.) The default, as you can see, is just a list of well-known non-malicious options.

> I had to have one entry for mntoptions

mntoptions have always been like this. Well, except that it supports both allow and deny these days.
Comment #15 from Werner Flamme <werner.flamme@ufz.de> 2009-02-10 05:31:04 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c15)

Jan, that's great! Now I have 3 lines in my /etc/security/pam.mount.conf.xml:

<mntoptions require="" />
<mntoptions allow="*" />
<mntoptions deny="suid,dev" />

The result is (for one mount, as example):

Feb 10 13:27:52 rz36 login[14950]: Luser volume for /home/wflamme/Documents/NetMounts/coder is missing options that are required by global <mntoptions>

Gnarf. Where do I unset the "options that are required by global <mntoptions>"? Is it only one <mntoptions /> tag with all three attributes? This is not clear from the comments :-(

Regards,
Werner
Comment #16 from Jan Engelhardt <jengelh@medozas.de> 2009-02-10 07:32:53 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c16)

> Is it only one <mntoptions /> tag with all three attributes?

The conf reader does not care if you have three <mntoptions> with one attribute, or one <mntoptions> with three attributes (or two-two, whatever other combinations there are).
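An added illustration of the luserconf policy semantics described in comments #11, #14 and #16 (defaults for allow/require, allow="*" still subject to deny, several <mntoptions> tags merged into one policy), run against the reporter's global <mntoptions> and the "coder" volume from the bug description. This is a model written for this page, not pam_mount's own code from src/rdconf2.c; the default option lists are the ones quoted in comments #1 and #11, and the <pam_mount> wrapper around the samples is constructed.

```python
import xml.etree.ElementTree as ET

# Defaults quoted in comments #1 and #11. They apply when the attribute is
# absent; only an explicit empty string clears them (comment #12).
DEFAULT_ALLOW = {"nosuid", "nodev", "loop", "encryption", "fsck",
                 "nonempty", "allow_root", "allow_other"}
DEFAULT_REQUIRE = {"nosuid", "nodev"}


def parse_mntoptions(global_xml: str) -> dict:
    """Merge every <mntoptions> element of the global config into one policy.
    Per comment #16, three tags with one attribute each and one tag with
    three attributes are equivalent; a later attribute overrides an earlier one."""
    policy = {"allow": None, "deny": None, "require": None}
    for el in ET.fromstring(global_xml).iter("mntoptions"):
        for key in policy:
            if key in el.attrib:
                policy[key] = {o for o in el.attrib[key].split(",") if o}
    if policy["allow"] is None:
        policy["allow"] = DEFAULT_ALLOW
    if policy["require"] is None:
        policy["require"] = DEFAULT_REQUIRE
    if policy["deny"] is None:
        policy["deny"] = set()
    return policy


def option_names(options: str) -> set:
    """'dir_mode=0750,mapchars' -> {'dir_mode', 'mapchars'}: key=value
    options are judged by their name only."""
    return {o.split("=", 1)[0] for o in options.split(",") if o}


def luserconf_volume_problems(policy: dict, options: str) -> list:
    """Reasons a luserconf volume would be rejected, or [] if it passes.
    Only luserconf volumes are checked; global volumes are root's (comment #7).
    pam_mount logs the first offending option per check; this lists all."""
    names = option_names(options)
    problems = [f'option "{o}" required' for o in sorted(policy["require"] - names)]
    problems += [f'option "{o}" denied' for o in sorted(names & policy["deny"])]
    if "*" not in policy["allow"]:  # allow="*" admits everything not denied
        problems += [f'option "{o}" not allowed' for o in sorted(names - policy["allow"])]
    return problems


# Constructed samples: the reporter's global policy (comment #2) and the
# luserconf "coder" volume options from the bug description.
REPORTED_GLOBAL = '<pam_mount><mntoptions deny="suid,dev" /></pam_mount>'
CODER_OPTIONS = "dir_mode=0750,file_mode=0640,mapchars,domain=INTERN"
# The three-line policy from comment #15, which resets require to nothing.
RESET_GLOBAL = """<pam_mount>
  <mntoptions require="" />
  <mntoptions allow="*" />
  <mntoptions deny="suid,dev" />
</pam_mount>"""

if __name__ == "__main__":
    for label, cfg in (("reported", REPORTED_GLOBAL), ("reset", RESET_GLOBAL)):
        print(label, luserconf_volume_problems(parse_mntoptions(cfg), CODER_OPTIONS))
```

Under the reported policy the model rejects the volume for the same two reasons the syslog shows (nodev required, dir_mode not allowed); the unchanged deny="suid,dev" still blocks a dev option even with allow="*".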
Comment #17 from Werner Flamme <werner.flamme@ufz.de> 2009-02-10 10:25:05 MST (https://bugzilla.novell.com/show_bug.cgi?id=463524#c17)

Ah, OK. So the conf reader knows that I do not require anything, I allow everything but suid and dev. Right?

But why do I still find "is missing options that are required by global <mntoptions>" in my logs? When it is a config problem, blame on me. But I don't understand it yet :-(

OK, finish for today...

Regards,
Werner