[Bug 1038454] New: encrypted home directory is not unmounted when user logs out
http://bugzilla.opensuse.org/show_bug.cgi?id=1038454

Bug ID: 1038454
Summary: encrypted home directory is not unmounted when user logs out
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: x86-64
OS: openSUSE 42.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: cfd_s12@web.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

On a multi-user system I created several user accounts with encrypted home directories by using the "User and Group Management" module in YaST. When user A (with encrypted home) logs out and user B with root access logs in, it is possible for user B to access the files in the home directory of user A. This is not supposed to happen.

I also tried encrypting the home directories using eCryptfs and the problem persists. Therefore I assume it's not a YaST-related bug.

Steps to reproduce:
1) create a new user using YaST, encrypt the home directory
2) login as new user, create a text file
3) logout and login as root
4) try to access home directory of new user (which should be encrypted but is not)

I've also attached a video.

Expected behaviour: Root can't access files in other users' encrypted home directory.

-- 
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1038454#c1
--- Comment #1 from P. Otato

http://bugzilla.opensuse.org/show_bug.cgi?id=1038454#c7
--- Comment #7 from Josef Möllers
Thanks to Thomas Rother and David Kerkhof. The problem is fixed when the following configuration is used:
duda@linux:~> cat /etc/pam.d/sddm
#%PAM-1.0
auth     optional  pam_mount.so
auth     include   common-auth
account  include   common-account
password include   common-password
session  required  pam_loginuid.so
session  include   common-session
session  optional  pam_cryptpass.so
session  optional  pam_mount.so
This should be used in Leap 42.3! Got the solution from Bug 954419
The question remains as to whether this should be added to sddm only or should be put into common-auth and common-session! As it stands, this will only solve the issue when logging in through sddm, but not if e.g. the user logs in through ssh.

My suggestion in Bug 954419 was to put the line

auth     optional  pam_mount.so

into common-auth and the lines

session  optional  pam_cryptpass.so
session  optional  pam_mount.so

so they are available to all applications, not just sddm.
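The point of the comment is that pam_mount.so has to sit in two phases of the PAM stack (auth, where it obtains the password, and session, where it mounts on login and unmounts on the last logout), and that putting the entries into common-auth and common-session makes every service that includes those files behave the same, not just sddm. The shell script below is an added example, not from the bug report, openSUSE or the pam_mount project: it resolves PAM include directives against a directory and reports, per service, whether pam_mount.so appears in both phases. It builds a constructed sample tree under mktemp that mirrors the sddm stack quoted above plus an sshd stack which only includes the common-* files, then applies the suggested move into common-auth/common-session and re-checks. PAM_DIR, pam_effective_stack, pam_mount_phases, make_sample_pamdir and add_pam_mount_to_common are names chosen for this example, not anything PAM ships.

```shell
#!/bin/sh
# Check whether a PAM service stack carries pam_mount.so in both the "auth"
# and the "session" phase, resolving "include"/"substack" directives so that
# entries in common-auth / common-session count for every service that
# includes them. Added example; not part of the bug, openSUSE or pam_mount.
# Limitation: bracketed control fields containing spaces ("[success=1 ...]")
# are not parsed.

PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# Print the effective "<type> <control> <module>" entries of a service file.
# $1 = service file, $2 = keep only entries of this type ("" = all),
# $3 = recursion depth guard. Positional parameters are used throughout so
# the recursion cannot clobber the caller's state.
pam_effective_stack() {
    [ "${3:-0}" -lt 8 ] || return 0
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    while read -r _type _control _module _rest; do
        _type="${_type#-}"                  # "-session" = skip silently if module missing
        [ -z "$2" ] || [ "$_type" = "$2" ] || continue
        case "$_control" in
            include|substack)
                # an "auth include common-auth" line pulls in only the auth
                # entries of the included file
                pam_effective_stack "$PAM_DIR/$_module" "$_type" $(( ${3:-0} + 1 )) ;;
            *)
                printf '%s %s %s\n' "$_type" "$_control" "$_module" ;;
        esac
    done
}

# Report how often pam_mount.so occurs in the auth and session phases of
# service $1; succeed only if both phases carry it.
pam_mount_phases() {
    _stack=$(pam_effective_stack "$PAM_DIR/$1" "" 0)
    _auth=$(printf '%s\n' "$_stack" | awk '$1=="auth" && $3=="pam_mount.so"{n++} END{print n+0}')
    _sess=$(printf '%s\n' "$_stack" | awk '$1=="session" && $3=="pam_mount.so"{n++} END{print n+0}')
    printf '%s: pam_mount.so in auth=%s session=%s\n' "$1" "$_auth" "$_sess"
    [ "$_auth" -gt 0 ] && [ "$_sess" -gt 0 ]
}

# Constructed sample tree: the sddm stack from the bug plus an sshd stack
# that relies on the common-* files alone. Prints the directory name.
make_sample_pamdir() {
    _d=$(mktemp -d)
    printf 'auth    required  pam_env.so\nauth    required  pam_unix.so try_first_pass\n' >"$_d/common-auth"
    printf 'session required  pam_limits.so\nsession required  pam_unix.so try_first_pass\n' >"$_d/common-session"
    cat >"$_d/sddm" <<'EOF'
#%PAM-1.0
auth     optional  pam_mount.so
auth     include   common-auth
account  include   common-account
password include   common-password
session  required  pam_loginuid.so
session  include   common-session
session  optional  pam_cryptpass.so
session  optional  pam_mount.so
EOF
    cat >"$_d/sshd" <<'EOF'
auth     include   common-auth
account  include   common-account
password include   common-password
session  required  pam_loginuid.so
session  include   common-session
EOF
    printf '%s\n' "$_d"
}

# Apply the comment's suggestion to a tree: the auth entry goes into
# common-auth (placed first, mirroring the sddm stack), the two session
# entries are appended to common-session.
add_pam_mount_to_common() {
    { printf 'auth     optional  pam_mount.so\n'; cat "$1/common-auth"; } >"$1/common-auth.new" &&
        mv "$1/common-auth.new" "$1/common-auth"
    printf 'session  optional  pam_cryptpass.so\nsession  optional  pam_mount.so\n' >>"$1/common-session"
}

demo() {
    _dir=$(make_sample_pamdir)
    PAM_DIR="$_dir"
    echo "Before (entries only in /etc/pam.d/sddm):"
    for _s in sddm sshd; do
        pam_mount_phases "$_s" || echo "  -> $_s would neither mount nor unmount the encrypted home"
    done
    add_pam_mount_to_common "$_dir"
    echo "After moving the entries into common-auth/common-session:"
    for _s in sddm sshd; do
        pam_mount_phases "$_s" || echo "  -> still missing for $_s"
    done
    rm -rf "$_dir"
}

demo
```

Pointing PAM_DIR at a copy of a real /etc/pam.d lets the same check run against an installed system, one service at a time (sddm, sshd, login, su).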
http://bugzilla.opensuse.org/show_bug.cgi?id=1038454#c8
--- Comment #8 from Josef Möllers

http://bugzilla.opensuse.org/show_bug.cgi?id=1038454#c10
--- Comment #10 from Josef Möllers
(In reply to Josef Möllers from comment #9)
> The question remains as to whether this should be added to sddm only or should be put into common-auth and common-session! As it stands, this will only solve the issue when logging in through sddm, but not if e.g. the user logs in through ssh.
> My suggestion in Bug 954419 was to put the line "auth optional pam_mount.so" into common-auth and the lines "session optional pam_cryptpass.so" and "session optional pam_mount.so" so they are available to all applications, not just sddm.
> (In reply to Josef Möllers from comment #8)
> The last two lines should be put into common-session!
> I tried your suggested solution and I am able to login but the encrypted home directory is not unmounted after logout.
I just set up my Leap 42.3 VM to mount an unencrypted data directory into my user's HOME directory and it was mounted when I first logged in and umounted when I last logged out again.

I have

<mkmountpoint enable="1" remove="true" />

in /etc/security/pam_mount.conf.xml and my ~/.pam_mount.conf.xml has, effectively, only this one line:

<volume options="nodev,nosuid" user="*" mountpoint="/home/josef/MPGs" path="/mnt/Videos" server="firefly" fstype="nfs" />

Can you
1) enable debug in /etc/security/pam_mount.conf.xml:
-<debug enable="0" />
+<debug enable="1" />
2) completely log out of the system
3) Log-in as "root" (or some other user)
4) "su - <testuser>" and immediately log out again

Step 4 should give you some (understatement of the month) debug output. Please post the output here.
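The symptom this bug is about is a pam_mount volume that is still mounted after its owner's last session has ended. The shell script below is an added example, not from the bug report, openSUSE or pam_mount, that a defender can run after a logout test like the one described in the comment: it reads a file in /proc/mounts format and a file listing the users who currently have a login session, and prints every mount under /home/<user> whose user is not logged in. It assumes the openSUSE layout where the first path component under /home is the user name, and uses constructed sample data (an eCryptfs home for "alice" and "bob" and an NFS volume under /home/josef, with only "root" and "bob" logged in); stale_home_mounts, make_sample_inputs and check_live_system are names chosen for this example.

```shell
#!/bin/sh
# List mounts below /home/<user> whose user has no current login session,
# i.e. volumes pam_mount should already have unmounted.
# Added example; not part of the bug, openSUSE or pam_mount.

# $1 = file in /proc/mounts format (device mountpoint fstype options 0 0)
# $2 = file with one logged-in user name per line
# Output: "<user> <mountpoint> <fstype>" per stale mount.
stale_home_mounts() {
    awk -v users_file="$2" '
        BEGIN {
            # users with a live session; anything else under /home is suspect
            while ((getline u < users_file) > 0) if (u != "") active[u] = 1
        }
        $2 ~ /^\/home\/[^\/]+/ {
            split($2, p, "/")          # "/home/alice/..." -> p[3] == "alice"
            if (!(p[3] in active)) printf "%s %s %s\n", p[3], $2, $3
        }' "$1"
}

# Constructed sample input; prints the directory holding the two files.
make_sample_inputs() {
    _d=$(mktemp -d)
    cat >"$_d/mounts" <<'EOF'
/dev/sda2 / ext4 rw,relatime,data=ordered 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/home/.ecryptfs/bob/.Private /home/bob ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
firefly:/mnt/Videos /home/josef/MPGs nfs rw,nosuid,nodev,vers=3 0 0
EOF
    printf 'root\nbob\n' >"$_d/users"
    printf '%s\n' "$_d"
}

# Same check against the running system: sessions from who(1), mounts from
# /proc/mounts. Must run as root to see other users' mount entries in full.
check_live_system() {
    _u=$(mktemp)
    who | awk '{print $1}' | sort -u >"$_u"
    stale_home_mounts /proc/mounts "$_u"
    rm -f "$_u"
}

_demo=$(make_sample_inputs)
echo "stale home mounts (sample data):"
stale_home_mounts "$_demo/mounts" "$_demo/users"
rm -rf "$_demo"
```

On the sample data the report names alice (eCryptfs home still mounted) and josef (NFS volume under his home) and stays silent about bob, who is logged in. The live variant is a heuristic: who(1) only records login sessions, so a volume held open by an `su - <testuser>` session that is still running will be reported even though a session exists; check `loginctl list-sessions` in that case before treating a line as a pam_mount failure.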