Mailinglist Archive: opensuse-bugs (6221 mails)

[Bug 1087749] New: pam_mount with LUKS encrypted /home partition unwarily umounts /home at logout
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 02 Apr 2018 10:32:06 +0000
  • Message-id: <bug-1087749-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1087749


Bug ID: 1087749
Summary: pam_mount with LUKS encrypted /home partition unwarily umounts /home at logout
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: i686
OS: openSUSE 42.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@xxxxxxxxxxxxxxxxxxxxxx
Reporter: ChG@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

LUKS-encrypted /home partition gets un-mounted at logout of any user, even when
there are still other users logged in, effectively kicking them out.

The /home partition (common to all users) as a whole is encrypted - for
collaboration reasons, we don't use individual /home/<user> containers
separately encrypted.

Details:
The /home partition is a LUKS device on /dev/sda4, with passwords of several
users in the LUKS device's key slots. Concurrent login of several users works,
but logging out any one of them kicks all others out, due to /home being
forcibly umount'ed.

This is unacceptable for a workstation used by several users - even root is
affected when its login shell happens to have 'cd'ed into any of the /home
subdirectories.

Furthermore, it renders the "Switch User" function of the (KDE) login screen
useless: user A logs in, leaves the desktop and his screen locks up, user B
"switches user" to himself, does his work and logs out again - user A is kicked
off the system, losing all unsaved work.

How the volume was created and users were added:
# cryptsetup --verify-passphrase --use-random --header-backup-file=/root/home.LUKS luksFormat /dev/sda4
# cryptsetup --verify-password luksAddKey /dev/sda4

In /etc/security/pam_mount.conf.xml, the following options are set:
<logout wait="2000" hup="no" term="yes" kill="yes" />

Changing this does not help, as pam_mount uses the "ofl" tool from the
"hxtools" package to TERMinate or KILL processes still using /home/user.
According to "man ofl", it can NOT differentiate between processes of different
users, effectively killing ALL processes still having anything open in /home.
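
The report turns on the point that the logout cleanup does not tell users apart. As an added illustration (not part of the original report, and not pam_mount or hxtools code), this Python example groups the processes that keep /home busy by owning UID, which is the check a logout step would need before unmounting a shared volume. All function names and the sample process table are constructed for the example.

```python
import os
import tempfile

def uid_of(pid_dir):
    """Real UID from the 'Uid:' line of <pid>/status."""
    with open(os.path.join(pid_dir, "status")) as fh:
        return next(int(l.split()[1]) for l in fh if l.startswith("Uid:"))

def links_of(pid_dir):
    """Targets of cwd and every open fd (memory maps are not inspected)."""
    names = ["cwd"] + ["fd/" + n for n in os.listdir(os.path.join(pid_dir, "fd"))]
    for name in names:
        try:
            yield os.readlink(os.path.join(pid_dir, name))
        except OSError:
            continue  # descriptor closed while we were looking

def holders_by_uid(mount_point, proc_root="/proc"):
    """Map uid -> sorted pids with cwd or an open fd under mount_point."""
    prefix = mount_point.rstrip("/") + "/"
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        pid_dir = os.path.join(proc_root, pid)
        try:
            if any((t + "/").startswith(prefix) for t in links_of(pid_dir)):
                found.setdefault(uid_of(pid_dir), []).append(int(pid))
        except (OSError, StopIteration):
            pass  # process exited, or unreadable because we are not root
    return {uid: sorted(pids) for uid, pids in found.items()}

def other_users_holding(mount_point, logout_uid, proc_root="/proc"):
    """Holders that do NOT belong to the user logging out; empty means
    nobody else would be affected by unmounting mount_point."""
    holders = holders_by_uid(mount_point, proc_root)
    return {u: p for u, p in holders.items() if u != logout_uid}

def build_sample_proc():
    """Constructed stand-in for /proc: pid -> (uid, cwd, open files)."""
    root = tempfile.mkdtemp()
    sample = {101: (1000, "/home/alice", ["/home/alice/report.odt"]),
              202: (1001, "/home/bob", []), 303: (0, "/home/alice/tmp", []),
              404: (1001, "/tmp", ["/homework/notes"])}  # 404 is outside /home
    for pid, (uid, cwd, files) in sample.items():
        base = os.path.join(root, str(pid))
        os.makedirs(os.path.join(base, "fd"))
        with open(os.path.join(base, "status"), "w") as fh:
            fh.write("Name:\tsample\nUid:\t%d\t%d\t%d\t%d\n" % ((uid,) * 4))
        links = [("cwd", cwd)] + [("fd/%d" % i, f) for i, f in enumerate(files)]
        for name, target in links:
            os.symlink(target, os.path.join(base, name))
    return root
```

In the constructed table, UID 1001 logging out still leaves UID 1000 and a root shell with files open under /home, the same situation the report describes for users A and B.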