Package: libpam-mount
Version: 2.14~git+d1d6f871-1
Severity: important
Tags: security
I have individually LUKS encrypted home dirs on my system which are
mounted at login via pammount, which however do not get sucessfully
unmounted on logout, leaving them readable for anybody else who logs in
afterwards and has sufficient permissions (which at least partially
defeats the purpose of having pam mounted encrypted home dirs.)
Often, when partions don't get pam unmounted on logout it is because
of processes (especially pulse audio) which aren't terminating,
leaving open file handles, which prevent the partion from being
unmounted. However, changing the "logout"-line in
/etc/security/pam_mount.conf.xml from:
<logout wait="0" hup="0" term="0" kill="0" />
to:
<logout wait="2000" hup="0" term="1" kill="1"/>
ensures that all processes are terminated, so this isn't the cause.
Turning on pam mount debugging in pam_mount.conf.xml (<debug
enable="2"/>) produces the following output when exiting:
josh@howlingfantods:~$ exit
exit
(pam_mount.c:692): received order to close things
(misc.c:39): Session close: (ruid/rgid=1000/1000, e=1000/1000)
command: 'pmvarrun' '-u' 'josh' '-o' '-1'
(misc.c:39): set_myuid<pre>: (ruid/rgid=1000/1000, e=1000/1000)
(spawn.c:129): error setting uid to 0
(pam_mount.c:441): pmvarrun says login count is 0
command: 'pmt-ofl' '-k15' '/home/josh'
command: 'pmt-ofl' '-k9' '/home/josh'
(mount.c:873): going to unmount
(mount.c:267): Mount info: globalconf, user=josh <volume fstype="crypt"
server="(null)"
path="/dev/disk/by-uuid/967e7b41-b9cc-48f0-94e8-c2c3eb2a4dd0"
mountpoint="/home/josh" cipher="(null)" fskeypath="(null)"
fskeycipher="(null)" fskeyhash="(null)" options="" /> fstab=0 ssh=0
command: 'pmt-ofl' '-k0' '/home/josh'
command: 'umount.crypt' '/home/josh'
(misc.c:39): set_myuid<pre>: (ruid/rgid=1000/1000, e=1000/1000)
(spawn.c:129): error setting uid to 0
(mount.c:72): umount messages:
(mount.c:76): umount: it seems /home/josh is mounted multiple times
(mount.c:76): umount /home/josh failed with run_sync status 3
(mount.c:876): unmount of
/dev/disk/by-uuid/967e7b41-b9cc-48f0-94e8-c2c3eb2a4dd0 failed
(pam_mount.c:729): pam_mount execution complete
(pam_mount.c:133): clean system authtok=0x8bd9748 (0)
(pam_mount.c:116): Clean global config (0)
I have contacted upstream (Jan Engelhardt, the maintainer of
libpam-mount), and he says that the problem is the "error setting uid
to 0", which he says is usually a /distribution/ problem (hence the
bug-report to debian), due to the authentication dropping it's
privileges too early:
On 04/01/2012 05:13 PM, Jan Engelhardt wrote:
> I suppose that because uid!=0, umount tries to do something overly
> smart rather than just go and umount the topmost dir as it always
> did.
>
> The program doing the authentication must not drop its privileges.
> In your case it does, which usually hints at a distribution bug.
> This is your root problem, and described in docs/bugs.txt.
>
After logging out, the only way to get the decrypted partion unmounted
is for root to do this by hand. I see this as a security risk because
users encrypting their home partions rely on their data not being
readable after they've logged out.
Although confusing to me, upstream indicated that the fact that the
home dir is mounted multiple times (see double mount below), is a
/Feature-Not-A-Bug/ (c) and apparently not part of the
problem. However, libpam-mount deletes the entry in /run/cmtab, even
though the decrypted mapped device is still mounted, which causes
umount.crypt to fail if called by hand to unmount the volume after
logout. To unmount by hand, you have to unmount the fs and then unmap
the device with cryptsetup luksClose device. This seems like an
upstream bug in libpam-mount to me.
-j
**************************double mount********************************
I'm adding this section (and added it to the subject) to document this
behaviour and the fact that upstream claims it's a
/Feature-Not-A-Bug/(c),because I long believed this to be a bug and part
of the problem, and in case anybody else searches for it.
On 04/01/2012 05:13 PM, Jan Engelhardt wrote:
> I suppose that because uid!=0, umount tries to do something overly
> smart rather than just go and umount the topmost dir as it always
> did.
>
> The program doing the authentication must not drop its privileges.
> In your case it does, which usually hints at a distribution bug.
> This is your root problem, and described in docs/bugs.txt.
>
pam-mount mounts the encrypted volumes twice, once as a decrypted dev
mapped device and then as an fs (this seems strange to me, and I don't
see the necessity, but upstream indicated that this is the correct
behaviour.), and after mounting there are two entries in mtab:
josh@howlingfantods:~$ df
Filesystem 1K-blocks Used Available Use% Mounted on
[irrelevant lines removed]
/dev/mapper/_dev_sda1 57690744 20807472 36297152 37% /home/josh
/dev/sda1 57690744 20807472 36297152 37% /home/josh
josh@howlingfantods:~$ cat /etc/mtab
[irrelevant lines removed]
/dev/mapper/_dev_sda1 /home/josh ext4 rw 0 0
/dev/sda1 /home/josh crypt rw 0 0
josh@howlingfantods:~$ cat /run/cmtab
/home/josh /dev/sda1 - /dev/mapper/_dev_sda1
After logout, only the fs gets unmounted, but the decrypted mapped
device remains mounted. df reports after logout:
/dev/mapper/_dev_sda1 57690744 20835284 36269340 37% /home/josh
The entry in /run/cmtab gets removed, however, so unmount.crypt fails
and you must do a regular unmount on /home/josh and then a cryptsetup
luksClose to de-map the decrypted partion.
-j
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 3.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=locale: Cannot set
LC_ALL to default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpam-mount depends on:
ii base-files 6.5
ii libc6 2.13-21
ii libcryptsetup4 2:1.4.1-2
ii libhx28 3.12.1-1
ii libmount1 2.20.1-1.2
ii libpam-runtime 1.1.3-6
ii libpam0g 1.1.3-6
ii libssl1.0.0 1.0.0g-1
ii libxml2 2.7.8.dfsg-5
ii mount 2.20.1-1.2
libpam-mount recommends no packages.
Versions of packages libpam-mount suggests:
pn cifs-utils <none>
pn davfs2 <none>
pn fuse-utils 2.8.6-2
pn lsof 4.81.dfsg.1-1
pn ncpfs <none>
pn openssl 1.0.0g-1
pn psmisc 22.15-2
pn sshfs <none>
pn tc-utils <none>
pn xfsprogs <none>
-- Configuration Files:
/etc/security/pam_mount.conf.xml changed:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->
<pam_mount>
<!-- debug should come before everything else,
since this file is still processed in a single pass
from top-to-bottom -->
<!-- <debug enable="0" /> -->
<debug enable="2" />
<!-- Volume definitions -->
<!-- pam_mount parameters: General tunables -->
<!--
<luserconf name=".pam_mount.conf.xml" />
-->
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions
allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<!-- <logout wait="0" hup="0" term="0" kill="0" /> -->
<!-- kill processes which prevent unmounting of home dirs on logout -->
<logout wait="2000" hup="0" term="1" kill="1"/>
<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />
<volume user="josh" mountpoint="/home/josh"
path="/dev/disk/by-uuid/967e7b41-b9cc-48f0-94e8-c2c3eb2a4dd0"
fstype="crypt" />
<volume user="heike" mountpoint="/home/heike"
path="/dev/disk/by-uuid/841e75d4-0856-412e-b77e-271342243395"
fstype="crypt" />
</pam_mount>
-- debconf-show failed
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
