Package: libpam-mount
Version: 2.0-1
Severity: normal
Using the new pam-auth-update method of enabling pam-mount, as recommended by
/usr/share/doc/libpam-mount/README.Debian.gz, pam_mount.so gets added to both
/etc/pam.d/common-auth and /etc/pam.d/common-session.
This seems reasonable; however, both of these are included in /etc/pam.d/su.
Therefore, when su is used to login as a user for which
/etc/security/pam-mount.conf.xml does not specify any action:
$ su guest -l
Password:
gu...@homunculus:~$ exit
logout
pam_mount(spawn.c:101): error setting uid to 0
pmvarrun(pmvarrun.c:453): could not unlink /var/run/pam_mount/guest: Permission denied
$
When su is used to login as a user for which a tmpfs volume should be mounted:
$ su kevmitch -l
Password:
$ exit
logout
pam_mount(spawn.c:101): error setting uid to 0
$
Finally, it seems that the mkmountpoint feature also does not work
correctly when using su. When su is used to login as a user for which a
tmpfs volume should be mounted on a directory that is nonexistent, but that the
user has the appropriate permissions to create:
$ su leila -l
Password:
le...@homunculus:~$ exit
logout
pam_mount(spawn.c:101): error setting uid to 0
pmvarrun(pmvarrun.c:453): could not unlink /var/run/pam_mount/leila: Permission denied
pam_mount(spawn.c:101): error setting uid to 0
pam_mount(mount.c:64): umount messages:
pam_mount(mount.c:68): umount: /home/leila/tmp is not in the fstab (and you are not root)
pam_mount(mount.c:705): unmount of none failed
$
This of course is not to mention the unavoidable problem that there will be
a password prompt when using su as root:
$ sudo su kevmitch -l
reenter password for pam_mount:
$ exit
logout
pam_mount(spawn.c:101): error setting uid to 0
$
It would seem prudent to do either or both of the following:
1) Somehow disable pam-mount from getting included in /etc/pam.d/su by default
2) Make pam-mount more su-aware if possible
Kevin
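To check the point above, that su reaches pam_mount.so only through the included common-auth and common-session files, here is an added POSIX sh helper; it is not part of the bug report or of the pam_mount project, and its function names and the pam.d files it runs on are my own constructed sample. It follows @include directives in a pam.d-style directory and lists the management groups in which a given service reaches a given module.

```shell
# pam_modules DIR SERVICE [DEPTH]: print "group module" for every module line
# that SERVICE's stack reaches, following @include recursively (depth-limited).
pam_modules() {
    [ "${3:-0}" -gt 8 ] && return 0          # guard against include loops
    [ -r "$1/$2" ] || return 0
    awk '
        { sub(/#.*/, "") }                    # drop comments
        NF == 0 { next }
        { sub(/^-/, "", $1) }                 # "-session" marks an optional module
        $1 == "@include" { print "@include", $2; next }
        {
            # the control field may be bracketed, e.g. [success=1 default=ignore]
            i = 2
            if ($2 ~ /^\[/) while (i <= NF && $i !~ /\]$/) i++
            if (i < NF) print $1, $(i + 1)
        }' "$1/$2" | while read -r group mod; do
        if [ "$group" = "@include" ]; then
            pam_modules "$1" "$mod" $(( ${3:-0} + 1 ))
        else
            printf '%s %s\n' "$group" "$mod"
        fi
    done
}

# pam_stacks_with DIR SERVICE MODULE: print the management groups (auth,
# session, ...) in which SERVICE reaches MODULE; exit 0 if any, 1 if none.
pam_stacks_with() {
    _hits=$(pam_modules "$1" "$2" | awk -v m="$3" '$2 == m { print $1 }' | sort -u | tr '\n' ' ')
    printf '%s\n' "${_hits% }"
    [ -n "$_hits" ]
}

# Constructed pam.d layout mirroring the report (sample files, not a real system):
# su includes common-auth and common-session, and pam-auth-update has put
# pam_mount.so into both of them.
make_sample_pamd() {
    _d=$(mktemp -d)
    printf 'auth\trequired\tpam_unix.so nullok_secure\nauth\toptional\tpam_mount.so\n' > "$_d/common-auth"
    printf 'session\trequired\tpam_unix.so\nsession\toptional\tpam_mount.so\n' > "$_d/common-session"
    printf 'auth\tsufficient\tpam_rootok.so\n@include common-auth\n@include common-session\n' > "$_d/su"
    printf '@include common-auth\n' > "$_d/sudo"
    printf '%s\n' "$_d"
}

# On a real Debian system, pass /etc/pam.d instead of the sample directory.
sample=$(make_sample_pamd)
printf 'su reaches pam_mount.so in: %s\n' "$(pam_stacks_with "$sample" su pam_mount.so)"
rm -rf "$sample"
```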
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (600, 'unstable'), (500, 'testing'), (400, 'stable'), (300, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.33.2003 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1) (ignored: LC_ALL set to en_GB)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpam-mount depends on:
ii libc6 2.10.2-7 Embedded GNU C Library: Shared lib
ii libcryptsetup1 2:1.1.0-2.1 libcryptsetup shared library
ii libhx22 3.4-1 A library providing queue, tree, I
ii libpam-runtime 1.1.1-3 Runtime support for the PAM librar
ii libpam0g 1.1.1-3 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8n-1 SSL shared libraries
ii libxml2 2.7.7.dfsg-2 GNOME XML library
ii mount 2.16.2-0 Tools for mounting and manipulatin
libpam-mount recommends no packages.
Versions of packages libpam-mount suggests:
pn davfs2 <none> (no description available)
ii fuse-utils 2.8.1-1.2 Filesystem in USErspace (utilities
ii lsof 4.81.dfsg.1-1 List open files
pn ncpfs <none> (no description available)
ii openssl 0.9.8n-1 Secure Socket Layer (SSL) binary a
ii psmisc 22.11-1 utilities that use the proc file s
ii smbfs 2:4.1-1 Common Internet File System utilit
ii sshfs 2.2-1 filesystem client based on SSH Fil
pn tc-utils <none> (no description available)
ii xfsprogs 3.1.1 Utilities for managing the XFS fil
-- Configuration Files:
/etc/security/pam_mount.conf.xml changed:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->
<pam_mount>
<!-- debug should come before everything else,
since this file is still processed in a single pass
from top-to-bottom -->
<debug enable="0" />
<volume sgrp="tmpfs" fstype="tmpfs" path="none" mountpoint="~/tmp"
options="size=2G,uid=%(USER),mode=0700" fskeyhash="md5"/>
<!-- Volume definitions -->
<!-- pam_mount parameters: General tunables -->
<!--
<luserconf name=".pam_mount.conf.xml" />
-->
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<logout wait="0" hup="0" term="0" kill="0" />
<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />
</pam_mount>
-- no debconf information