#42 pam_mount in a multi-user session

pam-mount
open-accepted
pam-mount (40)
5
2010-12-02
2010-11-22
mutetella
No

Hello,

Please excuse my bad English...

I tried many things, read the man pages, googled...

Here's my problem:

When I log in, pam_mount decrypts the LUKS partition '/dev/sda2' and mounts it at '/mnt/sippe'. So far so good.
When another user logs in, pam_mount doesn't decrypt the LUKS partition '/dev/sda2' and doesn't mount it to '/mnt/sippe'. That's right, because the LUKS partition is already decrypted and mounted.
Now the second user logs out, and pam_mount unmounts '/mnt/sippe' and decrypts '/dev/sda2' via umount.crypt.
As a result, the mounted and decrypted '/dev/sda2' is no longer available for me either.

What can I do so that pam_mount doesn't call umount.crypt while another session is still running?

Here's my pam_mount.conf.xml:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->

<pam_mount>

<debug enable="1" />
<!-- Volume definitions -->
<volume
  sgrp="sippe"
  fstype="crypt"
  path="/dev/sda2"
  mountpoint="/mnt/sippe"
/>

<!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>

<logout wait="0" hup="0" term="0" kill="0" />

<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

</pam_mount>

Thanks a lot for your help!
mutetella

Discussion

  • Jan Engelhardt

    Jan Engelhardt - 2010-12-02
    • status: open --> open-accepted
     
  • Jan Engelhardt

    Jan Engelhardt - 2010-12-02

    Unfortunately, this is how pam_mount currently works — it was assumed that each user's volume is not shared with other users :-/
    Needs improvement.

     
  • mutetella

    mutetella - 2010-12-02

    Ok, good to know! I thought I was just too dumb.

    As an interim solution I made this (inspired by pmvarrun):

    Script to open and mount my LUKS-partition, saved as /etc/security/pam_mount.open.sh:

    #!/bin/bash
    # Arguments: device, mapper name, mount point, user (see the cryptmount line below)
    CRYPTDEVICE=$1
    CRYPTNAME=$2
    MAPPER=/dev/mapper/$2
    MOUNTPOINT=$3
    REALUSER=$4
    # One directory per volume, one marker file per logged-in user
    VARRUN=/var/run/pam_mount/$2
    counter=0
    if [ -d "$VARRUN" ]; then
        counter="$(ls "$VARRUN" | wc -l)"
    else
        mkdir -p "$VARRUN"
    fi
    # Only the first session opens the LUKS volume and mounts it
    if [ "$counter" -eq 0 ]; then
        echo "Open $CRYPTNAME, mount at $MOUNTPOINT"
        cryptsetup luksOpen "$CRYPTDEVICE" "$CRYPTNAME"
        mount -t ext4 "$MAPPER" "$MOUNTPOINT" -o sync
    else
        echo "$CRYPTNAME is already mounted at $MOUNTPOINT"
    fi
    # Record this user as a session that uses the volume
    touch "$VARRUN/$REALUSER"

    Script to unmount and close, saved as /etc/security/pam_mount.close.sh:

    #!/bin/bash
    # Arguments: mount point, mapper name, user (see the cryptumount line below)
    MOUNTPOINT=$1
    CRYPTNAME=$2
    REALUSER=$3
    VARRUN=/var/run/pam_mount/$2
    # Drop this user's marker, then check whether any session is left
    rm -f "$VARRUN/$REALUSER"
    counter="$(ls "$VARRUN" | wc -l)"
    if [ "$counter" -eq 0 ]; then
        echo "Unmount $MOUNTPOINT, close $CRYPTNAME"
        umount "$MOUNTPOINT"
        cryptsetup luksClose "$CRYPTNAME"
        exit 0
    else
        echo "Not unmounting $MOUNTPOINT or closing $CRYPTNAME because other sessions are using it!"
    fi

    Append this to /etc/security/pam_mount.conf.xml:

    <cryptmount>/etc/security/pam_mount.open.sh %(VOLUME) sippe %(MNTPT) %(USER) </cryptmount>
    <cryptumount>/etc/security/pam_mount.close.sh %(MNTPT) sippe %(USER) </cryptumount>

    The literal 'sippe' is the same as given to sgrp; unfortunately I can't find the name of the variable for it, like 'MNTPT' or 'USER' ...

    Can I get problems with this workaround? It works fine, but I'm not sure whether I'll get into trouble with it.
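One risk in the workaround above is that the count-then-act steps (list the marker directory, then open or close) are not serialised: two sessions logging in or out at the same moment can both read a count of zero, and a logout can close the volume underneath a login that has just started. The following is an added example, not pam_mount's code or the poster's, that keeps the same marker-directory scheme but runs every check-then-act step under flock(1) from util-linux and creates a user's marker only after a successful open; the PAM_MOUNT_STATEDIR override of /var/run/pam_mount is a hypothetical knob added for testing.

```shell
#!/bin/bash
# Added example (not pam_mount's code): the per-user marker scheme of the
# workaround above, one directory per mapper name and one file per logged-in
# user, with every check-then-act step serialised by flock(1) so that two
# sessions logging in or out at the same moment cannot both open the volume,
# or close it underneath a session that just logged in. Assumes util-linux
# flock(1); the PAM_MOUNT_STATEDIR override of /var/run/pam_mount is hypothetical.
STATEDIR=${PAM_MOUNT_STATEDIR:-/var/run/pam_mount}
# with_lock NAME CMD [ARGS...]: run CMD while holding $STATEDIR/NAME.lock
with_lock() {
    local name="$1"; shift
    mkdir -p "$STATEDIR"
    ( flock -w 10 9 || exit 75; "$@" ) 9>"$STATEDIR/$name.lock"
}
# count_sessions NAME: number of user marker files under $STATEDIR/NAME
count_sessions() {
    local dir="$STATEDIR/$1" n=0 f
    for f in "$dir"/*; do [ -e "$f" ] && n=$((n + 1)); done
    echo "$n"
}
# _acquire NAME USER OPEN_CMD...: the first session runs OPEN_CMD, later ones
# only add their marker; a failed open leaves no marker behind.
_acquire() {
    local name="$1" user="$2"; shift 2
    mkdir -p "$STATEDIR/$name"
    if [ "$(count_sessions "$name")" -eq 0 ]; then
        "$@" || return 2
        echo opened
    else
        echo already-open
    fi
    touch "$STATEDIR/$name/$user"
}
# _release NAME USER CLOSE_CMD...: drop USER's marker; the last one out closes.
_release() {
    local name="$1" user="$2"; shift 2
    rm -f "$STATEDIR/$name/$user"
    if [ "$(count_sessions "$name")" -eq 0 ]; then
        "$@" || return 2
        echo closed
    else
        echo in-use
    fi
}
volume_acquire() { with_lock "$1" _acquire "$@"; }   # NAME USER OPEN_CMD...
volume_release() { with_lock "$1" _release "$@"; }   # NAME USER CLOSE_CMD...
# Open/close commands for the volume in this ticket; the cryptmount hook would
# run e.g.: volume_acquire sippe "$USER" open_luks /dev/sda2 sippe /mnt/sippe
open_luks()  { cryptsetup luksOpen "$1" "$2" && mount -t ext4 "/dev/mapper/$2" "$3" -o sync; }
close_luks() { umount "$1" && cryptsetup luksClose "$2"; }
```

The marker directory lives under /var/run, which is cleared at boot on most systems, so markers from crashed sessions do not survive a reboot; stale markers within one boot still have to be cleaned up by hand, exactly as with the scripts above.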

     
