I use pam_mount to decrypt (gocryptfs) and mount my home directory:

```
# /etc/pam.d/system-login excerpt
# ...
session [success=2 default=ignore] pam_exec.so quiet /usr/bin/mountpoint -q "/home/$PAM_USER"
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
session optional pam_mount.so
# ...
```

```xml
<!-- /etc/security/pam_mount.conf.xml excerpt -->
<!-- ...defaults... -->
<!-- Encrypted home -->
<volume user="%(USER)" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"
        path="/usr/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
</pam_mount>
```

This works well for a single tty. The problem is that if I open another, though my pam_exec line prevents it from trying to re-mount, when I exit that second tty it still unmounts. (Worse, it doesn't even unmount correctly, leaving 'transport endpoint is not connected', and I have to manually fusermount -uz "$HOME". I tried adding <fuseumount>fusermount -uz %(MNTPT)</fuseumount> to the config, but no change.)

How can I prevent pam_mount from unmounting until the last session exits? (If tty1 that created the mount exited before tty2, I would want it to be kept mounted for tty2 even though it skipped mounting it itself.)


In fact, with <debug enable="1" /> it logs:

```
May 03 15:19:39 hostname login[6607]: (pam_mount.c:441): pmvarrun says login count is 1
May 03 15:19:39 hostname login[6607]: (pam_mount.c:734): username seems to have other remaining open sessions
May 03 15:19:39 hostname login[6607]: (pam_mount.c:743): pam_mount execution complete
```

but then the next thing is everything complaining that 'transport endpoint is not connected', and sure enough I have no home dir in the first tty.

I've also noticed if I then fusermount -uz $HOME, it actually ends up mounted, as if pam_mount for the first login session (in which I manually unmount it to fix the error, expecting to have to manually mount it again) is automatically re-mounting it?

1 Answer

pam_mount has built-in detection of this and already tries to handle it appropriately. The problem seems to be a bug in the 'already mounted' detection that means it does not work for FUSE filesystems, or those mounted from a server="...".


I have it working with the following patch:

diff --git a/src/mount.c b/src/mount.c index 75c0a39..781ccd0 100644 --- a/src/mount.c +++ b/src/mount.c @@ -127,10 +127,19 @@ static bool pmt_utabent_matches(const struct vol *vpt, struct libmnt_fs *fs) bool result = false; xcmp = fstype2_icase(vpt->type) ? strcasecmp : strcmp; - if (source != NULL) - result = xcmp(vpt->combopath, source) == 0; + if (source != NULL) { + if (strcmp(vpt->fstype, "fuse") != 0) + result = xcmp(vpt->combopath, source) == 0; + else { + size_t len_combopath = strlen(vpt->combopath); + size_t len_source = strlen(source); + result = xcmp(vpt->combopath + len_combopath - len_source, source) == 0; + } + } + if (target != NULL) result &= strcmp(vpt->mountpoint, target) == 0; + return result; } 
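Review bot: in the new `else` branch for `fuse`, `vpt->combopath + len_combopath - len_source` is formed without first checking that `len_source <= len_combopath`; when the utab source is longer than combopath the pointer lands before the start of the buffer and `xcmp` reads out of bounds. Guard it, e.g. `result = len_source <= len_combopath && xcmp(vpt->combopath + len_combopath - len_source, source) == 0;`. The suffix test is also looser than needed: any source that happens to end combopath (a bare `cipher`, say) matches, so comparing against the text after the `#` in combopath would be more precise; the `target` comparison narrows this, but only when `target` is non-NULL.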

applied and then:

```
$ ./autogen.sh
$ ./configure
$ make
$ cp src/.libs/pam_mount.so /usr/lib/security/pam_mount_patched.so
```

and then with pam_mount_patched.so instead of pam_mount.so where applicable in my PAM configuration, for the time being. (Not overwriting the original just for ease of testing/reverting, and checking upstream's when a new version's available.)
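The 'already mounted' comparison the answer describes, as an added C example that is not pam_mount's code: it mirrors the patched matching step, but compares the utab source against the part of combopath after the `#` (assuming the FUSE program registers the cipher directory as fsname, as gocryptfs does by default) and bounds-checks the suffix variant so a source longer than combopath cannot read before the buffer. Function names and the sample paths are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not pam_mount's code. For a FUSE volume pam_mount's
 * combopath is "<program>#<fsname>" while utab records only the fsname
 * as the source, so an exact comparison never matches. Compare against
 * the text after the last '#' instead of a blind suffix. */
bool fuse_source_matches(const char *combopath, const char *source)
{
    const char *hash = strrchr(combopath, '#');
    const char *fsname = (hash != NULL) ? hash + 1 : combopath;
    return strcmp(fsname, source) == 0;
}

/* Bounds-checked form of the suffix comparison used by the patch: a
 * source longer than combopath must fail instead of moving the pointer
 * before the start of the buffer. Note it still accepts any source that
 * happens to end combopath, e.g. "cipher". */
bool suffix_matches(const char *combopath, const char *source)
{
    size_t len_combopath = strlen(combopath);
    size_t len_source = strlen(source);
    if (len_source > len_combopath)
        return false;
    return strcmp(combopath + len_combopath - len_source, source) == 0;
}

/* Mirror of pmt_utabent_matches() for a FUSE volume: the source and the
 * mount point must both agree before the volume counts as mounted, so a
 * different cipher dir mounted on the same path is not mistaken for it.
 * source/target may be NULL, as libmount can return them. */
bool fuse_utabent_matches(const char *combopath, const char *mountpoint,
                          const char *source, const char *target)
{
    bool result = false;
    if (source != NULL)
        result = fuse_source_matches(combopath, source);
    if (target != NULL)
        result &= strcmp(mountpoint, target) == 0;
    return result;
}
```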
