Package: libpam-mount
Version: 2.14-1
Severity: important

Dear Maintainer,

On a brand-new Debian installation, I modified /etc/security/pam_mount.conf.xml to automatically mount a LUKS-encrypted home partition when I logged in. However, when I tested this out, I found that it worked properly when I logged into the virtual terminal (CTRL ALT F1), but when I logged into xfce using lightdm, it would properly mount my home directory, but failed to unmount it when I logged out. This is a security issue, as it leaves encrypted drives vulnerable.

The /var/log/auth log indicates that it still thinks I have an open session when I log out. Here is the relevant section:

Feb 21 01:48:47 jeremy-laptop lightdm: pam_unix(lightdm:session): session closed for user jeremy
Feb 21 01:48:47 jeremy-laptop lightdm: (pam_mount.c:706): received order to close things
Feb 21 01:48:47 jeremy-laptop lightdm: command: 'pmvarrun' '-u' 'jeremy' '-o' '-1'
Feb 21 01:48:47 jeremy-laptop lightdm: (pam_mount.c:441): pmvarrun says login count is 1
Feb 21 01:48:47 jeremy-laptop lightdm: (pam_mount.c:735): jeremy seems to have other remaining open sessions
Feb 21 01:48:47 jeremy-laptop lightdm: (pam_mount.c:743): pam_mount execution complete
Feb 21 01:48:47 jeremy-laptop lightdm: (pam_mount.c:116): Clean global config (0)
Feb 21 01:48:47 jeremy-laptop lightdm: (pam_mount.c:133): clean system authtok=0x7fda75bba760 (0)
Feb 21 01:48:47 jeremy-laptop polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session6 (system bus name :1.40, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.utf8) (disconnected from bus)

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-mount depends on:
ii  base-files      7.2
ii  libc6           2.17-97
ii  libcryptsetup4  2:1.6.1-1
ii  libhx28         3.18-1
ii  libmount1       2.20.1-5.6
ii  libpam-runtime  1.1.8-2
ii  libpam0g        1.1.8-2
ii  libpcre3        1:8.31-2
ii  libssl1.0.0     1.0.1f-1
ii  libxml2         2.9.1+dfsg1-3
ii  mount           2.20.1-5.6

libpam-mount recommends no packages.

Versions of packages libpam-mount suggests:
pn  cifs-utils  <none>
pn  davfs2      <none>
ii  fuse        2.9.2-4
ii  lsof        4.86+dfsg-1
pn  ncpfs       <none>
ii  openssl     1.0.1f-1
ii  psmisc      22.20-1
pn  sshfs       <none>
pn  tc-utils    <none>
pn  xfsprogs    <none>

-- Configuration Files:
/etc/security/pam_mount.conf.xml changed:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->
<pam_mount>
		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->
<debug enable="2" />
		<!-- Volume definitions -->
<volume user="jeremy" fstype="auto" path="/dev/disk/by-uuid/fc77339f-a9b8-4048-a93e-ff9d7f9b7440" mountpoint="/home" options="fsck,noatime" />
		<!-- pam_mount parameters: General tunables -->
<!--
<luserconf name=".pam_mount.conf.xml" />
-->
<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<logout wait="2000" hup="0" term="1" kill="1" />
		<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />
</pam_mount>

-- no debconf information
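
A log check for the symptom described in the report, as an added example that is not part of the original bug report or of pam_mount: it scans auth.log text for session-close sequences in which pam_mount reports remaining open sessions and therefore leaves the volume mounted. The function name and the second, shortened log sample are constructed for illustration; the message formats are taken from the debug lines quoted in the report (debug enable="2").

```python
import re

# syslog prefix: timestamp, host, service (optional [pid]), then the message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) ([^:\[\s]+)(?:\[\d+\])?: (.*)$")
PM = re.compile(r"^\(pam_mount\.c:\d+\): (.*)$")  # pam_mount debug message
COUNT = re.compile(r"^pmvarrun says login count is (-?\d+)$")
REMAIN = re.compile(r"^(\S+) seems to have other remaining open sessions$")

# pam_mount lines copied from the auth log quoted in the report.
REPORT_LOG = """\
Feb 21 01:48:47 jeremy-laptop lightdm: (pam_mount.c:706): received order to close things
Feb 21 01:48:47 jeremy-laptop lightdm: command: 'pmvarrun' '-u' 'jeremy' '-o' '-1'
Feb 21 01:48:47 jeremy-laptop lightdm: (pam_mount.c:441): pmvarrun says login count is 1
Feb 21 01:48:47 jeremy-laptop lightdm: (pam_mount.c:735): jeremy seems to have other remaining open sessions
Feb 21 01:48:47 jeremy-laptop lightdm: (pam_mount.c:743): pam_mount execution complete
"""
# Constructed, shortened sample of a close where the count reaches 0 (assumption).
CLEAN_LOG = """\
Feb 21 02:10:03 example-host login: (pam_mount.c:706): received order to close things
Feb 21 02:10:03 example-host login: (pam_mount.c:441): pmvarrun says login count is 0
Feb 21 02:10:03 example-host login: (pam_mount.c:743): pam_mount execution complete
"""

def skipped_unmounts(log_text):
    """Return (time, host, service, user, login_count) for each session close
    in which pam_mount reported remaining sessions and did not unmount."""
    open_blocks = {}  # (host, service) -> close sequence currently in progress
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        pm = PM.match(m.group(4)) if m else None
        if not pm:
            continue  # not a pam_mount debug line
        when, host, service = m.group(1, 2, 3)
        text, key = pm.group(1), (host, service)
        if text == "received order to close things":
            open_blocks[key] = {"count": None, "user": None}
        elif key in open_blocks:
            block = open_blocks[key]
            if (c := COUNT.match(text)):
                block["count"] = int(c.group(1))
            elif (r := REMAIN.match(text)):
                block["user"] = r.group(1)
            elif text == "pam_mount execution complete":
                if block["user"] is not None:
                    findings.append((when, host, service, block["user"], block["count"]))
                del open_blocks[key]
    return findings

if __name__ == "__main__":
    for finding in skipped_unmounts(REPORT_LOG + CLEAN_LOG):
        print("unmount skipped at session close:", finding)
```

A finding for a display-manager service with a login count of 1 after the user's only session has closed matches the situation in this report; confirm with the mount table on the host before treating the volume as exposed.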