On Fri, 21 Feb 2014 03:31:06 -0500 Jeremy Salwen <jeremysal...@gmail.com> wrote:
> On a brand-new Debian installation, I modified
> /etc/security/pam_mount.conf.xml
> to automatically mount a LUKS-encrypted home partition when I logged in.
> However, when I tested this out, I found that it worked properly when I logged
> into the virtual terminal (CTRL ALT F1), but when I logged into xfce using
> lightdm, it would properly mount my home directory, but failed to unmount it
> when I logged out. This is a security issue, as it leaves encrypted drives
> vulnerable.
I'm seeing this, too. In my case, this is the result of an interaction between lightdm and systemd. According to my auth.log, the PAM stack is processed twice:

1. Through lightdm. This works as intended; pam_mount mounts all applicable volumes, the internal login counter is increased, and pam_mount reports successful completion of the "session" stage.

2. Via systemd. Right after lightdm reports completion, logind starts a new session. Then, interestingly, pam_mount is executed again. However, this time, it fails to process the volumes as it does not have access to the user's password (pam_mount handles this specially). Nevertheless, pam_mount's internal login count is increased by 1, to 2.

At logout, the internal login count is reduced by 1, to 1. pam_mount therefore believes there is still a session open, so it does not close the volume.

The question is why the PAM stack is processed twice. Perhaps there is some way to inhibit the second invocation, although I am not familiar enough with systemd/logind to know what to change.

auth.log snippets attached.
-- <lightdm> --
Dec 22 23:09:35 quuxhost lightdm: (pam_mount.c:365): pam_mount 2.14: entering auth stage
Dec 22 23:09:35 quuxhost lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Dec 22 23:09:35 quuxhost lightdm: pam_unix(lightdm:session): session opened for user foobar by (uid=0)
Dec 22 23:09:35 quuxhost lightdm: (pam_mount.c:568): pam_mount 2.14: entering session stage
[...] mount stuff as initiated by libpam-mount via lightdm [...]
Dec 22 23:09:36 quuxhost lightdm: command: 'pmvarrun' '-u' 'foobar' '-o' '1'
Dec 22 23:09:36 quuxhost lightdm: (pam_mount.c:441): pmvarrun says login count is 1
Dec 22 23:09:36 quuxhost lightdm: (pam_mount.c:660): done opening session (ret=0)
-- </lightdm> --

-- <systemd> --
Dec 22 23:09:36 quuxhost systemd-logind[710]: New session 4 of user foobar.
Dec 22 23:09:36 quuxhost systemd: pam_unix(systemd-user:session): session opened for user foobar by (uid=0)
Dec 22 23:09:36 quuxhost systemd: (pam_mount.c:568): pam_mount 2.14: entering session stage
[...] mount stuff repeated (see lightdm above), fails at various stages for various causes [...]
Dec 22 23:09:36 quuxhost systemd: (pam_mount.c:173): conv->conv(...): Conversation error
Dec 22 23:09:36 quuxhost systemd: (pam_mount.c:477): warning: could not obtain password interactively either
Dec 22 23:09:41 quuxhost systemd: command: 'pmvarrun' '-u' 'foobar' '-o' '1'
Dec 22 23:09:41 quuxhost systemd: (pam_mount.c:441): pmvarrun says login count is 2
Dec 22 23:09:41 quuxhost systemd: (pam_mount.c:660): done opening session (ret=0)
-- </systemd> --

-- <logout> --
Dec 22 23:10:18 quuxhost lightdm: pam_unix(lightdm:session): session closed for user foobar
Dec 22 23:10:18 quuxhost lightdm: (pam_mount.c:706): received order to close things
Dec 22 23:10:18 quuxhost lightdm: command: 'pmvarrun' '-u' 'foobar' '-o' '-1'
Dec 22 23:10:18 quuxhost lightdm: (pam_mount.c:441): pmvarrun says login count is 1
Dec 22 23:10:18 quuxhost lightdm: (pam_mount.c:735): foobar seems to have other remaining open sessions
Dec 22 23:10:18 quuxhost lightdm: (pam_mount.c:743): pam_mount execution complete
Dec 22 23:10:18 quuxhost lightdm: (pam_mount.c:116): Clean global config (0)
Dec 22 23:10:18 quuxhost lightdm: (pam_mount.c:133): clean system authtok=0x123456789123 (0)
-- </logout> --
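The double-counting described in the reply above is easy to miss in a busy auth.log, so here is an added Python checker for it. It is example code written for this page, not part of the thread, of pam_mount or of lightdm; the regexes, function names and the two sample logs (constructed to follow the format of the lines posted above) are my own assumptions about the log format. It pairs each pmvarrun command with the login count pam_mount reports next, and then flags three things: the same user's count being incremented by more than one PAM service, an increment made by a service that logged that it had no password (so it cannot have mounted anything), and a logout that leaves the count above zero (the volumes stay mounted).

```python
import re
from collections import defaultdict

# Syslog-style auth.log lines as pam_mount writes them (patterns assumed from
# the lines posted in the thread; service may carry a [pid] suffix).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<svc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
CMD_RE = re.compile(r"command: 'pmvarrun' '-u' '(?P<user>[^']+)' '-o' '(?P<delta>-?\d+)'")
COUNT_RE = re.compile(r"pmvarrun says login count is (?P<count>\d+)")
NOPASS_RE = re.compile(r"could not obtain password")

# Constructed sample: lightdm and systemd both run the session stage (as in
# the thread), and the logout leaves the counter at 1.
SAMPLE_LOG = """\
Dec 22 23:09:35 quuxhost lightdm: (pam_mount.c:568): pam_mount 2.14: entering session stage
Dec 22 23:09:36 quuxhost lightdm: command: 'pmvarrun' '-u' 'foobar' '-o' '1'
Dec 22 23:09:36 quuxhost lightdm: (pam_mount.c:441): pmvarrun says login count is 1
Dec 22 23:09:36 quuxhost systemd-logind[710]: New session 4 of user foobar.
Dec 22 23:09:36 quuxhost systemd: (pam_mount.c:568): pam_mount 2.14: entering session stage
Dec 22 23:09:36 quuxhost systemd: (pam_mount.c:477): warning: could not obtain password interactively either
Dec 22 23:09:41 quuxhost systemd: command: 'pmvarrun' '-u' 'foobar' '-o' '1'
Dec 22 23:09:41 quuxhost systemd: (pam_mount.c:441): pmvarrun says login count is 2
Dec 22 23:10:18 quuxhost lightdm: (pam_mount.c:706): received order to close things
Dec 22 23:10:18 quuxhost lightdm: command: 'pmvarrun' '-u' 'foobar' '-o' '-1'
Dec 22 23:10:18 quuxhost lightdm: (pam_mount.c:441): pmvarrun says login count is 1
Dec 22 23:10:18 quuxhost lightdm: (pam_mount.c:735): foobar seems to have other remaining open sessions
"""

# Constructed sample of the working virtual-terminal case: one service, and
# the counter returns to 0 at logout.
HEALTHY_LOG = """\
Dec 22 23:09:36 quuxhost login: command: 'pmvarrun' '-u' 'foobar' '-o' '1'
Dec 22 23:09:36 quuxhost login: (pam_mount.c:441): pmvarrun says login count is 1
Dec 22 23:10:18 quuxhost login: command: 'pmvarrun' '-u' 'foobar' '-o' '-1'
Dec 22 23:10:18 quuxhost login: (pam_mount.c:441): pmvarrun says login count is 0
"""


def parse_pmvarrun_events(log_text):
    """One (ts, service, user, delta, count) tuple per pmvarrun call.

    The pmvarrun command line names the user and the +1/-1 delta; the next
    'login count is N' line from the same PAM service gives the result.
    """
    pending = {}  # service -> (user, delta) waiting for its count line
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        svc, msg = m["svc"], m["msg"]
        cmd = CMD_RE.search(msg)
        if cmd:
            pending[svc] = (cmd["user"], int(cmd["delta"]))
            continue
        cnt = COUNT_RE.search(msg)
        if cnt and svc in pending:
            user, delta = pending.pop(svc)
            events.append((m["ts"], svc, user, delta, int(cnt["count"])))
    return events


def services_without_password(log_text):
    """PAM services whose pam_mount run had no password to work with."""
    svcs = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and NOPASS_RE.search(m["msg"]):
            svcs.add(m["svc"])
    return svcs


def audit(log_text):
    """Return {user: [finding, ...]} for login-count anomalies in log_text."""
    nopass = services_without_password(log_text)
    by_user = defaultdict(list)
    for ev in parse_pmvarrun_events(log_text):
        by_user[ev[2]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        notes = []
        # More than one service incremented the count: session stage run twice.
        incr = sorted({svc for _, svc, _, delta, _ in evs if delta > 0})
        if len(incr) > 1:
            notes.append("session stage counted by more than one PAM service: "
                         + ", ".join(incr))
        # A service that had no password mounted nothing but still counted.
        for svc in incr:
            if svc in nopass:
                notes.append(f"{svc} incremented the login count without the user's password")
        # Final event is a logout that left the count > 0: volumes stay open.
        ts, svc, _, delta, count = evs[-1]
        if delta < 0 and count > 0:
            notes.append(f"logout at {ts} via {svc} left login count at {count}; "
                         "encrypted volumes remain mounted")
        if notes:
            findings[user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit(SAMPLE_LOG).items():
        print(user, "->", "; ".join(notes))
```

Run it against a real log with `audit(open("/var/log/auth.log").read())`; an empty result on a machine that mounts via pam_mount means every logout brought the counter back to zero, which is the state the original reporter expected.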