Control: reassign -1 systemd
Control: retitle -1 systemd-user PAM config breaks some libpam-* modules
Control: tag -1 + patch

On 2014-12-26 18:51, Christian Kastner wrote:
> In my case, this is the result of an interaction between lightdm and
> systemd. According to my auth.log, the PAM stack is processed twice:
>
> 1. Through lightdm. This works as intended; pam_mount mounts all
>    applicable volumes, the internal login counter is increased, and
>    pam_mount reports successful completion of the "session" stage.
>
> 2. Via systemd. Right after lightdm reports completion, logind starts
>    a new session. Then, interestingly, pam_mount is executed again.
>    However, this time, it fails to process the volumes as it does
>    not have access to the user's password (pam_mount handles this
>    specially).
>    Nevertheless, pam_mount's internal login count is increased by
>    1, to 2.
>
> At logout, the internal login count is reduced by 1, to 1. pam_mount
> therefore believes there is still a session open, so it does not close
> the volume.
>
> The question is why the PAM stack is processed twice. Perhaps there is
> some way to inhibit the second invocation, although I am not familiar
> enough with systemd/logind to know what to change.

Thanks to grawity's help on IRC, who indicated that this second PAM session should be opened in the background, similar to cron, I noticed that the PAM configuration for systemd-user @includes common-session, whereas cron's configuration @included common-session-noninteractive.

Using common-session causes the breakage in libpam-mount quoted above, and I assume in other libpam-* modules as well (see e.g. #572292 when this was changed in cron).

Changing systemd-user's PAM config to use common-session-noninteractive resolves the above issue (and actually another, yet unreported, one in libpam-mount).

Please consider including the attached patch against git master if you think it is safe to do so.

Regards,
Christian

>From d25648a5a7d5586c4c861677fbc4f7bc4f876dd3 Mon Sep 17 00:00:00 2001 From: Christian Kastner <c...@kvr.at> Date: Sun, 28 Dec 2014 18:22:22 +0100 Subject: [PATCH] Use common-session-noninteractive in systemd-user's PAM configuration common-session can include PAM modules, for example libpam-mount, which expect to be called in an interactive manner, and cause all sorts of errors otherwise. --- debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch b/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch index 78c5e0c..2273480 100644 --- a/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch +++ b/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch @@ -19,6 +19,6 @@ index 7b57dbf..f87d560 100644 -account include system-auth -session include system-auth +@include common-account -+@include common-session ++@include common-session-noninteractive auth required pam_deny.so password required pam_deny.so -- 2.1.4
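
Review bot: The switch to `@include common-session-noninteractive` on the last changed line of the hunk removes every session module that is registered only in common-session, not just libpam-mount, and neither the commit message nor the inner patch says which modules those are. Please list what systemd-user stops running after this change and confirm that nothing the `systemd --user` session itself depends on is among them; if something is, it needs its own explicit `session` line next to the include. It would also help to mention this bug and #572292 in the description of Adjust-systemd-user-pam-config-file-for-Debian.patch, so the reason for using the noninteractive stack is recorded beside the line.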
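
The condition described in the message (a background service such as systemd-user pulling in the interactive session stack) can be checked by resolving each service's include chain. This is an added example, not part of the original message or of the systemd or Debian packaging; the sample PAM files are constructed, and the list of background services and the function names are assumptions.

```python
import re

# Constructed sample of /etc/pam.d contents (not copied from a real system).
SAMPLE_PAM_D = {
    "common-account": "account required pam_unix.so\n",
    "common-session": "session required pam_unix.so\nsession optional pam_mount.so\n",
    "common-session-noninteractive": "session required pam_unix.so\n",
    "lightdm": "@include common-account\n@include common-session\n",
    "cron": "@include common-account\n@include common-session-noninteractive\n",
    "systemd-user": "@include common-account\n@include common-session\n"
                    "auth required pam_deny.so\npassword required pam_deny.so\n",
}

# Assumption: services whose PAM session is opened in the background.
BACKGROUND_SERVICES = ("cron", "systemd-user")

INCLUDE_RE = re.compile(r"^@include\s+(\S+)")
SESSION_RE = re.compile(r"^-?session\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def session_modules(service, pam_d, _path=()):
    """Return the session-stage modules a service runs, following includes."""
    if service in _path or service not in pam_d:
        return []  # include loop, or file missing from the sample
    modules = []
    for raw in pam_d[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        inc = INCLUDE_RE.match(line)
        ses = SESSION_RE.match(line)
        if inc:
            modules += session_modules(inc.group(1), pam_d, _path + (service,))
        elif ses and ses.group(1) in ("include", "substack"):
            modules += session_modules(ses.group(2), pam_d, _path + (service,))
        elif ses:
            modules.append(ses.group(2))
    return modules


def interactive_only_leaks(pam_d, background=BACKGROUND_SERVICES):
    """Map background services to modules found only in common-session."""
    interactive_only = (set(session_modules("common-session", pam_d))
                        - set(session_modules("common-session-noninteractive", pam_d)))
    report = {}
    for svc in background:
        hits = [m for m in session_modules(svc, pam_d) if m in interactive_only]
        if hits:
            report[svc] = hits
    return report

print(interactive_only_leaks(SAMPLE_PAM_D))
```

To run it against a live system, build the dictionary from the files in /etc/pam.d instead of the constructed sample.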