Hi, a long time ago you opened a bug in the Debian package libpam-mount. Recently I took over maintenance of this package and added a patch to address this. You can find the new version in Debian experimental, would be great if you could try it and report back if it fixes your problem. If no one reports an error in it, I will upload the package to unstable and close this in a month.
Cheers Jochen * Trent W. Buck <trentb...@gmail.com> [2015-09-22 16:08]:
Package: libpam-mount
Version: 2.14-1.1
Severity: minor
1. libpam_mount considers something "already mounted" if it can find a
mount in libmount's iterator where both the source (device) and
target (mountpoint) match.
This is the code responsible:
libpam-mount/src/mount.c:149:pmt_already_mounted()
libpam-mount/src/mount.c:125:pmt_utabent_matches()
THE PROBLEM
====================
2. If pam_mount.conf.xml has
<volume fstype="nfs" server="nfs" path="~" mountpoint="~" options="...">
then "already mounted?" fails because it compares nfs:/home/prisoners/p to
/home/prisoners/p. I think.
command: 'mount' '-onfsvers=3,intr,bg,nodev,noexec,nosuid' '-tnfs'
'nfs:/home/prisoners/p' '/home/prisoners/p'
(mount.c:72): Messages from underlying mount program:
(mount.c:76): mount.nfs: access denied by server while mounting (null)
The odd error from mount.nfs is because nfs:/home is root_squash and user
nobody can't read it:
# mkdir x y
# mount -tnfs nfs:/home x
# mount -tnfs nfs:/home x
mount.nfs: /root/x is busy or already mounted
# mount -tnfs nfs:/home/prisoners/p y
# mount -tnfs nfs:/home/prisoners/p y
mount.nfs: access denied by server while mounting (null)
# ls -ld x y
drwxr-x--x 8 root root 1024 Nov 12 2014 x
drwx------ 13 p p 4096 Sep 22 12:35 y
# ls -ld x/prisoners
drwxr-x--x 24 root root 1024 Sep 21 17:09 x/prisoners
WORKAROUNDS DON'T WORK
==============================
3. If pam_mount.conf.xml has
<volume fstype="nfs" path="nfs:~" mountpoint="~" options="...">
then mounting fails because the nfs:~ is not expanded.
command: 'mount' '-onfsvers=3,intr,bg,nodev,noexec,nosuid' '-tnfs' 'nfs:~'
'/home/prisoners/p'
(mount.c:72): Messages from underlying mount program:
(mount.c:76): mount.nfs: access denied by server while mounting nfs:~
4. If pam_mount.conf.xml has
<volume fstype="nfs" path="nfs:/home/prisoners/p" mountpoint="~"
options="...">
then mounting & detection both work:
(mount.c:628): nfs:/home/prisoners/p already seems to be mounted at
/home/prisoners/p, skipping
...but now I have to list every user's login individually, which is not
feasible.
5. If pam_mount.conf.xml has
<volume fstype="nfs" path="nfs:/home/prisoners/%(USER)" mountpoint="~"
options="...">
the source is wrong path for staff users.
Constructing $HOME from $USER also fails for setups like
~ajking2 ==> /home/students/a/j/ajking2/
which used to be common in large universities.
I could probably get away with this, but it feels awful:
<volume group="prisoners" fstype="nfs" path="nfs:/home/prisoners/%(USER)" mountpoint="~"
options="...">
<volume group="staff" fstype="nfs" path="nfs:/home/staff/%(USER)" mountpoint="~"
options="...">
IMPACT
====================
This is not an immediate problem for me,
because the duplicate mount fails & the login succeeds.
But! If the *first* mount fails (e.g. when NFS is down),
the user get a working login with $HOME on the local root filesystem.
If I fix that by making PAM abort when the mount fails,
the problem in pmt_utabent_matches() will break the user's second
concurrent login (e.g. GUI desktop + ssh).
I'm too dumb to see exactly how to patch this,
but I hope it's a one-line change. :-)
POSTSCRIPT
====================
I pulled out pmt_already_mounted() into the following stand-alone script,
to confirm that libmount could see the mountpoint:
bash4$ cat mount-test.c
/* #!/usr/bin/tcc -run -I/usr/include/libmount -I/usr/include/blkid
-I/usr/include/uuid -lmount */
/* bash4$ pkg-config --cflags --libs mount */
/* -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -lmount
*/
#include <libmount.h>
main()
{
struct libmnt_context *ctx;
struct libmnt_table *table;
struct libmnt_iter *iter;
struct libmnt_fs *fs;
const char *source, *target;
ctx = mnt_new_context();
if (ctx == NULL)
return -1;
if (mnt_context_get_mtab(ctx, &table) != 0)
goto out;
iter = mnt_new_iter(MNT_ITER_BACKWARD);
if (iter == NULL)
goto out;
while (mnt_table_next_fs(table, iter, &fs) == 0)
{
source = mnt_fs_get_source(fs);
target = mnt_fs_get_target(fs);
printf("source<%s> target<%s>\n",
source ?: "NULL",
target ?: "NULL");
}
out:
mnt_free_context(ctx);
return 0;
}
bash4$ cc mount-test.c $(pkg-config --cflags --libs mount)
bash4$ cat a.out | ssh x 'cat >a.out && chmod +x a.out && ./a.out'
Warning: Permanently added 'het' (ECDSA) to the list of known hosts.
source<tmpfs> target</run/user/10242>
source<nfs:/home/prisoners/p> target</home/prisoners/p>
source<tmpfs> target</run/user/0>
source<nfs:/srv/share> target</srv/share>
source<tmpfs> target</lib/live/mount>
source<tmpfs> target</tmp>
source<tmpfs> target</var/tmp>
source<pstore> target</sys/fs/pstore>
source<cgroup> target</sys/fs/cgroup/systemd>
source<tmpfs> target</sys/fs/cgroup>
source<tmpfs> target</run/lock>
source<devpts> target</dev/pts>
source<tmpfs> target</dev/shm>
source<securityfs> target</sys/kernel/security>
source<devtmpfs> target</dev>
source<aufs> target</>
source<tmpfs> target</lib/live/mount/overlay>
source</dev/loop0> target</lib/live/mount/rootfs/filesystem.squashfs>
source<10.128.0.1:/srv/netboot/images> target</lib/live/mount/medium>
source<tmpfs> target</run>
source<proc> target</proc>
source<sysfs> target</sys>
The full pam_mount.conf.xml I used for these tests was:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="1" />
<volume fstype="nfs"
server="nfs"
path="~"
mountpoint="~"
options="nfsvers=3,intr,bg,nodev,noexec,nosuid">
<uid>1000-29999</uid>
</volume>
<mkmountpoint enable="1" remove="false" />
</pam_mount>
signature.asc
Description: PGP signature
