control: tag -1 moreinfo
control: severity -1 normal

Hi Paul,

* Paul Leiber <[email protected]> [2026-03-03 13:07]:
> On a workstation PC running Debian Trixie, I have configured pam-mount so that
> it mounts some samba shares with user data at login. That is working well for a
> single user. However, I noticed that after logging out as a specific user A and
> then logging in as another user B, the mounts from user A still exist (and vice
> versa). This is of course not acceptable for several reasons (e.g. privacy,
> security).

This is not a privacy or security issue as other users can log in at the same time to see the mounts. Thus downgrading severity.

> I found some ancient bug reports [1] where pam was not able to use root rights
> and therefore couldn't unmount the volumes. I am pretty sure that this is not
> the case here, as the bug was fixed long ago and I don't see this specific log
> entry on my system.

Nit: reference missing.

> I found several bugs in the Debian pam-mount package describing unmount not
> happening, but with other symptoms. In one of the reports, changing the
> "logout" line in /etc/security/pam_mount.conf.xml from
> <logout wait="0" hup="0" term="0" kill="0" /> to
> <logout wait="2000" hup="0" term="1" kill="1"/> solved a similar issue. I
> changed this config line, but without a noticeable effect.

> What I noticed in the pam-mount logs while digging deeper was a line saying
> that "user A seems to have other remaining open sessions". I then checked the
> session tracker in /var/run/pam_mount/, and the numbers there don't seem to be
> correct. After the first login of user A to a desktop, the value stored in
> "/var/run/pam_mount/user A" is 0x1. After logging out, it is 0x2. With each new
> login, the number is increased by 1 after login and by 1 after logout.

> With help from the Debian user mailing list, I executed
> strace -f -s 10000 -e execve -p $(pidof login | tr ' ' ,) -o /tmp/strace_login
> before login and logout. It gives the following output:

For reference: https://lists.debian.org/debian-user/2026/03/msg00015.html

> For login:
>
> 9414 execve("/usr/sbin/pmvarrun", ["/usr/sbin/pmvarrun", "-u", "xxx"],
> 0x55ec223822c0 /* 11 vars */) = 0
>
> For logout:
>
> 9483 execve("/usr/sbin/pmvarrun", ["/usr/sbin/pmvarrun", "-u", "xxx"],
> 0x55ec223822c0 /* 17 vars */) = 0
>
> The results indicate that instead of decreasing the count at logout using
> arguments '-o' '-1', the count is increased by the default value. Thus, the
> session counter never reaches 0 and this prevents unmount.

I can't reproduce this. What I tried:

debvm-create -k ~/.ssh/id_ed25519.pub -r trixie -- \
 --hook-dir=/usr/share/mmdebstrap/hooks/useradd \
 --include=libpam-mount,libpam-mount-bin \
 --customize-hook='truncate -s100M $1/image.img; mkfs.ext4 $1/image.img; sed -i \'$ i <volume 
path="/image.img" mountpoint="/mnt" user="user" />\' 
$1/etc/security/pam_mount.conf.xml'

debvm-run -s 2222

In a new terminal: ssh -p 2222 user@localhost sleep 5

In the debvm-run terminal:

Debian GNU/Linux 13 testvm ttyS0

testvm login: root (automatic login)

pam_mount password:[    2.667557] RAPL PMU: API unit is 2^-32 Joules, 0 fixed 
counters, 10737418240 ms ovfl timer
[    2.690571] cryptd: max_cpu_qlen set to 1000
[    2.754126] AES CTR mode by8 optimization enabled

Linux testvm 6.12.73+deb13-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.73-1 
(2026-02-17) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@testvm:~# [    6.399162] loop: module loaded
[    6.400183] loop0: detected capacity change from 0 to 204800
[    6.405868] EXT4-fs (loop0): mounted filesystem 
622fd4f2-5408-4187-907c-a7244c13fd25 r/w with ordered data mode. Quota mode: 
none.

root@testvm:~# awk 1 /run/pam_mount/user  # while the user is logged in
0x1
root@testvm:~# [   14.870179] EXT4-fs (loop0): unmounting filesystem 
622fd4f2-5408-4187-907c-a7244c13fd25.

root@testvm:~# awk 1 /run/pam_mount/user  # after the logout
awk: cannot open "/run/pam_mount/user" (No such file or directory)

Also from the source code it is pretty clear that pmvarrun is run with -o -1. Can you please provide a reproducer?

Cheers Jochen
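As an added illustration for this thread (not code from the bug report, and not
pam_mount's own code): the script below models the session counter that the
report and the reproducer are arguing about, and adds the check a reader would
want to run against an strace log. toy_pmvarrun is a pure-shell stand-in for
pmvarrun's counter file (hex literal per user, file removed when the count hits
zero) so the "logout runs +1 instead of -1" hypothesis can be exercised without
PAM; pmvarrun_offsets scans an "strace -f -e execve" log and prints the -o value
of every pmvarrun execve, or "default" when -o is absent. It assumes counters
live in $PMVARRUN_DIR (a temp dir, never the real /run/pam_mount), that
pmvarrun's default offset is +1 when -o is omitted, and the sample strace lines
are constructed, not a real capture.

```sh
#!/bin/sh
# Added example, not from the bug report and not pam_mount's own code.
# Assumptions: counters live in $PMVARRUN_DIR (a temp dir, not the real
# /run/pam_mount) and pmvarrun's default offset is +1 when -o is omitted.

PMVARRUN_DIR=${PMVARRUN_DIR:-$(mktemp -d)}

# toy_pmvarrun USER [OFFSET]: mimic "pmvarrun -u USER -o OFFSET" and print
# the resulting session count in decimal.
toy_pmvarrun() {
    user=$1; offset=${2:-1}
    f="$PMVARRUN_DIR/$user"
    cur=0
    [ -f "$f" ] && cur=$(( $(cat "$f") ))   # tracker file holds e.g. 0x1
    new=$(( cur + offset ))
    [ "$new" -lt 0 ] && new=0
    if [ "$new" -eq 0 ]; then
        rm -f "$f"                           # zero sessions: no tracker file
    else
        printf '0x%x\n' "$new" > "$f"
    fi
    echo "$new"
}

# session_cycle USER LOGOUT_OFFSET: one login (+1) then one logout with the
# given offset; prints the count left behind. -1 is what a correct logout
# passes; 1 reproduces the reported symptom (0x2 after the first logout).
session_cycle() {
    toy_pmvarrun "$1" 1 >/dev/null
    toy_pmvarrun "$1" "$2"
}

# pmvarrun_offsets LOGFILE: print "PID OFFSET" for every pmvarrun execve,
# with OFFSET = default when the call carries no -o argument.
pmvarrun_offsets() {
    grep 'execve("/usr/sbin/pmvarrun"' "$1" | while IFS= read -r line; do
        pid=${line%% *}
        off=$(printf '%s\n' "$line" | sed -n 's/.*"-o", "\([^"]*\)".*/\1/p')
        echo "$pid ${off:-default}"
    done
}

# write_sample_log: constructed strace lines (not a real capture) in the
# shape quoted in the report, each on one line; the second line shows what
# a correct logout call looks like. Prints the path of the temp file.
write_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
9414 execve("/usr/sbin/pmvarrun", ["/usr/sbin/pmvarrun", "-u", "xxx"], 0x55ec223822c0 /* 11 vars */) = 0
9483 execve("/usr/sbin/pmvarrun", ["/usr/sbin/pmvarrun", "-u", "xxx", "-o", "-1"], 0x55ec223822c0 /* 17 vars */) = 0
EOF
    echo "$log"
}

if [ "${1:-}" = demo ]; then
    echo "logout without -o leaves count: $(session_cycle alice 1)"
    echo "logout with -o -1 leaves count: $(session_cycle bob -1)"
    pmvarrun_offsets "$(write_sample_log)"
fi
```

Run it as "sh script.sh demo". On a real system the same check is
pmvarrun_offsets /tmp/strace_login: a logout whose pmvarrun line reports
"default" is one that incremented the counter, which is exactly the state the
report describes (0x2 in /run/pam_mount/<user> after the first logout); the
reproducer above shows the expected behaviour instead, where the file is gone
once the last session ends.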
