pam_mount unable to unmount needs root priv
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
PAM | In Progress | Unknown | |
Debian | Fix Released | Unknown | |
libpam-mount (Ubuntu) | Confirmed | Medium | Unassigned |
openssh (Ubuntu) | Fix Released | Undecided | Unassigned |
shadow (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: libpam-mount
From pam_mount developer Jan Engelhardt on the SourceForge mailing list:
"pam_mount *needs* the root privileges, but Ubuntu's PAM configuration
decided to throw them away after the login sequence completed."
From Ubuntu Feisty Fawn user Kalisto:
"When using loopback encrypted file systems this is a security issue, user logs out but the device is not umounted!!
Without pam_mount debug option set this is not immediately apparent to the user!
I have followed the instructions on: http://
To create a loopback encrypted home directory with pam_mount.
The dir mounts ok and seems to work however on logout I get " error setting uid to 0"
lsof -n | grep /home/crypto comes up empty.
I have included a pam_mount debug output for the login and logout process:
For easier viewing: http://
user@trinity:su crypto
pam_mount(
=======
crypto@trinity:exit
exit
pam_mount(
=======
Entry in /etc/security/
volume crypto auto - /home/crypto.img /home/crypto loop,user,
/Kalisto"
Changed in libpam-mount: status: Incomplete → New
Changed in pam: status: Unknown → In Progress
Changed in openssh: status: New → Confirmed
Changed in openssh (Ubuntu): status: Fix Committed → Fix Released
Changed in shadow (Ubuntu): status: New → Confirmed
no longer affects: pam (Ubuntu)
Confirmed!
>Dameon Wagner wrote:
>> pam_mount(misc.c:264) command: /usr/local/sbin/pmvarrun [-u] [tester] [-o] [-1]
>> pam_mount(misc.c:341) set_myuid(pre): real uid/gid=1004:1004, effective uid/gid=1004:1004
>> pam_mount(misc.c:346) error setting uid to 0
>> pam_mount(pam_mount.c:360) pmvarrun says login count is 1
>Before unmount, the login count must be zero, not 1. This is the reason
>pam_mount does no unmount.
But the problem is that the effective gid is not 0 anymore. I think this
privilege-dropping is a bug ('feature gone wrong') in Ubuntu.
>To reset the login count, remove the file /var/run/pam_mount/$USER. Then
>a login as $USER should increase the value in this file to one, and the
>logout decreases it again to zero. Then the volumes will be unmounted.
>
>Regards,
> Bastian
>pam-mount-user mailing list
>pam-mount-user@li...
>https://lists.sourceforge.net/lists/listinfo/pam-mount-user
>
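
The failure reported in this thread is silent unless pam_mount's debug option is on, so a post-logout check is useful. The following is an added example, not code from pam_mount or from any participant in this report: it parses debug lines in the format quoted above and reports volumes that are still mounted after a logout in which root could not be regained. The function names and the mounts excerpt are assumptions made for illustration.

```python
import re

# Constructed sample: the four debug lines quoted in the thread above.
SAMPLE_LOG = """\
pam_mount(misc.c:264) command: /usr/local/sbin/pmvarrun [-u] [tester] [-o] [-1]
pam_mount(misc.c:341) set_myuid(pre): real uid/gid=1004:1004, effective uid/gid=1004:1004
pam_mount(misc.c:346) error setting uid to 0
pam_mount(pam_mount.c:360) pmvarrun says login count is 1
"""

# Constructed /proc/mounts excerpt; device names and options are hypothetical.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/mapper/crypto_img /home/crypto ext3 rw 0 0
"""

LINE = re.compile(r"^pam_mount\(([\w.]+):\s*(\d+)\)\s*(.*)$")
UIDS = re.compile(r"real uid/gid=(\d+):(\d+), effective uid/gid=(\d+):(\d+)")
COUNT = re.compile(r"login count is (-?\d+)")

def analyse_close_session(log_text):
    """Summarise the pam_mount debug lines written during one logout."""
    info = {"euid": None, "setuid_failed": False, "login_count": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a pam_mount debug line
        msg = m.group(3)
        if (u := UIDS.search(msg)):
            info["euid"] = int(u.group(3))      # effective uid at session close
        elif "error setting uid to 0" in msg:
            info["setuid_failed"] = True        # root could not be regained
        elif (c := COUNT.search(msg)):
            info["login_count"] = int(c.group(1))
    return info

def stale_volumes(log_text, mounts_text, mountpoints):
    """Mountpoints still mounted after a logout where regaining root failed."""
    if not analyse_close_session(log_text)["setuid_failed"]:
        return []
    live = {f[1] for f in map(str.split, mounts_text.splitlines()) if len(f) > 1}
    return sorted(mp for mp in mountpoints if mp in live)

if __name__ == "__main__":
    print(analyse_close_session(SAMPLE_LOG))
    print(stale_volumes(SAMPLE_LOG, SAMPLE_MOUNTS, ["/home/crypto"]))
```

On a live system the mounts text would come from /proc/mounts and the mountpoints from the volume entries in the pam_mount configuration.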