[Bug 117736] Re: pam_mount unable to unmount needs root priv
Dirk Moermans
dirkmoermans at gmail.com
Sun Jun 5 11:09:35 UTC 2011
The bug is still present in 11.04.
pam_mount(spawn.c:128): error setting uid to 0
pmvarrun(pmvarrun.c:457): could not unlink /var/run/pam_mount/sec: Permission denied
pam_mount(spawn.c:128): error setting uid to 0
pam_mount(mount.c:68): umount messages:
pam_mount(mount.c:72): umount: only root can unmount /dev/sda8 from /home/sec
pam_mount(mount.c:724): unmount of /dev/sda8 failed
--
https://bugs.launchpad.net/bugs/117736
Title:
  pam_mount unable to unmount needs root priv
Status in Pluggable Authentication Modules:
  In Progress
Status in “libpam-mount” package in Ubuntu:
  Confirmed
Status in “openssh” package in Ubuntu:
  Fix Released
Status in “pam” package in Ubuntu:
  Invalid
Status in “shadow” package in Ubuntu:
  New
Status in Debian GNU/Linux:
  Fix Released
Bug description:
Binary package hint: libpam-mount
From pam_mount developer Jan Engelhardt on the SourceForge mailing list:
"pam_mount *needs* the root privileges, but Ubuntu's PAM configuration
decided to throw them away after the login sequence completed."
From Ubuntu Feisty Fawn user Kalisto:
"When using loopback encrypted file systems this is a security issue, user logs out but the device is not umounted!!
Without pam_mount debug option set this is not immediately apparent to the user!
I have followed the instructions on http://felipe-alfaro.org/blog/2006/08/19/encrypted-home-on-ubuntu-using-cryptoloop/ to create a loopback encrypted home directory with pam_mount.
The dir mounts ok and seems to work; however, on logout I get "error setting uid to 0".
lsof -n | grep /home/crypto comes up empty.
I have included a pam_mount debug output for the login and logout process:
For easier viewing: http://rafb.net/p/HLVzwm40.nln.html
user@trinity:su crypto
pam_mount(pam_mount.c:461) pam_sm_open_session: real uid/gid=0:1001, effective uid/gid=0:1001
pam_mount(readconfig.c:418) checking sanity of volume record (/home/crypto.img)
pam_mount(pam_mount.c:476) about to perform mount operations
pam_mount(mount.c:368) information for mount:
pam_mount(mount.c:369) ----------------------
pam_mount(mount.c:370) (defined by globalconf)
pam_mount(mount.c:373) user: crypto
pam_mount(mount.c:374) server:
pam_mount(mount.c:375) volume: /home/crypto.img
pam_mount(mount.c:376) mountpoint: /home/crypto
pam_mount(mount.c:377) options: loop,user,exec,encryption=aes,keybits=128
pam_mount(mount.c:378) fs_key_cipher: aes-128-ecb
pam_mount(mount.c:379) fs_key_path: /home/crypto.key
pam_mount(mount.c:380) use_fstab: 0
pam_mount(mount.c:381) ----------------------
pam_mount(mount.c:177) realpath of volume "/home/crypto" is "/home/crypto"
pam_mount(mount.c:182) checking to see if /home/crypto.img is already mounted at /home/crypto
pam_mount(mount.c:755) /home/crypto.img already seems to be mounted at /home/crypto, skipping
pam_mount(pam_mount.c:123) clean system authtok (0)
pam_mount(misc.c:264) command: /usr/sbin/pmvarrun [-u] [crypto] [-o] [1]
pam_mount(misc.c:341) set_myuid(pre): real uid/gid=0:1001, effective uid/gid=0:1001
pam_mount(misc.c:376) set_myuid(post): real uid/gid=0:1001, effective uid/gid=0:1001
pam_mount(pam_mount.c:360) pmvarrun says login count is 3
pam_mount(pam_mount.c:493) done opening session
pam_mount(pam_mount.c:106) Clean global config (0)
===========================================================================
crypto@trinity:exit
exit
pam_mount(pam_mount.c:535) received order to close things
pam_mount(pam_mount.c:536) real and effective user ID are 1001 and 1001.
pam_mount(misc.c:264) command: /usr/sbin/pmvarrun [-u] [crypto] [-o] [-1]
pam_mount(misc.c:341) set_myuid(pre): real uid/gid=1001:1001, effective uid/gid=1001:1001
pam_mount(misc.c:346) error setting uid to 0
pam_mount(pam_mount.c:360) pmvarrun says login count is 2
pam_mount(pam_mount.c:564) crypto seems to have other remaining open sessions
pam_mount(pam_mount.c:569) pam_mount execution complete
pam_mount(pam_mount.c:535) received order to close things
pam_mount(pam_mount.c:536) real and effective user ID are 1001 and 1001.
pam_mount(misc.c:264) command: /usr/sbin/pmvarrun [-u] [crypto] [-o] [-1]
pam_mount(misc.c:341) set_myuid(pre): real uid/gid=1001:1001, effective uid/gid=1001:1001
pam_mount(misc.c:346) error setting uid to 0
pam_mount(pam_mount.c:360) pmvarrun says login count is 1
pam_mount(pam_mount.c:564) crypto seems to have other remaining open sessions
pam_mount(pam_mount.c:569) pam_mount execution complete
pam_mount(pam_mount.c:106) Clean global config (0)
===========================================================================
Entry in /etc/security/pam_mount.conf
volume crypto auto - /home/crypto.img /home/crypto loop,user,exec,encryption=aes,keybits=128 aes-128-ecb /home/crypto.key
/Kalisto"
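
An added example (not part of the original report and not pam_mount code): a Python check that scans pam_mount debug output for the failure described above, where session close runs without root and the volume stays mounted. The sample log is constructed from lines quoted in this report; the `analyze` function and its report keys are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the two log excerpts quoted in this report.
SAMPLE_LOG = """\
pam_mount(pam_mount.c:536) real and effective user ID are 1001 and 1001.
pam_mount(misc.c:346) error setting uid to 0
pam_mount(pam_mount.c:360) pmvarrun says login count is 2
pam_mount(spawn.c:128): error setting uid to 0
pmvarrun(pmvarrun.c:457): could not unlink /var/run/pam_mount/sec: Permission denied
pam_mount(spawn.c:128): error setting uid to 0
pam_mount(mount.c:68): umount messages:
pam_mount(mount.c:72): umount: only root can unmount /dev/sda8 from /home/sec
pam_mount(mount.c:724): unmount of /dev/sda8 failed
"""

# Both prefixes appear in the report: "prog(file.c:N) msg" and "prog(file.c:N): msg".
LINE = re.compile(r"^(pam_mount|pmvarrun)\((\w+\.c):(\d+)\):?\s*(.*)$")
RULES = [
    ("close_uid", re.compile(r"real and effective user ID are (\d+) and (\d+)")),
    ("setuid_failed", re.compile(r"error setting uid to 0")),
    ("umount_denied", re.compile(r"only root can unmount (\S+) from (\S+)")),
    ("unmount_failed", re.compile(r"unmount of (\S+) failed")),
    ("stale_counter", re.compile(r"could not unlink (\S+): Permission denied")),
]

def analyze(log_text):
    """Summarize signs that session close ran unprivileged and left volumes mounted."""
    report = {"unprivileged_close": False, "setuid_failures": 0,
              "still_mounted": {}, "stale_counters": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        msg = m.group(4) if m else ""  # non-matching lines yield no findings
        for name, rx in RULES:
            hit = rx.search(msg)
            if not hit:
                continue
            if name == "close_uid" and hit.group(2) != "0":
                report["unprivileged_close"] = True  # effective uid is not root
            elif name == "setuid_failed":
                report["setuid_failures"] += 1
            elif name == "umount_denied":
                report["still_mounted"][hit.group(1)] = hit.group(2)
            elif name == "unmount_failed":
                report["still_mounted"].setdefault(hit.group(1), None)
            elif name == "stale_counter":
                report["stale_counters"].append(hit.group(1))
    return report

print(analyze(SAMPLE_LOG))
```

A non-empty `still_mounted` entry means the device was still mounted at its mountpoint after logout, which is the exposure the reporter describes for encrypted volumes.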