[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.

Moritz Hassert mhassert at abm.de
Tue Jun 5 10:14:25 UTC 2012


Hi, I'm affected too and would like to provide some additional
information:

I suspect this bug is not caused by _how often_ pam_mount is called but rather a mixup of the user it is run under.
When running sudoedit, before the editor component is started, pam_mount always tries to mount the partition. So while the editor is shown, the partition is always mounted. Either because it has been mounted before or because it got mounted here.
pam_mount also increases the login-count of the normal user (not root!) issuing the sudoedit command.
After you close the editor, pam_mount decreases the login count for root (not the above user!) and as there are no counted logins for root, it always decides to unmount the partition. So after sudoedit is finished the partition is always unmounted regardless of its state before running sudoedit. So after using sudoedit for the first time after kdm/whatever login the mount is gone.

It seems to me, sudoedit is opening a new session for user $USER but
then closing one for user "root".

See the following log produced with pam_mount debugging enabled:
[BEGIN OF LOG]
USER at USER:~$ cat /var/run/pam_mount/USER
0x3

USER at USER:~$ LC_ALL=C sudoedit foo
[sudo] password for USER: 
pam_mount(pam_mount.c:364): pam_mount 2.10: entering auth stage
pam_mount(pam_mount.c:553): pam_mount 2.10: entering session stage
pam_mount(misc.c:38): Session open: (ruid/rgid=0/2000, e=0/2000)
pam_mount(mount.c:218): Mount info: globalconf, user=USER <volume fstype="crypt" server="(null)" path="/dev/disk/by-uuid/UUID_OF_LUKS_PARTITION" mountpoint="/media/data" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="fsck,acl,user_xattr,relatime" /> fstab=0 ssh=0
command: 'mount' '-t' 'crypt' '-ofsck,acl,user_xattr,relatime' '/dev/disk/by-uuid/UUID_OF_LUKS_PARTITION' '/media/data' 
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=0/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/2000, e=0/2000)
  [... pam_mount(misc.c:380): ... [List of all previously active mounts ...]
  [the newly mounted partition:]
pam_mount(misc.c:380): 21 20 252:5 / /media/data rw,relatime - ext4 /dev/mapper/_dev_dm_2 rw,user_xattr,acl,barrier=1,data=ordered
command: 'pmvarrun' '-u' 'USER' '-o' '1' 
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=0/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/2000, e=0/2000)
pmvarrun(pmvarrun.c:252): parsed count value 3
pam_mount(pam_mount.c:440): pmvarrun says login count is 4
pam_mount(pam_mount.c:645): done opening session (ret=0)
Processing '/etc/joe/editorrc'...Processing '/etc/joe/ftyperc'...done
done

  [... editor opens. close it without saving ...]

File /var/tmp/foo.XXOuqivj not changed so no update needed
pam_mount(pam_mount.c:691): received order to close things
pam_mount(misc.c:38): Session close: (ruid/rgid=0/2000, e=0/2000)
command: 'pmvarrun' '-u' 'root' '-o' '-1' 
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=0/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/2000, e=0/2000)
pmvarrun(pmvarrun.c:252): parsed count value 0
pam_mount(pam_mount.c:438): error reading login count from pmvarrun
pam_mount(mount.c:749): going to unmount
pam_mount(mount.c:218): Mount info: globalconf, user=USER <volume fstype="crypt" server="(null)" path="/dev/disk/by-uuid/UUID_OF_LUKS_PARTITION" mountpoint="/media/data" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="fsck,acl,user_xattr,relatime" /> fstab=0 ssh=0
command: 'pmt-ofl' '-k0' '/media/data' 
command: 'umount' '/media/data' 
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=0/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/2000, e=0/2000)
pam_mount(pam_mount.c:728): pam_mount execution complete
pam_mount(pam_mount.c:115): Clean global config (1073741824)
pam_mount(pam_mount.c:132): clean system authtok=0x14bbd70 (1073741824)
sudoedit: foo unchanged

USER at USER:~$ cat /var/run/pam_mount/USER
0x4
[END OF LOG]

One can see that "pmvarrun" is run with different user names before and
after the editor.

By the way: Whether sudoedit is called for the first time requiring a
password or with cached password does not change anything, except for
the prompt "reenter password for pam_mount:" instead of the sudo
password prompt right at the start.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/996806

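A small model of the counter behaviour Moritz describes above, added here as an illustration and not part of the bug thread or of pam_mount's own code. It assumes a per-user counter with pmvarrun-like semantics (read, apply delta, fail on a decrement below zero) and an unmount whenever the closing user's count cannot be decremented or reaches zero, which is what the debug log shows; the names `PamMountModel` and `sudoedit_sequence` are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PamMountModel:
    """Toy model of the per-user login counters kept under
    /var/run/pam_mount/<user> and of the unmount decision at session close.
    Modelled after the behaviour visible in the debug log, not the source."""
    counts: Dict[str, int] = field(default_factory=dict)  # user -> login count
    mounted: bool = False                                  # state of the volume
    events: List[str] = field(default_factory=list)        # constructed trace

    def pmvarrun(self, user: str, delta: int) -> Optional[int]:
        # Like `pmvarrun -u USER -o DELTA`: a missing counter file reads as 0,
        # the delta is applied and the new count returned. A decrement below
        # zero is an error (None), the log's "error reading login count".
        old = self.counts.get(user, 0)
        new = old + delta
        if new < 0:
            self.events.append(f"pmvarrun -u {user} -o {delta}: count {old}, error")
            return None
        self.counts[user] = new
        self.events.append(f"pmvarrun -u {user} -o {delta}: count {old} -> {new}")
        return new

    def session_open(self, user: str) -> None:
        # Session open: mount if not already mounted, then bump the user's count.
        if not self.mounted:
            self.mounted = True
            self.events.append("mount /media/data")
        self.pmvarrun(user, +1)

    def session_close(self, user: str) -> bool:
        # Session close: decrement; unmount when no counted logins remain for
        # that user (or the counter cannot be decremented). True if unmounted.
        count = self.pmvarrun(user, -1)
        if count is None or count == 0:
            self.mounted = False
            self.events.append("umount /media/data")
            return True
        return False


def sudoedit_sequence(close_as: str) -> Tuple[int, bool]:
    """Replay the log's scenario: USER starts with 3 counted logins (0x3) and
    the volume mounted; sudoedit opens a session for USER and closes one for
    `close_as` (root in the buggy case). Returns (USER's count, still mounted)."""
    m = PamMountModel(counts={"USER": 3}, mounted=True)
    m.session_open("USER")
    m.session_close(close_as)
    return m.counts["USER"], m.mounted
```

Closing as root reproduces the log (USER's counter left at 4, volume unmounted); closing as USER, which is what a consistent session would do, leaves the counter at 3 and the volume mounted.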
Title:
  sudoedit triggers pam_mount to enquire the password of the encrypted
  partition, trying to mount it and later to umount it.

Status in User mounts:
  New
Status in “sudo” package in Ubuntu:
  In Progress

Bug description:
  I have sudo 1.8.3p1-1ubuntu3.1 from precise-proposed and I use
  pam_mount for mounting encrypted partitions at login. (LVM partitions,
  if that matters.)

  'sudoedit' command triggers pam_mount to enquire the password of the
  encrypted partition, trying to mount it and later to umount it.
  Mounting and umounting fails, because the encrypted partition is
  already mounted, unlocked and busy. The edited file is not changed
  rendering sudoedit useless.

  $ sudoedit test
  reenter password for pam_mount:
  pam_mount(mount.c:69): Messages from underlying mount program:
  pam_mount(mount.c:73): crypt_activate_by_passphrase: File exists
  pam_mount(pam_mount.c:521): mount of /dev/myvolumehere/mypartitionhere failed
  pam_mount(mount.c:69): umount messages:
  pam_mount(mount.c:73): umount: /mnt/mymountedpartition: device is busy.
  pam_mount(mount.c:73): (In some cases useful info about processes that use
  pam_mount(mount.c:73): the device is found by lsof(8) or fuser(1))
  pam_mount(mount.c:73): umount /mnt/mymountedpartition failed with run_sync status 1
  pam_mount(mount.c:73): umount: /mnt/mymountedpartition: device is busy.
  pam_mount(mount.c:73): (In some cases useful info about processes that use
  pam_mount(mount.c:73): the device is found by lsof(8) or fuser(1))
  pam_mount(mount.c:73): umount /mnt/mymountedpartition failed with run_sync status 1
  pam_mount(mount.c:752): unmount of /dev/myvolumehere/mypartitionhere failed

  If I edit the file "test", the tmp file "/var/tmp/test.XXN2W9z4" gets
  updated, but after exiting sudoedit, the actual file is not changed.
  The tmp file is removed after exiting.

  sudo (version 1.8.3p1-1ubuntu3.1) does not trigger this behavior, just sudoedit. If I clear the sudo timestamp:
  $ sudo -k
  $ sudoedit test
  [sudo] password for myusername: 
  pam_mount(mount.c:69): Messages from underlying mount program:
  [...the same errors...]

  If I downgrade to version sudo=1.8.3p1-1ubuntu3, the sudoedit fails
  similarly, but appended with the known bug 927828:

  shell:~$ sudoedit test
  reenter password for pam_mount:
  pam_mount(mount.c:69): Messages from underlying mount program:
  pam_mount(mount.c:73): crypt_activate_by_passphrase: File exists
  pam_mount(pam_mount.c:521): mount of /dev/myvolumehere/mypartitionhere failed
  sudoedit: pam_mount.c:417: modify_pm_count: Assertion `user != ((void *)0)' failed.
  Aborted
  shell:~$ ls test
  ls: cannot access test: No such file or directory

  So sudoedit was unusable also with the old version.

  The workaround is to edit files using "sudo vim (file)".

  $ lsb_release -rd
  Description:    Ubuntu 12.04 LTS
  Release:        12.04

  sudo:
    Installed: 1.8.3p1-1ubuntu3.1

  /$ cat /etc/pam.d/sudo
  #%PAM-1.0
  @include common-auth
  @include common-account
  @include common-session-noninteractive

  $ grep pam_mount /etc/pam.d/common-*
  /etc/pam.d/common-auth:auth     optional        pam_mount.so 
  /etc/pam.d/common-session:session       optional        pam_mount.so 
  /etc/pam.d/common-session-noninteractive:session        optional        pam_mount.so 

  Hence, pam_mount.so is in both common-auth and common-session-
  noninteractive. However, sudo does not have this problem, only
  sudoedit.

  File /etc/security/pam_mount.conf.xml:

  <?xml version="1.0" encoding="utf-8" ?>
  <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
  <pam_mount>
  <debug enable="0" />
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions require="nosuid,nodev" />
  <logout wait="0" hup="0" term="0" kill="0" />
  <mkmountpoint enable="1" remove="true" />
  <volume user="myusername" fstype="crypt" path="/dev/myvolumehere/mypartitionhere" mountpoint="/mnt/mymountedpartition" />
  </pam_mount>
