[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.

Moritz Hassert mhassert at abm.de
Tue Jun 5 11:12:11 UTC 2012


Just checked sudo's behavior regarding the login count. It consistently
uses the user "root" before and after the given command:

[BEGIN OF LOG]
[sudo] password for USER: 
pam_mount(pam_mount.c:364): pam_mount 2.10: entering auth stage
pam_mount(pam_mount.c:553): pam_mount 2.10: entering session stage
pam_mount(misc.c:38): Session open: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(pam_mount.c:614): no volumes to mount
command: 'pmvarrun' '-u' 'root' '-o' '1' 
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/2000, e=0/2000)
pmvarrun(pmvarrun.c:252): parsed count value 0
pam_mount(pam_mount.c:440): pmvarrun says login count is 1
pam_mount(pam_mount.c:645): done opening session (ret=0)
uid=0(root) gid=0(root) Gruppen=0(root)
pam_mount(pam_mount.c:691): received order to close things
pam_mount(pam_mount.c:693): No volumes to umount
command: 'pmvarrun' '-u' 'root' '-o' '-1' 
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/2000, e=0/2000)
pmvarrun(pmvarrun.c:252): parsed count value 1
pam_mount(pam_mount.c:440): pmvarrun says login count is 0
pam_mount(pam_mount.c:728): pam_mount execution complete
pam_mount(pam_mount.c:115): Clean global config (1073741824)
pam_mount(pam_mount.c:132): clean system authtok=0x151b270 (1073741824)
[END OF LOG]


@aldebx:
I can reproduce your problem with sudo in version 1.8.3p1-1ubuntu3.2:
My mount-line in /etc/security/pam_mount.conf.xml is limited to user "user=USER". If I change this to "user=root" or remove the limitation altogether, I get "reenter password for pam_mount" when running "sudo id". Can you confirm this is similar to your config?

Without such a change to my configs, you can see in the above sudo log
that pam_mount would like to mess with mounts too but can't because
there are none available for user root ("no volumes to mount").


So IMHO there are two different issues to address:

1. fixing sudo/sudoedit:
sudoedit's interaction with pam_mount regarding the user is bogus. It should be just like sudo does it. (Why is it different in the first place?)

2. fixing pam_mount:
- First, there are good reasons to run pam_mount from sudo: Consider a user cron job running "sudo foo" where the user is allowed (by /etc/sudoers) to run "sudo foo" without entering a password. The command "foo" may need access to a certain partition. The partition may be mounted on-demand by pam_mount for various reasons (to save resources, ...).
- But there is absolutely no use in asking for an unlock password in this use case. So pam_mount should skip encrypted partitions if there is no way to ask for a password. (This may already be the current behavior. I haven't tested it.)
- If there is an encrypted partition for user root available that is not yet mounted and we're in an interactive shell, ask for the password to unlock it. If root does not need the mount, then don't configure it this way.
- If a partition is already mounted by pam_mount, even because of another user's login session, pam_mount should not try to mount it again and therefore not ask for a password. It should keep track of unlocked and mounted partitions for this.
- pam_mount is too eager to unmount partitions. It should only unmount them when the login counts of _all_ affected users reach 0. Affected users are all those for which pam_mount would have tried to mount the partition on login.

-- 
https://bugs.launchpad.net/bugs/996806

Title:
  sudoedit triggers pam_mount to enquire the password of the encrypted
  partition, trying to mount it and later to umount it.

Status in User mounts:
  New
Status in “sudo” package in Ubuntu:
  In Progress

Bug description:
  I have sudo 1.8.3p1-1ubuntu3.1 from precise-proposed and I use
  pam_mount for mounting encrypted partitions at login. (LVM partitions,
  if that matters.)

  The 'sudoedit' command triggers pam_mount to enquire the password of the
  encrypted partition, trying to mount it and later to umount it.
  Mounting and umounting fails, because the encrypted partition is
  already mounted, unlocked and busy. The edited file is not changed,
  rendering sudoedit useless.

  $ sudoedit test
  reenter password for pam_mount:
  pam_mount(mount.c:69): Messages from underlying mount program:
  pam_mount(mount.c:73): crypt_activate_by_passphrase: File exists
  pam_mount(pam_mount.c:521): mount of /dev/myvolumehere/mypartitionhere failed
  pam_mount(mount.c:69): umount messages:
  pam_mount(mount.c:73): umount: /mnt/mymountedpartition: device is busy.
  pam_mount(mount.c:73): (In some cases useful info about processes that use
  pam_mount(mount.c:73): the device is found by lsof(8) or fuser(1))
  pam_mount(mount.c:73): umount /mnt/mymountedpartition failed with run_sync status 1
  pam_mount(mount.c:73): umount: /mnt/mymountedpartition: device is busy.
  pam_mount(mount.c:73): (In some cases useful info about processes that use
  pam_mount(mount.c:73): the device is found by lsof(8) or fuser(1))
  pam_mount(mount.c:73): umount /mnt/mymountedpartition failed with run_sync status 1
  pam_mount(mount.c:752): unmount of /dev/myvolumehere/mypartitionhere failed

  If I edit the file "test", the tmp file "/var/tmp/test.XXN2W9z4" gets
  updated, but after exiting sudoedit, the actual file is not changed.
  The tmp file is removed after exiting.

  sudo (version 1.8.3p1-1ubuntu3.1) does not trigger this behavior, just sudoedit. If I clear the sudo timestamp:
  $ sudo -k
  $ sudoedit test
  [sudo] password for myusername: 
  pam_mount(mount.c:69): Messages from underlying mount program:
  [...the same errors...]

  If I downgrade to version sudo=1.8.3p1-1ubuntu3, the sudoedit fails
  similarly, but appended with the known bug 927828:

  shell:~$ sudoedit test
  reenter password for pam_mount:
  pam_mount(mount.c:69): Messages from underlying mount program:
  pam_mount(mount.c:73): crypt_activate_by_passphrase: File exists
  pam_mount(pam_mount.c:521): mount of /dev/myvolumehere/mypartitionhere failed
  sudoedit: pam_mount.c:417: modify_pm_count: Assertion `user != ((void *)0)' failed.
  Aborted
  shell:~$ ls test
  ls: cannot access test: No such file or directory

  So sudoedit was unusable also with the old version.

  The workaround is to edit files using "sudo vim (file)".

  $ lsb_release -rd
  Description:    Ubuntu 12.04 LTS
  Release:        12.04

  sudo:
    Installed: 1.8.3p1-1ubuntu3.1

  /$ cat /etc/pam.d/sudo
  #%PAM-1.0
  @include common-auth
  @include common-account
  @include common-session-noninteractive

  $ grep pam_mount /etc/pam.d/common-*
  /etc/pam.d/common-auth:auth     optional        pam_mount.so 
  /etc/pam.d/common-session:session       optional        pam_mount.so 
  /etc/pam.d/common-session-noninteractive:session        optional        pam_mount.so 

  Hence, pam_mount.so is in both common-auth and
  common-session-noninteractive. However, sudo does not have this
  problem, only sudoedit.

  File /etc/security/pam_mount.conf.xml:

  <?xml version="1.0" encoding="utf-8" ?>
  <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
  <pam_mount>
  <debug enable="0" />
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions require="nosuid,nodev" />
  <logout wait="0" hup="0" term="0" kill="0" />
  <mkmountpoint enable="1" remove="true" />
  <volume user="myusername" fstype="crypt" path="/dev/myvolumehere/mypartitionhere" mountpoint="/mnt/mymountedpartition" />
  </pam_mount>
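The unmount rule proposed in point 2 of the comment above (mount once, unmount only when the login counts of all affected users reach 0, skip encrypted volumes when no password can be asked for), as an added model written for this page; it is not pam_mount code. Volume-to-user mapping, user names and the session sequence are constructed to mirror the bug report's pam_mount.conf.xml and the sudoedit case.

```python
# Added example, not pam_mount or sudo code: models the per-user login count
# that pmvarrun keeps, plus the proposed rule that a volume is unmounted only
# when the counts of *all* users it is configured for are zero.

VOL = "/dev/myvolumehere/mypartitionhere"
# Constructed: volume path -> users pam_mount would mount it for; this mirrors
# the single <volume user="myusername" .../> line of the reported config.
CONSTRUCTED_VOLUMES = {VOL: {"myusername"}}


class PamMountModel:
    def __init__(self, volumes):
        self.volumes = volumes
        self.logins = {}        # user -> login count (what pmvarrun tracks)
        self.mounted = set()    # volumes currently mounted by pam_mount
        self.events = []        # ("mount"|"umount", volume, user) actions taken

    def _affected_count(self, vol):
        # Sum of login counts over every user the volume is configured for.
        return sum(self.logins.get(u, 0) for u in self.volumes[vol])

    def open_session(self, user, can_prompt=True):
        self.logins[user] = self.logins.get(user, 0) + 1
        for vol, users in self.volumes.items():
            if user not in users or vol in self.mounted:
                continue    # not this user's volume, or already mounted: no prompt
            if not can_prompt:
                continue    # non-interactive (cron + sudo): skip encrypted volume
            self.mounted.add(vol)
            self.events.append(("mount", vol, user))
        return self.logins[user]

    def close_session(self, user):
        self.logins[user] = max(0, self.logins.get(user, 0) - 1)
        for vol, users in self.volumes.items():
            if user in users and vol in self.mounted and self._affected_count(vol) == 0:
                self.mounted.discard(vol)
                self.events.append(("umount", vol, user))
        return self.logins[user]


def bug_scenario():
    """Desktop login, then a sudoedit session as the same user, then logout."""
    m = PamMountModel(CONSTRUCTED_VOLUMES)
    m.open_session("myusername")    # desktop login: volume mounted once
    m.open_session("myusername")    # sudoedit session: already mounted, no prompt
    m.close_session("myusername")   # sudoedit exits: count 1 left, stays mounted
    m.open_session("root")          # what sudo does: root has no volumes
    m.close_session("root")
    m.close_session("myusername")   # desktop logout: all counts 0, unmounted
    return m.events
```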
