pammount not unmounting encrypted home on logout

Stef Bon stefbon at gmail.com
Mon Mar 26 08:41:35 UTC 2012


Hi,

well probably some app is still using the mount directory.

I've been working on constructions (and still do) which mount a
"Media" directory when a user logs in, and other constructions, like
the chroot and (re)mounting to turn the system into a GoboLinux-like
system.

What I ran into is that after logging out of KDE there are still
apps using the home directory. I had to make a construction which
kills these first, and then umounts.
Isn't it possible to do a lazy umount with pammount?

I would never use the mounting directly. Better is a construction
which uses pamexec or pamscript which run scripts at auth, login and
logout, and create a construction to run scripts in order, where you
have the ability to specify that the login process has to wait for
completion (something like systemd, but then for user sessions).

Stef

2012/3/25 josh <jbuhl_nospam at gmx.net>:
> Hi,
>
> I have individually LUKS encrypted home dirs on my system which are
> mounted at login via pammount. I have one, maybe two problems that I am
> unable to track down, and which may be related.
>
> First of all, the encrypted dirs seem to be getting mounted twice when
> the user logs in. Here are the relevant lines in df output after login:
>
> /dev/mapper/_dev_sdb1 57690744 20835188 36269436 37% /home/josh
> /dev/sdb1 57690744 20835188 36269436 37% /home/josh
>
> Secondly, and most importantly, the encrypted home partitions are not
> being completely unmounted on logout. After logout, only one of the
> above has been unmounted, df reports:
>
> /dev/mapper/_dev_sdb1 57690744 20835284 36269340 37% /home/josh
>
>
> This also happens even if lsof doesn't report any open files for the
> user (a common cause of having the partition not unmounted, if memory
> serves...)
>
>
> The relevant line in /etc/security/pam_mount.conf.xml is:
>
> <volume user="josh" mountpoint="/home/josh"
> path="/dev/disk/by-uuid/967e7b41-b9cc-48f0-94e8-c2c3eb2a4dd0"
> fstype="crypt" />
>
> and this is the only reference to mounting this volume, i.e. no other
> mounting lines somewhere in fstab or crypttab. I use disk-by-uuid
> because udev does not always map the devices to the same letters, so
> the disk the above partition is on is not always sdb (also a known
> issue, again if memory serves...)
>
> I consider it a serious security problem if the encrypted dirs aren't
> automagically unmounted on logout, which at least partially defeats the
> whole purpose of having them to begin with.
>
> Any ideas?
>
> cheers,
>
> -j
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
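As an added example (not from this thread and not pam_mount's own code), here is the kind of session-close check Stef's reply points at: a script that a pam_exec session line could run as root after logout to report whether the home is still mounted (including the stacked double mount josh's df output shows) and which processes, from any uid, still hold a reference under it. It assumes the home lives under /home and that PAM_USER is set by pam_exec; the script path and sample mountinfo lines are constructed for illustration.

```python
import os

def parse_mountinfo(text):
    """Return (mount_point, source) pairs from /proc/self/mountinfo text."""
    entries = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 5 or len(rf) < 2:
            continue
        # lf[4] is the mount point (spaces escaped as \040); rf[1] is the source device
        entries.append((lf[4].replace("\\040", " "), rf[1]))
    return entries

def stacked_mounts(text, mount_point):
    """Sources still mounted at mount_point; more than one means a stacked
    (double) mount, which a single umount does not fully clear."""
    return [src for mp, src in parse_mountinfo(text) if mp == mount_point]

def holders(mount_point, proc_root="/proc"):
    """PIDs, from any uid, whose cwd, root, exe or an open fd points inside
    mount_point. Unlike lsof -u <user>, this also catches root daemons."""
    top = mount_point.rstrip("/")
    found = set()
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return []
    for pid in pids:
        base = os.path.join(proc_root, pid)
        links = [os.path.join(base, n) for n in ("cwd", "root", "exe")]
        try:  # fd listing of other users' processes needs root
            links += [os.path.join(base, "fd", f) for f in os.listdir(os.path.join(base, "fd"))]
        except OSError:
            pass
        for link in links:
            try:
                target = os.readlink(link)
            except OSError:
                continue
            if target == top or target.startswith(top + "/"):
                found.add(int(pid))
                break
    return sorted(found)

# Constructed sample mirroring the two df lines quoted in the thread.
SAMPLE_MOUNTINFO = (
    "36 24 8:17 / /home/josh rw,relatime - ext4 /dev/sdb1 rw\n"
    "37 36 253:0 / /home/josh rw,relatime - ext4 /dev/mapper/_dev_sdb1 rw\n"
)

if __name__ == "__main__":
    home = "/home/" + os.environ.get("PAM_USER", "")  # assumption: homes under /home
    with open("/proc/self/mountinfo") as f:
        left = stacked_mounts(f.read(), home)
    busy = holders(home)
    if left or busy:
        print("home not released: mounts=%s holders=%s" % (left, busy))
```

Note that even after the last umount succeeds, the dm-crypt mapping (here /dev/mapper/_dev_sdb1) stays open until it is closed, so a complete check also verifies that device node is gone.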