Your message dated Fri, 13 Apr 2018 09:58:52 +0200
with message-id <20180413075852.GL21524@vis>
and subject line [jspri...@debian.org: Accepted libpam-mount 2.16-5 (source) into unstable]
has caused the Debian Bug report #627085,
regarding pmt_already_mounted() broken when server="nfs"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
627085: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627085
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpam-mount
Version: 2.14-1.1
Severity: minor

1. libpam_mount considers something "already mounted" if it can find a
   mount in libmount's iterator where both the source (device) and
   target (mountpoint) match.

   This is the code responsible:
     libpam-mount/src/mount.c:149:pmt_already_mounted()
     libpam-mount/src/mount.c:125:pmt_utabent_matches()


THE PROBLEM
====================

2. If pam_mount.conf.xml has

     <volume fstype="nfs" server="nfs" path="~" mountpoint="~" options="...">

   then "already mounted?" fails because it compares nfs:/home/prisoners/p to /home/prisoners/p.  I think.

     command: 'mount' '-onfsvers=3,intr,bg,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/prisoners/p' '/home/prisoners/p'
     (mount.c:72): Messages from underlying mount program:
     (mount.c:76): mount.nfs: access denied by server while mounting (null)

   The odd error from mount.nfs is because nfs:/home is root_squash and user nobody can't read it:

     # mkdir x y
     # mount -tnfs nfs:/home x
     # mount -tnfs nfs:/home x
     mount.nfs: /root/x is busy or already mounted
     # mount -tnfs nfs:/home/prisoners/p y
     # mount -tnfs nfs:/home/prisoners/p y
     mount.nfs: access denied by server while mounting (null)
     # ls -ld x y
     drwxr-x--x  8 root root 1024 Nov 12  2014 x
     drwx------ 13 p    p    4096 Sep 22 12:35 y
     # ls -ld x/prisoners
     drwxr-x--x 24 root root 1024 Sep 21 17:09 x/prisoners


WORKAROUNDS DON'T WORK
==============================

3. If pam_mount.conf.xml has

     <volume fstype="nfs" path="nfs:~" mountpoint="~" options="...">

   then mounting fails because the nfs:~ is not expanded.

     command: 'mount' '-onfsvers=3,intr,bg,nodev,noexec,nosuid' '-tnfs' 'nfs:~' '/home/prisoners/p'
     (mount.c:72): Messages from underlying mount program:
     (mount.c:76): mount.nfs: access denied by server while mounting nfs:~

4. If pam_mount.conf.xml has

     <volume fstype="nfs" path="nfs:/home/prisoners/p" mountpoint="~" options="...">

   then mounting & detection both work:

     (mount.c:628): nfs:/home/prisoners/p already seems to be mounted at /home/prisoners/p, skipping

   ...but now I have to list every user's login individually, which is not feasible.

5. If pam_mount.conf.xml has

     <volume fstype="nfs" path="nfs:/home/prisoners/%(USER)" mountpoint="~" options="...">

   the source is the wrong path for staff users.

   Constructing $HOME from $USER also fails for setups like
     ~ajking2 ==> /home/students/a/j/ajking2/
   which used to be common in large universities.

   I could probably get away with this, but it feels awful:

     <volume group="prisoners" fstype="nfs" path="nfs:/home/prisoners/%(USER)" mountpoint="~" options="...">
     <volume group="staff"     fstype="nfs" path="nfs:/home/staff/%(USER)"     mountpoint="~" options="...">


IMPACT
====================

This is not an immediate problem for me,
because the duplicate mount fails & the login succeeds.

But!  If the *first* mount fails (e.g. when NFS is down),
the user gets a working login with $HOME on the local root filesystem.

If I fix that by making PAM abort when the mount fails,
the problem in pmt_utabent_matches() will break the user's second
concurrent login (e.g. GUI desktop + ssh).


I'm too dumb to see exactly how to patch this,
but I hope it's a one-line change. :-)



POSTSCRIPT
====================

I pulled out pmt_already_mounted() into the following stand-alone script,
to confirm that libmount could see the mountpoint:

    bash4$ cat mount-test.c
    /* #!/usr/bin/tcc -run -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -lmount */

    /* bash4$ pkg-config --cflags --libs mount */
    /* -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -lmount */

    #include <stdio.h>
    #include <libmount.h>

    /* Print the source and target of every entry libmount sees in the mount table. */
    int main(void)
    {
      struct libmnt_context *ctx;
      struct libmnt_table *table;
      struct libmnt_iter *iter;
      struct libmnt_fs *fs;
      const char *source, *target;

      ctx = mnt_new_context();
      if (ctx == NULL)
        return -1;
      /* The table belongs to the context and is released with it. */
      if (mnt_context_get_mtab(ctx, &table) != 0)
        goto out;
      iter = mnt_new_iter(MNT_ITER_BACKWARD);
      if (iter == NULL)
        goto out;

      while (mnt_table_next_fs(table, iter, &fs) == 0)
        {
          source = mnt_fs_get_source(fs);
          target = mnt_fs_get_target(fs);
          /* "a ?: b" is the GNU C shorthand for "a ? a : b". */
          printf("source<%s> target<%s>\n",
                 source ?: "NULL",
                 target ?: "NULL");
        }
      mnt_free_iter(iter);
     out:
      mnt_free_context(ctx);
      return 0;
    }

    bash4$ cc mount-test.c $(pkg-config --cflags --libs mount)

    bash4$ cat a.out | ssh x 'cat >a.out && chmod +x a.out && ./a.out'
    Warning: Permanently added 'het' (ECDSA) to the list of known hosts.
    source<tmpfs> target</run/user/10242>
    source<nfs:/home/prisoners/p> target</home/prisoners/p>
    source<tmpfs> target</run/user/0>
    source<nfs:/srv/share> target</srv/share>
    source<tmpfs> target</lib/live/mount>
    source<tmpfs> target</tmp>
    source<tmpfs> target</var/tmp>
    source<pstore> target</sys/fs/pstore>
    source<cgroup> target</sys/fs/cgroup/systemd>
    source<tmpfs> target</sys/fs/cgroup>
    source<tmpfs> target</run/lock>
    source<devpts> target</dev/pts>
    source<tmpfs> target</dev/shm>
    source<securityfs> target</sys/kernel/security>
    source<devtmpfs> target</dev>
    source<aufs> target</>
    source<tmpfs> target</lib/live/mount/overlay>
    source</dev/loop0> target</lib/live/mount/rootfs/filesystem.squashfs>
    source<10.128.0.1:/srv/netboot/images> target</lib/live/mount/medium>
    source<tmpfs> target</run>
    source<proc> target</proc>
    source<sysfs> target</sys>

The full pam_mount.conf.xml I used for these tests was:

    <?xml version="1.0" encoding="utf-8" ?>
    <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
    <pam_mount>
      <debug enable="1" />
      <volume fstype="nfs"
              server="nfs"
              path="~"
              mountpoint="~"
              options="nfsvers=3,intr,bg,nodev,noexec,nosuid">
        <uid>1000-29999</uid>
      </volume>
      <mkmountpoint enable="1" remove="false" />
    </pam_mount>

--- End Message ---
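
The mismatch suspected in the report above, as an added example that is not pam_mount's code and not part of the original message: a check that compares the bare path misses the existing NFS mount, while one that first composes "server:path" finds it. `struct volume`, `struct row`, both match functions and the trailing-slash handling are assumptions made for illustration; the table rows are copied from the mount-test output.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a pam_mount <volume> and one mount-table row. */
struct volume { const char *fstype, *server, *path, *mountpoint; };
struct row { const char *source, *target; };

/* Rows copied from the mount-test output in the report. */
static const struct row table[] = {
    { "tmpfs", "/run/user/10242" }, { "nfs:/home/prisoners/p", "/home/prisoners/p" },
    { "nfs:/srv/share", "/srv/share" }, { "aufs", "/" },
};

/* Path equality that ignores trailing slashes but keeps "/" itself. */
static bool path_eq(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    while (la > 1 && a[la - 1] == '/') la--;
    while (lb > 1 && b[lb - 1] == '/') lb--;
    return la == lb && strncmp(a, b, la) == 0;
}

/* Suspected behaviour: the bare path is compared with a "server:path" source. */
static bool match_naive(const struct volume *v, const struct row *m) {
    return path_eq(v->path, m->source) && path_eq(v->mountpoint, m->target);
}

/* Compose the source the way it is passed to mount(8) before comparing. */
static bool match_with_server(const struct volume *v, const struct row *m) {
    char want[4096];
    bool nfs = v->server && *v->server && strcmp(v->fstype, "nfs") == 0;
    snprintf(want, sizeof(want), "%s%s%s", nfs ? v->server : "", nfs ? ":" : "", v->path);
    return path_eq(want, m->source) && path_eq(v->mountpoint, m->target);
}

static bool already_mounted(const struct volume *v,
                            bool (*match)(const struct volume *, const struct row *)) {
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (match(v, &table[i])) return true;
    return false;
}

int main(void) {
    /* server="nfs" path="~" mountpoint="~" after ~ expansion for user p */
    struct volume v = { "nfs", "nfs", "/home/prisoners/p", "/home/prisoners/p" };
    printf("naive=%d\n", already_mounted(&v, match_naive));
    printf("with_server=%d\n", already_mounted(&v, match_with_server));
    return 0;
}
```

With a fail-closed PAM policy, the naive result is the one that would reject the user's second concurrent login.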
--- Begin Message ---
----- Forwarded message from Jochen Sprickerhof <jspri...@debian.org> -----

Date: Thu, 12 Apr 2018 17:51:57 +0000
To: debian-devel-chan...@lists.debian.org
From: Jochen Sprickerhof <jspri...@debian.org>
Subject: Accepted libpam-mount 2.16-5 (source) into unstable

Format: 1.8
Date: Thu, 12 Apr 2018 19:29:03 +0200
Source: libpam-mount
Binary: libpam-mount
Architecture: source
Version: 2.16-5
Distribution: unstable
Urgency: medium
Maintainer: Jochen Sprickerhof <jspri...@debian.org>
Changed-By: Jochen Sprickerhof <jspri...@debian.org>
Description:
libpam-mount - PAM module that can mount volumes for a user session
Changes:
libpam-mount (2.16-5) unstable; urgency=medium
.
  * Upload to unstable.


----- End forwarded message -----



--- End Message ---
