On Thu, Apr 07, 2011 at 10:21:34AM +0300, Gill Bates wrote:
> On Wed, Apr 6, 2011 at 4:58 PM, Agustin Martin <[email protected]> wrote:
> 
> > On Tue, Apr 05, 2011 at 11:48:55PM +0300, uri wrote:
> > > Package: libpam-encfs
> > > Version: 0.1.4.4-2
> > > Severity: important

Thanks for the reply,

Please always keep [email protected] in the reply list, so the discussion
gets stored. The actual reply goes below.

Hi, pam maintainers,

I am cc'ing you for your POV about the possibility of a package shipping
alternative entries for /usr/share/pam-configs, see below. That is not my
currently preferred option, but I would like to know your opinion first.

Previous info,

libpam-encfs needed /etc/pam.d/common-auth modification. This
is already managed automatically by means of pam-auth-update. 

There is also common-session. There are two ways of unmounting the encrypted
volume: using the idle option so it is unmounted after X min idle, or adding a
session line. The second disables the first. So, the session line may or may
not be added to common-session. If wanting to do this automatically, two
alternative snippets may be used, and I would like to know if something like
this has been considered and your opinion about that possibility.

Thanks in advance for your comments.

> > > For some reason encfs directory failed umount on logout.
> > > auth.log only contains next message:
> > > pam_encfs[11974]: exitcode : 1, errorstring :
> >
> > pam-encfs now implements an idle option to care about removals, and I
> > vaguely think he seems to prefer it. Does the problem still appear
> > if you put a line
> >
> > encfs_default --idle=1
> >
> > in your /etc/security/pam_encfs.conf file? That means that the encfs dir will
> > be unmounted after 1 minute of idle time.
> >
> Hello Agustin,
> 
> Thank you for quick response.
> 
> Unfortunately, I find that an unacceptable solution, as it is still
> possible to get access to the encrypted directory under another user during the
> timeout, and prevent umount at all. As you can see, this might be a
> serious security issue.

That will also happen when mounted if you give access to other users to the 
encrypted directory (e.g., use fuse allow_other option) or to root (fuse 
allow_root option). If none of those options are specified neither other 
users nor root can access the encrypted directory at any time. That is 
previous to the normal directory permissions.

I however agree that session behavior should also be a clearly documented
option.

> > Old option modifying /etc/pam.d/common-auth will still work, but you then
> > need to manually handle that file instead of letting pam-auth-update
> > automatically regenerate. Also, you can re-add the session stanza to
> > /etc/pam.d/common-auth, but make sure to put it outside the automatically
> > handled common block.
> >
> > During upgrade pam-auth-update should have asked you about what to do and
> > offered the possibility of manually handling it if you did manual changes.
> >
> Well, manual common-auth handling is not a problem. Could you kindly give
> some instructions to make umount possible? There is not a lot of information
> on the internet dedicated to pam_encfs. In fact, all the manuals I was able to
> find contain options I already have in my pam config.

Most of them are for ancient versions and AFAIK none contains anything about
pam-auth-update integration.

I think I should have added a NEWS.Debian explaining the change and how to
enable old behavior if desired. Auto file was based on suggestion in 

 https://bugs.launchpad.net/ubuntu/+source/libpam-encfs/+bug/287904

but with password (causes some problems) and session (unconditionally
disabled idle option) removed.

I think for this package the above should be enough, together with better
documenting this in README.Debian, so this bug can be closed with that.

Other solutions will need to have alternative entries for
/usr/share/pam-configs, handled by symlinks driven by either
update-alternatives or by a debconf question and document very well that
enabling session part will make in practice idle option a no-op.

I am speaking about two variants, with and without session entries enabled,

-- 8< ----- Only auth
Name: encfs encrypted home directories
Default: yes
Priority: 257
Auth-Type: Primary
Auth:
        sufficient                      pam_encfs.so
Auth-Initial:
        sufficient                      pam_encfs.so
-- 8< ----- End only auth

--8< ------ Auth and Session
Name: encfs encrypted home directories
Default: yes
Priority: 257
Auth-Type: Primary
Auth:
        sufficient                      pam_encfs.so
Auth-Initial:
        sufficient                      pam_encfs.so
Session-Type: Additional
Session:
Session-Initial:
-- 8< ----- End of Auth and Session

and that is why I am cc'ing pam maintainers for advice in case this
possibility has already been considered.

I currently prefer the NEWS.Debian way because it lets the sysadmin know better
what is done and why; a manual change can be properly commented.

Thanks for your help,

Regards,

-- 
Agustin
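
Added example, not part of the original message and not code from libpam-encfs or pam-auth-update: a small check that reads a pam-configs profile in the format quoted above together with pam_encfs.conf, and reports which unmount mechanism applies and whether a session entry has turned --idle into a no-op. The function names, the `required pam_encfs.so` Session lines in the sample, and the treatment of `#` as a comment marker are assumptions.

```python
import re

def parse_profile(text):
    """Split a pam-auth-update profile into one-line headers and module stanzas."""
    headers, stanzas, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():  # indented line: module entry of the open stanza
            if current is not None:
                stanzas[current].append(raw.split())
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            headers[key], current = value, None
        else:
            stanzas[key], current = [], key
    return headers, stanzas

def idle_minutes(conf_text):
    """Return the --idle value of an active encfs_default line, else None."""
    for line in conf_text.splitlines():
        match = re.match(r"\s*encfs_default\b[^#]*--idle=(\d+)", line)  # '#' assumed to start a comment
        if match:
            return int(match.group(1))
    return None

def unmount_policy(profile_text, conf_text):
    """Return (mechanism, warnings) for one profile plus pam_encfs.conf."""
    _, stanzas = parse_profile(profile_text)
    session = any("pam_encfs.so" in entry for name in ("Session", "Session-Initial")
                  for entry in stanzas.get(name, []))
    idle = idle_minutes(conf_text)
    warnings = []
    if session and idle is not None:
        warnings.append("session entry enabled: --idle=%d is a no-op" % idle)
    if not session and idle is None:
        warnings.append("no session entry and no --idle: nothing unmounts the volume automatically")
    return ("session" if session else "idle" if idle is not None else "none"), warnings

# Constructed samples. The Session module lines are an assumption, not taken from the thread.
AUTH = ("Name: encfs encrypted home directories\nDefault: yes\nPriority: 257\n"
        "Auth-Type: Primary\nAuth:\n\tsufficient\tpam_encfs.so\n"
        "Auth-Initial:\n\tsufficient\tpam_encfs.so\n")
AUTH_AND_SESSION = AUTH + ("Session-Type: Additional\nSession:\n\trequired\tpam_encfs.so\n"
                           "Session-Initial:\n\trequired\tpam_encfs.so\n")

if __name__ == "__main__":
    print([unmount_policy(p, "encfs_default --idle=1\n") for p in (AUTH, AUTH_AND_SESSION)])
```

A Session stanza with no module lines, as in the second variant quoted above, is reported as having no session entry.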


