On Thu, Apr 07, 2011 at 10:21:34AM +0300, Gill Bates wrote:
> On Wed, Apr 6, 2011 at 4:58 PM, Agustin Martin <agmar...@debian.org> wrote:
> 
> > On Tue, Apr 05, 2011 at 11:48:55PM +0300, uri wrote:
> > > Package: libpam-encfs
> > > Version: 0.1.4.4-2
> > > Severity: important
> > >
> > > For some reason encfs directory failed umount on logout.
> > > auth.log only contains next message:
> > > pam_encfs[11974]: exitcode : 1, errorstring :
> >
> > pam-encfs now implements an idle option to care about removals, and I
> > vaguely think he seems to prefer it. Does the problem still appear
> > if you put a line
> >
> > encfs_default --idle=1
> >
> > in your /etc/security/pam_encfs.conf file? That means that the encfs dir will
> > be unmounted after 1 minute of idle time.
> >
> Hello Agustin,
> 
> Thank you for the quick response.
> 
> Unfortunately, I find that an unacceptable solution, as it is still
> possible to get access to the encrypted directory under another user during the
> timeout, and prevent umount at all. As you can see, this might be a
> serious security issue.
> 
> 
> > Old option modifying /etc/pam.d/common-auth will still work, but you then
> > need to manually handle that file instead of letting pam-auth-update
> > automatically regenerate. Also, you can re-add the session stanza to
> > /etc/pam.d/common-auth, but make sure to put it outside the automatically
> > handled common block.
> >
> > During upgrade pam-auth-update should have asked you about what to do and
> > offered the possibility of manually handling it if you did manual changes.
> >
> Well, manual common-auth handling is not a problem. Could you kindly give
> some instructions to make umount possible? There is not a lot of information on
> the internet dedicated to pam_encfs. In fact, all the manuals I was able to find
> contain options I already have in my pam config.

I have just uploaded a new package with more explicit information about the
reasons for the default option and about how to override it, together with a
NEWS file. If you track unstable it will be available tomorrow. In case you 
track testing, relevant sections are

From new README.Debian:
=======================

To handle automatic umount of encfs volume on end of session, two methods
are available,

* In "/etc/security/pam_encfs.conf", pass an idle=X option to encfs
  (where X stands for minutes) to have encfs volume umounted after X
  minutes idle

* Umount immediately by adding to "/etc/pam.d/common-session" a line

  session required pam_encfs.so

  This will umount encfs immediately after session end. Since this last
  method unconditionally affects all users, makes idle a no-op for use
  under libpam-encfs and cannot be reverted by modifying files under
  "/etc", libpam-encfs does not provide a snippet for automatic
  handling of "/etc/pam.d/common-session".

  If this last was previously enabled, it may have disappeared and get
  disabled when upgrading pam and libpam-encfs to use pam-auth-update,
  if automatic mode is selected.

  If you want to keep that behavior, so encfs volume is unconditionally
  umounted immediately on session end (Remember that it sets that option
  for all users and makes idle a no-op for use under libpam-encfs) you
  need to manually edit "/etc/pam.d/common-session" and put the above
  session stanza *outside* the automatically generated block. This will
  enable this method for all password based login systems. If you want
  to enable it only for some of them, you will need to modify only
  relevant entries under /etc/pam.d.

Comments are welcome.

Thanks for your collaboration

Regards,

-- 
Agustin
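
A check for the placement the README text above describes, as an added example that is not part of the original message or of libpam-encfs: it reports whether an active pam_encfs session line sits outside the pam-auth-update block, inside it, or is missing (in which case only the idle timeout applies). The function names and the two marker-comment patterns used to find the generated block are assumptions; adjust the patterns to the comments in your own file.

```shell
#!/bin/sh
# Added example (not from the original thread or from libpam-encfs).
# Assumption: the pam-auth-update managed block starts at a comment beginning
# "# here are the per-package modules" and ends at
# "# end of pam-auth-update config".

# Usage: encfs_session_status [FILE]   (reads stdin when FILE is omitted)
# Prints: outside | inside | missing
encfs_session_status() {
    awk '
        /^# here are the per-package modules/ { managed = 1; next }
        /^# end of pam-auth-update config/    { managed = 0; next }
        /^[ \t]*#/                            { next }  # other comments, incl. commented-out stanzas
        # active session line that loads pam_encfs.so, any control flag
        $1 == "session" && $0 ~ /pam_encfs\.so/ {
            if (managed) inside = 1; else outside = 1
        }
        END {
            if (outside)     print "outside"   # survives regeneration of the block
            else if (inside) print "inside"    # will be lost when the block is regenerated
            else             print "missing"   # no umount on session end; idle timeout only
        }
    ' "$@"
}

# Constructed sample file content (not taken from a real system):
# the stanza is placed after the end-of-block marker.
sample_common_session() {
    cat <<'EOF'
# here are the per-package modules (the "Primary" block)
session [default=1]   pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required      pam_unix.so
# end of pam-auth-update config
session required      pam_encfs.so
EOF
}

# Run on the constructed sample; on a real host pass the path instead:
#   encfs_session_status /etc/pam.d/common-session
sample_common_session | encfs_session_status
```
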


