Re: Encrypted home and pam_mount

2024-03-05 Thread Max Nikulin

On 05/03/2024 03:37, Andrey Dogadkin wrote:
> On Sun, 2024-03-03 at 21:27 +0700, Max Nikulin wrote:
> > https://github.com/systemd/systemd/issues/8598#issuecomment-376845082
> > "systemd-user doesn't properly close its PAM session"
>
> I saw that issue and it didn't strike me as related to my case,
> pam_mount works fine as long as I allow it to shoot everything down.


It may be tricky to properly finish all user processes before closing 
the PAM session. Examples of what may go wrong:

- pam-sd (systemd) dropped privileges and is unable to perform umount
- user@.service has not finished yet, so some processes from the systemd 
user service have files open
- The process that should close the PAM session is killed by systemd when 
user@.service is stopped. Should not happen with default systemd-logind 
settings in Debian.



> The thing is, even if I set absurdly big wait delay in pam_mount's
> logout statement, I can still observe pulseaudio and dbus-daemon
> running throughout the whole delay period. Systemd makes no attempt to
> stop them before or while pam_mount is running, that's why it seems
> like an ordering problem rather than just things being late.


I think systemd-logind should initiate termination of the systemd user 
session when UserStopDelaySec has elapsed after all processes that belong 
to the current PAM session are finished. It may include the process that is 
waiting before locking (closing) the encrypted device. Sounds like a 
kind of deadlock.


If pam_mount allows it, I would try to not unmount the device in 
pam_close and instead ask user@.service to do it.





Re: Encrypted home and pam_mount

2024-03-04 Thread Andrey Dogadkin
On Sun, 2024-03-03 at 21:27 +0700, Max Nikulin wrote:
> On 03/03/2024 02:46, Andrey Dogadkin wrote:
> > Automounting works fine, but I'm having trouble with auto-unmounting
> > when I log out. The partition stays mounted and I can see "target is
> > busy" errors from umount in the journal.
> 
> It is an issue with ecryptfs and fscrypt as well.
> 
> https://github.com/systemd/systemd/issues/8598#issuecomment-376845082
> "systemd-user doesn't properly close its PAM session"

I saw that issue and it didn't strike me as related to my case,
pam_mount works fine as long as I allow it to shoot everything down.

> systemd-logind default settings have UserStopDelaySec=10 so some 
> processes are still running after the session is finished.

Setting UserStopDelaySec to 0 gave me the same results.

The thing is, even if I set absurdly big wait delay in pam_mount's
logout statement, I can still observe pulseaudio and dbus-daemon
running throughout the whole delay period. Systemd makes no attempt to
stop them before or while pam_mount is running, that's why it seems
like an ordering problem rather than just things being late.

> Depending on desktop environment or window manager you may try
> 
>   systemctl --user start exit.target
> 
> during logout if the user has no other sessions (SSH, VT, etc.)

I guess I'll stick with  for now. If I have to force things
into behaving properly, might as well let pam_mount do it for me :)
Thank you for your reply

> I have not tried systemd-homed
> https://systemd.io/HOME_DIRECTORY/
> 
> 



Re: Encrypted home and pam_mount

2024-03-03 Thread Max Nikulin

On 03/03/2024 02:46, Andrey Dogadkin wrote:
> Automounting works fine, but I'm having trouble with auto-unmounting
> when I log out. The partition stays mounted and I can see "target is
> busy" errors from umount in the journal.


It is an issue with ecryptfs and fscrypt as well.

https://github.com/systemd/systemd/issues/8598#issuecomment-376845082
"systemd-user doesn't properly close its PAM session"

systemd-logind default settings have UserStopDelaySec=10 so some 
processes are still running after the session is finished.


Depending on desktop environment or window manager you may try

 systemctl --user start exit.target

during logout if the user has no other sessions (SSH, VT, etc.)

I have not tried systemd-homed
https://systemd.io/HOME_DIRECTORY/




Encrypted home and pam_mount

2024-03-02 Thread Andrey Dogadkin
Hello,

I'm trying to set up a LUKS-encrypted user's home partition which would
be automounted when the user logs in.

I've installed libpam-mount and added the following line into
/etc/security/pam_mount.conf.xml:



Automounting works fine, but I'm having trouble with auto-unmounting
when I log out. The partition stays mounted and I can see "target is
busy" errors from umount in the journal.

If I edit logout entry inside pam_mount.conf.xml to look like this: 



I can see during the first 10sec period that my home dir is held by
pulseaudio and dbus-daemon. Then pam_mount terminates them successfully
with SIGTERM, waits another 10sec period, tries to kill whatever might
remain and successfully unmounts the directory. Interestingly,
pam_mount won't wait after sending the last signal, so having kill is
important for term to work well, otherwise there will still be a race.

So it seems to me that the pam_mount processing happens a bit early
during logout, before the system gets an opportunity to shut down some
of the user processes. Is there anything I can change in my
configuration to let everything stop gracefully leaving the  as a last resort option for pam_mount?
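
To see which processes keep the home directory busy during the logout delay, as observed in the original post, the following added example (not part of the thread) walks /proc and reports every process whose cwd, root, exe or an open file descriptor points below a mount point. The function name `holders`, its optional second argument and the path in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list processes that keep a mount point busy.
#
# holders MOUNTPOINT [PROCROOT]
#   Prints "PID COMM" once for each process holding something under
#   MOUNTPOINT. PROCROOT defaults to /proc; it is a parameter only so the
#   function can be exercised against a constructed directory tree.
#
# Checked per process: cwd, root, exe and every entry in fd/.
# Memory-mapped files (the maps file) are not inspected here.
# Run as root to see other users' processes, for example:
#   holders /home/alice        # hypothetical mount point
holders() {
    mnt=${1%/}                 # drop one trailing slash
    proc=${2:-/proc}
    for dir in "$proc"/[0-9]*; do
        [ -d "$dir" ] || continue
        for link in "$dir/cwd" "$dir/root" "$dir/exe" "$dir"/fd/*; do
            # Unreadable or missing links (other users, exited PIDs) are skipped.
            target=$(readlink "$link" 2>/dev/null) || continue
            case $target in
                "$mnt"|"$mnt"/*)
                    comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
                    printf '%s %s\n' "${dir##*/}" "$comm"
                    break ;;   # one line per process is enough
            esac
        done
    done
}
```

Calling it in a loop while the logout delay is running shows whether the list shrinks before pam_mount starts sending signals.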