Bug#444419: libpam-mount: umount fails and login count not decremented if last logout is done from 'su'

[Bastian Kleineidam]

Am Freitag, 28. September 2007 14:24:39 schrieb ingo:
 when logging in as root and then su-ing to a user account everything works
 fine. But at logout the su-command seems to have dropped root privileges,
Yep, pam_mount is not designed to work with applications that drop privileges. 
Other apps that drop them are sux, and supposedly gdm, but I haven't tried 
them out.
If you want you can file wishlist bugs to su to not drop privileges after a 
PAM session opens.

Regards,
  Bastian


signature.asc
Description: This is a digitally signed message part.

Bug#444419: Re: Bug#444419: libpam-mount: umount fails and login count not decremented if last logout is done from 'su'

[ingo]

On Sat, Sep 29, 2007 at 03:38:11PM +0200, Bastian Kleineidam wrote:
 Am Freitag, 28. September 2007 14:24:39 schrieb ingo:
  when logging in as root and then su-ing to a user account everything works
  fine. But at logout the su-command seems to have dropped root privileges,
 Yep, pam_mount is not designed to work with applications that drop 
 privileges. 
 Other apps that drop them are sux, and supposedly gdm, but I haven't tried 
 them out.
 If you want you can file wishlist bugs to su to not drop privileges after a 
 PAM session opens.

Hmm, as long as it is not a bug for a login application using pam to
drop root priviledges (but merely a wish to make pammount work with it),
shouldn't pammount be avoided for them altogether
in order to avoid the resulting possibility of wrong login counting ?

But anyway, i am not really that much interested in this, i never use those
programs you mentioned. i only noticed because you asked to try
su regarding the other bug and i thought i could as well file a bug.

Its ok with me to close this one and be done with it :)

Ah, and i suppose i never mentioned during my series of bug reports
that i very much appreciate the pam mount package and your maintanance of it.

Many thanks,

ingo








-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#444419: libpam-mount: umount fails and login count not decremented if last logout is done from 'su'

[ingo]

Package: libpam-mount
Version: 0.28-1
Severity: normal


Hi,

when logging in as root and then su-ing to a user account everything works fine.
But at logout the su-command seems to have dropped root privileges, so umount 
fails.
The login count is not decremented.


pam_mount(pam_mount.c:586) received order to close things
pam_mount(misc.c:55) Session close: (uid=1000, euid=1000, gid=1000, 
egid=1000)
pam_mount(misc.c:284) command: /usr/sbin/pmvarrun [-u] [ingo] [-o] [-1]
pam_mount(misc.c:55) set_myuidpre: (uid=1000, euid=1000, gid=1000, 
egid=1000)
pam_mount(misc.c:357) error setting uid to 0
pam_mount(pam_mount.c:424) pmvarrun says login count is 0
pam_mount(pam_mount.c:618) going to unmount
pam_mount(mount.c:413) information for mount:
pam_mount(mount.c:414) --
pam_mount(mount.c:415) (defined by globalconf)
pam_mount(mount.c:416) user:  ingo
pam_mount(mount.c:417) server:
pam_mount(mount.c:418) volume:/home/ingo:crypt.img
pam_mount(mount.c:419) mountpoint:/home/ingo/crypt
pam_mount(mount.c:420) options:   fsck,loop,nodev,nosuid,
pam_mount(mount.c:421) fs_key_cipher:
pam_mount(mount.c:422) fs_key_path:
pam_mount(mount.c:423) use_fstab: 0
pam_mount(mount.c:424) --
pam_mount(misc.c:284) command: lsof [/home/ingo/crypt]
lsof: WARNING: can't stat() ext3 file system /dev/.static/dev
  Output information may be incomplete.
pam_mount(mount.c:103) pam_mount(mount.c:135) waiting for lsof
pam_mount(misc.c:284) command: /sbin/umount.crypt [/home/ingo/crypt]
pam_mount(misc.c:55) set_myuidpre: (uid=1000, euid=1000, gid=1000, 
egid=1000)
pam_mount(misc.c:357) error setting uid to 0
pam_mount(mount.c:100) umount errors:
pam_mount(mount.c:103) You have to be root to use cryptsetup!
pam_mount(mount.c:103) umount: /home/ingo/crypt is not in the fstab 
(and you are not root)
pam_mount(mount.c:103) umount.crypt: error unmounting /home/ingo/crypt
pam_mount(mount.c:598) waiting for umount
pam_mount(pam_mount.c:621) unmount of /home/ingo:crypt.img failed
pam_mount(pam_mount.c:632) pam_mount execution complete
pam_mount(pam_mount.c:115) Clean global config (0)


The decrement of the login count does work if 'su' is not the last session
to go away (and thus no umount attempted).  I suppose this is most often the 
case.


Ah, and i noticed that when the mounting of the crypto loop device
fails (such as when root is guessing the wrong password when su-ing to
the user account) a loop device is leaked.
Anyway this setup is rather useless so i only would make another
detailed bug report if you want me to.


Regards, ingo



-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22.9-cfs-v22
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-mount depends on:
ii  libc6  2.6.1-5   GNU C Library: Shared libraries
ii  libhx101.10.1-1  A library providing queue, tree, I
ii  libpam0g   0.99.7.1-4Pluggable Authentication Modules l
ii  libssl0.9.80.9.8e-8  SSL shared libraries
ii  libxml-writer-perl 0.603-1   Perl module for writing XML docume
ii  libxml22.6.30.dfsg-2 GNOME XML library
ii  mount  2.13-7Tools for mounting and manipulatin

libpam-mount recommends no packages.

-- debconf-show failed



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]