Bug#621018: libpam-encfs: encfs directory failed umount on logout

2011-05-01 Thread Steve Langasek
Hi Agustin,

On Thu, Apr 07, 2011 at 11:50:40AM +0200, Agustin Martin wrote:
> I am cc'ing you for your POV about the possibility of a package shipping
> alternative entries for /usr/share/pam-configs, see below. That is not my
> currently preferred option, but would like to know your opinion first.
>
> Previous info,
>
> libpam-encfs needed /etc/pam.d/common-auth modification. This
> is already managed automatically by means of pam-auth-update.
>
> There is also common-session. There are two ways of unmounting encrypted
> volume, using idle option so it is unmounted after Xmin idle or adding a
> session line. The second disables the first. So, session line may or may
> not be added to common-session. If wanting to do this automatically two
> alternative snippets may be used, and I would like to know if something like
> this has been considered and your opinion about that possibility.

I see that you've already closed this bug with a documentation update only,
but for the record: yes, you can ship multiple optional configs for the same
module.  If you do this, at most one of the configs should be marked
'Default: yes', and each of the configs should declare that it 'Conflicts'
with the others.  See https://wiki.ubuntu.com/PAMConfigFrameworkSpec for
full details (sorry, haven't incorporated this documentation into the pam
package yet).

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
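The two rules from the reply above (at most one 'Default: yes', and each profile declaring 'Conflicts' with the others), as a small lint over pam-configs profiles. This is an added example, not code from the pam or libpam-encfs packages; the profile names `encfs-auth` and `encfs-session` are hypothetical, the sample texts are constructed, and Conflicts is assumed to hold a comma-separated list of the other profiles' file names.

```python
import re

def parse_profile(text):
    """Return {field: value}; indented lines continue the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and key:
            fields[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields

def lint(profiles):
    """profiles maps profile name -> file text; returns a list of problems."""
    parsed = {name: parse_profile(text) for name, text in profiles.items()}
    by_module = {}
    for name, fields in parsed.items():
        for mod in set(re.findall(r"\bpam_\w+\.so\b", "\n".join(fields.values()))):
            by_module.setdefault(mod, []).append(name)
    problems = []
    for mod, names in sorted(by_module.items()):
        defaults = sorted(n for n in names if parsed[n].get("Default", "").lower() == "yes")
        if len(defaults) > 1:
            problems.append(f"{mod}: more than one 'Default: yes' ({', '.join(defaults)})")
        for name in sorted(names):
            declared = {c.strip() for c in parsed[name].get("Conflicts", "").split(",")}
            for other in sorted(set(names) - {name} - declared):
                problems.append(f"{name}: no Conflicts with {other}")
    return problems

def sample(default, conflicts="", session=False):
    """Constructed profile text modelled on the two variants in the thread."""
    text = f"Name: encfs encrypted home directories\nDefault: {default}\nPriority: 257\n"
    if conflicts:
        text += f"Conflicts: {conflicts}\n"
    text += "Auth-Type: Primary\nAuth:\n\tsufficient\tpam_encfs.so\n"
    if session:
        text += "Session-Type: Additional\nSession:\n\trequired\tpam_encfs.so\n"
    return text

# Profile names (hypothetical) stand for file names under /usr/share/pam-configs.
BOTH_DEFAULT = {"encfs-auth": sample("yes"), "encfs-session": sample("yes", session=True)}
FIXED = {"encfs-auth": sample("yes", "encfs-session"),
         "encfs-session": sample("no", "encfs-auth", session=True)}

if __name__ == "__main__":
    print(lint(BOTH_DEFAULT))
    print(lint(FIXED))
```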



Bug#621018: libpam-encfs: encfs directory failed umount on logout

2011-04-12 Thread Agustin Martin
On Thu, Apr 07, 2011 at 10:21:34AM +0300, Gill Bates wrote:
> On Wed, Apr 6, 2011 at 4:58 PM, Agustin Martin agmar...@debian.org wrote:
>
> > On Tue, Apr 05, 2011 at 11:48:55PM +0300, uri wrote:
> > > Package: libpam-encfs
> > > Version: 0.1.4.4-2
> > > Severity: important
> > >
> > > For some reason encfs directory failed umount on logout.
> > > auth.log only contains next message:
> > > pam_encfs[11974]: exitcode : 1, errorstring :
> >
> > pam-encfs now implements an idle option to care about removals, and I
> > vaguely think he seems to prefer it. Does the problem still appear
> > if you put a line
> >
> > encfs_default --idle=1
> >
> > in your /etc/security/pam_encfs.conf file? That means that encfs dir will
> > be unmounted after 1 minute idle time.
>
> Hello Augustin,
>
> Thank you for quick response.
>
> Unfortunately, I find that as unacceptable solution, as it is still
> possible to get access to encrypted directory under another user during the
> timeout, and prevent umount at all. As you can see this might be a
> serious security issue.
>
> > Old option modifying /etc/pam.d/common-auth will still work, but you then
> > need to manually handle that file instead of letting pam-auth-update
> > automatically regenerate. Also, you can re-add the session stanza to
> > /etc/pam.d/common-auth, but make sure to put it outside the automatically
> > handled common block.
> >
> > During upgrade pam-auth-update should have asked you about what to do and
> > offered the possibility of manually handling it if you did manual changes.
>
> Well, manual common-auth handling is not a problem. Could you kindly give
> some instructions to make umount possible. There is not a lot of information
> in the internet dedicated to pam_encfs. In fact, all manuals I was able to
> find, contain options I already have in my pam config.

I have just uploaded a new package with more explicit information about the
reasons for the default option and about how to override it, together with a
NEWS file. If you track unstable it will be available tomorrow. In case you 
track testing, relevant sections are

From new README.Debian:
===

To handle automatic umount of encfs volume on end of session, two methods
are available,

* In /etc/security/pam_encfs.conf, pass an idle=X option to encfs
  (where X stands for minutes) to have encfs volume umounted after X
  minutes idle

* Umount immediately by adding to /etc/pam.d/common-session a line

  session required pam_encfs.so

  This will umount encfs immediately after session end. Since this last
  method unconditionally affects all users, makes idle a no-op for use
  under libpam-encfs and cannot be reverted by modifying files under
  /etc, libpam-encfs does not provide a snippet for automatic
  handling of /etc/pam.d/common-session.

  If this last was previously enabled, it may have disappeared and get
  disabled when upgrading pam and libpam-encfs to use pam-auth-update,
  if automatic mode is selected.

  If you want to keep that behavior, so encfs volume is unconditionally
  umounted immediately on session end (Remember that it sets that option
  for all users and makes idle a no-op for use under libpam-encfs) you
  need to manually edit /etc/pam.d/common-session and put above
  session stanza *outside* the automatically generated block. This will
  enable this method for all password based login systems. If you want
  to enable it only for some of them, you will need to modify only
  relevant entries under /etc/pam.d.

Comments are welcome.

Thanks for your collaboration

Regards,

-- 
Agustin
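A check for the state the README text above describes: whether the pam_encfs session line is present, whether it sits outside the block pam-auth-update regenerates, and whether an idle option is set that the session line turns into a no-op. This is an added example, not part of libpam-encfs; the sample file contents are constructed, and the block is assumed to be delimited by the marker comments pam-auth-update writes into the common-* files.

```python
import re

# Comment markers pam-auth-update writes around the block it regenerates.
BEGIN = '# here are the per-package modules (the "Primary" block)'
END = "# end of pam-auth-update config"

def session_lines(common_session, module="pam_encfs.so"):
    """Return [(lineno, inside_managed_block)] for session lines loading module."""
    hits, inside = [], False
    for no, raw in enumerate(common_session.splitlines(), 1):
        line = raw.strip()
        if line.startswith(BEGIN):
            inside = True
        elif line.startswith(END):
            inside = False
        elif not line.startswith("#"):
            tokens = line.split()
            if tokens[:1] == ["session"] and any(
                    t.rsplit("/", 1)[-1] == module for t in tokens[1:]):
                hits.append((no, inside))
    return hits

def idle_minutes(pam_encfs_conf):
    """Return the --idle value on the encfs_default line, or None."""
    m = re.search(r"^\s*encfs_default\b.*--idle=(\d+)", pam_encfs_conf, re.M)
    return int(m.group(1)) if m else None

def audit(common_session, pam_encfs_conf):
    """Return findings for /etc/pam.d/common-session and /etc/security/pam_encfs.conf."""
    hits, idle = session_lines(common_session), idle_minutes(pam_encfs_conf)
    findings = [f"line {no}: pam_encfs.so session line is inside the pam-auth-update block"
                for no, inside in hits if inside]
    if hits and idle is not None:
        findings.append(f"idle={idle} is a no-op: the session line unmounts at session end")
    if not hits and idle is None:
        findings.append("no session line and no idle option: nothing unmounts automatically")
    return findings

# Constructed sample inputs (not taken from a real system).
MANAGED = "\n".join([BEGIN, "session [default=1] pam_permit.so",
                     "session requisite pam_deny.so", "session required pam_permit.so",
                     "session required pam_unix.so", END, ""])
LOCAL_EDIT = MANAGED + "session required pam_encfs.so\n"
INSIDE = MANAGED.replace("pam_unix.so", "pam_unix.so\nsession required pam_encfs.so")
CONF_NO_IDLE = "drop_permissions\nfuse_default nonempty\nuri /home/uri/.enc /home/uri/.data -v -\n"
CONF_IDLE = "encfs_default --idle=1\n" + CONF_NO_IDLE

if __name__ == "__main__":
    for cs, conf in [(MANAGED, CONF_NO_IDLE), (LOCAL_EDIT, CONF_IDLE), (INSIDE, CONF_NO_IDLE)]:
        print(audit(cs, conf))
```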






Bug#621018: libpam-encfs: encfs directory failed umount on logout

2011-04-07 Thread Agustin Martin
On Thu, Apr 07, 2011 at 10:21:34AM +0300, Gill Bates wrote:
> On Wed, Apr 6, 2011 at 4:58 PM, Agustin Martin agmar...@debian.org wrote:
>
> > On Tue, Apr 05, 2011 at 11:48:55PM +0300, uri wrote:
> > > Package: libpam-encfs
> > > Version: 0.1.4.4-2
> > > Severity: important

Thanks for the reply,

Please, keep always 621...@bugs.debian.org in the reply list, so discussion 
gets stored. Actual reply goes below.

Hi, pam maintainers,

I am cc'ing you for your POV about the possibility of a package shipping
alternative entries for /usr/share/pam-configs, see below. That is not my
currently preferred option, but would like to know your opinion first. 

Previous info,

libpam-encfs needed /etc/pam.d/common-auth modification. This
is already managed automatically by means of pam-auth-update. 

There is also common-session. There are two ways of unmounting encrypted 
volume, using idle option so it is unmounted after Xmin idle or adding a 
session line. The second disables the first. So, session line may or may 
not be added to common-session. If wanting to do this automatically two
alternative snippets may be used, and I would like to know if something like
this has been considered and your opinion about that possibility.

Thanks in advance for your comments.

> > > For some reason encfs directory failed umount on logout.
> > > auth.log only contains next message:
> > > pam_encfs[11974]: exitcode : 1, errorstring :
> >
> > pam-encfs now implements an idle option to care about removals, and I
> > vaguely think he seems to prefer it. Does the problem still appear
> > if you put a line
> >
> > encfs_default --idle=1
> >
> > in your /etc/security/pam_encfs.conf file? That means that encfs dir will
> > be unmounted after 1 minute idle time.
>
> Hello Augustin,
>
> Thank you for quick response.
>
> Unfortunately, I find that as unacceptable solution, as it is still
> possible to get access to encrypted directory under another user during the
> timeout, and prevent umount at all. As you can see this might be a
> serious security issue.

That will also happen when mounted if you give access to other users to the 
encrypted directory (e.g., use fuse allow_other option) or to root (fuse 
allow_root option). If none of those options are specified neither other 
users nor root can access the encrypted directory at any time. That is 
previous to the normal directory permissions.

I however agree that session behavior should also be a clearly documented
option.

> > Old option modifying /etc/pam.d/common-auth will still work, but you then
> > need to manually handle that file instead of letting pam-auth-update
> > automatically regenerate. Also, you can re-add the session stanza to
> > /etc/pam.d/common-auth, but make sure to put it outside the automatically
> > handled common block.
> >
> > During upgrade pam-auth-update should have asked you about what to do and
> > offered the possibility of manually handling it if you did manual changes.
>
> Well, manual common-auth handling is not a problem. Could you kindly give
> some instructions to make umount possible. There is not a lot of information
> in the internet dedicated to pam_encfs. In fact, all manuals I was able to
> find, contain options I already have in my pam config.

Most of them are for ancient versions and AFAIK none contains anything about
pam-auth-update integration.

I think I should have added a NEWS.Debian explaining the change and how to
enable old behavior if desired. Auto file was based on suggestion in 

 https://bugs.launchpad.net/ubuntu/+source/libpam-encfs/+bug/287904

but with password (causes some problems) and session (unconditionally
disabled idle option) removed.

I think for this package the above should be enough, together with better
documenting this in README.Debian, so this bug can be closed with that.

Other solutions will need to have alternative entries for
/usr/share/pam-configs, handled by symlinks driven by either
update-alternatives or by a debconf question and document very well that
enabling session part will make in practice idle option a no-op.

I am speaking about two variants, with and without session entries enabled,

-- 8< -- Only auth
Name: encfs encrypted home directories
Default: yes
Priority: 257
Auth-Type: Primary
Auth:
	sufficient  pam_encfs.so
Auth-Initial:
	sufficient  pam_encfs.so
-- 8< -- End only auth

-- 8< -- Auth and Session
Name: encfs encrypted home directories
Default: yes
Priority: 257
Auth-Type: Primary
Auth:
	sufficient  pam_encfs.so
Auth-Initial:
	sufficient  pam_encfs.so
Session-Type: Additional
Session:
Session-Initial:
-- 8< -- End of Auth and Session

and that is why I am cc'ing pam maintainers for advice in case this
possibility has already been considered.

I currently prefer the NEWS.Debian way because it lets the sysadmin know better
what is done and why, and a manual change can be properly commented.

Thanks for your help,

Regards,

-- 
Agustin




Bug#621018: libpam-encfs: encfs directory failed umount on logout

2011-04-06 Thread Agustin Martin
On Tue, Apr 05, 2011 at 11:48:55PM +0300, uri wrote:
> Package: libpam-encfs
> Version: 0.1.4.4-2
> Severity: important
>
> For some reason encfs directory failed umount on logout.
> auth.log only contains next message:
> pam_encfs[11974]: exitcode : 1, errorstring :

pam-encfs now implements an idle option to care about removals, and I
vaguely think he seems to prefer it. Does the problem still appear
if you put a line

encfs_default --idle=1

in your /etc/security/pam_encfs.conf file? That means that encfs dir will be
unmounted after 1 minute idle time.

Old option modifying /etc/pam.d/common-auth will still work, but you then
need to manually handle that file instead of letting pam-auth-update
automatically regenerate. Also, you can re-add the session stanza to 
/etc/pam.d/common-auth, but make sure to put it outside the automatically 
handled common block.

During upgrade pam-auth-update should have asked you about what to do and
offered the possibility of manually handling it if you did manual changes.

I do not see an automatic way of honouring previous session changes, but
suggestions are welcome.

> -- Configuration Files:
> /etc/security/pam_encfs.conf changed:
> drop_permissions
> fuse_default nonempty
> uri   /home/uri/.enc  /home/uri/.data -v  -

Looking at your /etc/security/pam_encfs.conf I guess this is your problem,
please let me know about this.

Cheers,

-- 
Agustin






Bug#621018: libpam-encfs: encfs directory failed umount on logout

2011-04-05 Thread uri
Package: libpam-encfs
Version: 0.1.4.4-2
Severity: important

For some reason encfs directory failed umount on logout.
auth.log only contains next message:
pam_encfs[11974]: exitcode : 1, errorstring :



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-encfs depends on:
ii  encfs           1.7.4-2.1  encrypted virtual filesystem
ii  libc6           2.11.2-11  Embedded GNU C Library: Shared lib
ii  libpam-runtime  1.1.2-2    Runtime support for the PAM librar
ii  libpam0g        1.1.2-2    Pluggable Authentication Modules l

libpam-encfs recommends no packages.

libpam-encfs suggests no packages.

-- Configuration Files:
/etc/security/pam_encfs.conf changed:
drop_permissions
fuse_default nonempty
uri /home/uri/.enc  /home/uri/.data -v  -


-- no debconf information


