Bug#799752: pmt_already_mounted() broken when server="nfs"

2018-04-02 Thread Trent W. Buck
2.16-4 fixes the problem, thanks.

Trent W. Buck wrote:
> Jochen Sprickerhof wrote:
> > a long time ago you opened a bug in the Debian package libpam-mount. Recently
> > I took over maintenance of this package and added a patch to address this. You
> > can find the new version in Debian experimental, would be great if you could
> > try it and report back if it fixes your problem.
> 
> I'm still relying on libpam_mount to mount /home/X via NFSv3, so this is still
> important to me.
> I'm currently on Debian 9 Stretch, but I'll try to find time to test this.
> 
> If you don't hear from me by 2018-04-16, ping me again, because I'll have been
> distracted ;-)

I just tried to reproduce this problem.

It turns out that nowadays, NFS hides the issue by silently NOPping repeated 
mounts:

root@zodiac:~# 'mount' '-onfsvers=3,intr,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/staff/s123' '/home/staff/s123'
root@zodiac:~# 'mount' '-onfsvers=3,intr,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/staff/s123' '/home/staff/s123'
root@zodiac:~# 'mount' '-onfsvers=3,intr,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/staff/s123' '/home/staff/s123'
root@zodiac:~# echo $?
0

root@zodiac:~# grep nfs:/home /proc/mounts
nfs:/home/staff/s123 /home/staff/s123 nfs rw,nosuid,nodev,noexec,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.0.0.1,mountvers=3,mountport=32767,mountproto=udp,local_lock=none,addr=10.0.0.1 0 0

However I *could* reproduce the bug in libpam-mount 2.16-2:

root@zodiac:~# su -s /bin/sh -c 'df -h -t nfs' s123
(pam_mount.c:568): pam_mount 2.16: entering session stage
(mount.c:267): Mount info: globalconf, user=s123  fstab=0 ssh=0
(mount.c:664): Password will be sent to helper as-is.
command: 'mount' '-onfsvers=3,intr,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/staff/s123' '/home/staff/s123'
…

And I *could not* reproduce the bug in libpam-mount 2.16-4:

root@bentham-wing-e4:~# su -s /bin/sh -c 'df -h -t nfs' p123
(pam_mount.c:568): pam_mount 2.16: entering session stage
(mount.c:262): Mount info: globalconf, user=p123  fstab=0 ssh=0
(mount.c:623): /home/prisoners/p123 already seems to be mounted at /home/prisoners/p123, skipping
command: 'pmvarrun' '-u' 'p123' '-o' '1'
(pmvarrun.c:258): parsed count value 1
(pam_mount.c:441): pmvarrun says login count is 2
(pam_mount.c:660): done opening session (ret=0)
Filesystem                Size  Used Avail Use% Mounted on
nfs:/srv/share            4.9G  357M  4.3G   8% /srv/share
nfs:/home/prisoners/p123  488M   56M  397M  13% /home/prisoners/p123
(pam_mount.c:706): received order to close things
command: 'pmvarrun' '-u' 'p123' '-o' '-1'
(pmvarrun.c:258): parsed count value 2
(pam_mount.c:441): pmvarrun says login count is 1
(pam_mount.c:735): p123 seems to have other remaining open sessions
(pam_mount.c:743): pam_mount execution complete
(pam_mount.c:116): Clean global config (0)
root@bentham-wing-e4:~#



Bug#799752: pmt_already_mounted() broken when server="nfs"

2018-04-02 Thread Trent W. Buck
Jochen Sprickerhof wrote:
> a long time ago you opened a bug in the Debian package libpam-mount. Recently
> I took over maintenance of this package and added a patch to address this. You
> can find the new version in Debian experimental, would be great if you could
> try it and report back if it fixes your problem.

I'm still relying on libpam_mount to mount /home/X via NFSv3, so this is still 
important to me.
I'm currently on Debian 9 Stretch, but I'll try to find time to test this.

If you don't hear from me by 2018-04-16, ping me again, because I'll have been 
distracted ;-)



Bug#799752: pmt_already_mounted() broken when server="nfs"

2018-04-02 Thread Jochen Sprickerhof

Hi,

a long time ago you opened a bug in the Debian package libpam-mount. Recently
I took over maintenance of this package and added a patch to address this. You
can find the new version in Debian experimental, would be great if you could
try it and report back if it fixes your problem.
If no one reports an error in it, I will upload the package to unstable and
close this in a month.

Cheers Jochen

Bug#799752: pmt_already_mounted() broken when server="nfs"

2015-09-22 Thread Trent W. Buck
Package: libpam-mount
Version: 2.14-1.1
Severity: minor

1. libpam_mount considers something "already mounted" if it can find a
   mount in libmount's iterator where both the source (device) and
   target (mountpoint) match.

   This is the code responsible:
 libpam-mount/src/mount.c:149:pmt_already_mounted()
 libpam-mount/src/mount.c:125:pmt_utabent_matches()


THE PROBLEM
===========

2. If pam_mount.conf.xml has

 

   then "already mounted?" fails because it compares nfs:/home/prisoners/p to
   /home/prisoners/p.  I think.

 command: 'mount' '-onfsvers=3,intr,bg,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/prisoners/p' '/home/prisoners/p'
 (mount.c:72): Messages from underlying mount program:
 (mount.c:76): mount.nfs: access denied by server while mounting (null)

   The odd error from mount.nfs is because nfs:/home is root_squash and user
   nobody can't read it:

 # mkdir x y
 # mount -tnfs nfs:/home x
 # mount -tnfs nfs:/home x
 mount.nfs: /root/x is busy or already mounted
 # mount -tnfs nfs:/home/prisoners/p y
 # mount -tnfs nfs:/home/prisoners/p y
 mount.nfs: access denied by server while mounting (null)
 # ls -ld x y
 drwxr-x--x  8 root root 1024 Nov 12  2014 x
 drwx------ 13 p    p    4096 Sep 22 12:35 y
 # ls -ld x/prisoners
 drwxr-x--x 24 root root 1024 Sep 21 17:09 x/prisoners


WORKAROUNDS DON'T WORK
======================

3. If pam_mount.conf.xml has

 

   then mounting fails because the nfs:~ is not expanded.

 command: 'mount' '-onfsvers=3,intr,bg,nodev,noexec,nosuid' '-tnfs' 'nfs:~' '/home/prisoners/p'
 (mount.c:72): Messages from underlying mount program:
 (mount.c:76): mount.nfs: access denied by server while mounting nfs:~

4. If pam_mount.conf.xml has

 

   then mounting & detection both work:

 (mount.c:628): nfs:/home/prisoners/p already seems to be mounted at /home/prisoners/p, skipping

   ...but now I have to list every user's login individually, which is not
   feasible.

5. If pam_mount.conf.xml has

 

   the source is the wrong path for staff users.

   Constructing $HOME from $USER also fails for setups like
 ~ajking2 ==> /home/students/a/j/ajking2/
   which used to be common in large universities.

   I could probably get away with this, but it feels awful:

 
 


IMPACT
======

This is not an immediate problem for me,
because the duplicate mount fails & the login succeeds.

But!  If the *first* mount fails (e.g. when NFS is down),
the user gets a working login with $HOME on the local root filesystem.

If I fix that by making PAM abort when the mount fails,
the problem in pmt_utabent_matches() will break the user's second
concurrent login (e.g. GUI desktop + ssh).


I'm too dumb to see exactly how to patch this,
but I hope it's a one-line change. :-)



POSTSCRIPT
==========

I pulled out pmt_already_mounted() into the following stand-alone script,
to confirm that libmount could see the mountpoint:

bash4$ cat mount-test.c
/* #!/usr/bin/tcc -run -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -lmount */

/* bash4$ pkg-config --cflags --libs mount */
/* -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -lmount */

#include <stdio.h>
#include <libmount.h>

/* Print the source and target of every mount entry libmount can see. */
int main(void)
{
  struct libmnt_context *ctx;
  struct libmnt_table *table;
  struct libmnt_iter *iter = NULL;
  struct libmnt_fs *fs;
  const char *source, *target;

  ctx = mnt_new_context();
  if (ctx == NULL)
    return -1;
  /* libmount keeps ownership of the table; it is not freed here. */
  if (mnt_context_get_mtab(ctx, &table) != 0)
    goto out;
  iter = mnt_new_iter(MNT_ITER_BACKWARD);
  if (iter == NULL)
    goto out;

  /* Walk the table from the most recent mount to the oldest. */
  while (mnt_table_next_fs(table, iter, &fs) == 0)
    {
      source = mnt_fs_get_source(fs);
      target = mnt_fs_get_target(fs);
      printf("source<%s> target<%s>\n",
             source ?: "NULL",
             target ?: "NULL");
    }
 out:
  mnt_free_iter(iter);
  mnt_free_context(ctx);
  return 0;
}

bash4$ cc mount-test.c $(pkg-config --cflags --libs mount)

bash4$ cat a.out | ssh x 'cat >a.out && chmod +x a.out && ./a.out'
Warning: Permanently added 'het' (ECDSA) to the list of known hosts.
source target
source target
source target
source target
source target
source target
source target
source target
source target
source target
source target
source target
source target
source target
source target
source target
source target
source target
source<10.128.0.1:/srv/netboot/images> target
source target
source target
source target

The full pam_mount.conf.xml I used for these tests was:




  
  
1000-2
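
The check described in item 1 of the report (an entry counts as "already mounted" only when both source and target match) and the fail-open case from the IMPACT section, as an added example that is not libpam-mount's code and not part of the original report. It parses a constructed /proc/mounts-style string instead of calling libmount; the function names are hypothetical, and paths are assumed to contain no spaces.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/mounts format; not captured from a real host. */
static const char SAMPLE_MOUNTS[] =
  "/dev/sda1 / ext4 rw,relatime 0 0\n"
  "tmpfs /home/prisoners/p tmpfs rw 0 0\n"
  "nfs:/home/prisoners/p /home/prisoners/p nfs rw,nosuid,nodev,noexec,vers=3 0 0\n";

/* Copy source, target and fstype of one well-formed line; 1 on success. */
static int parse_line(const char *l, char src[256], char tgt[256], char typ[64])
{
  return sscanf(l, "%255s %255s %63s", src, tgt, typ) == 3;
}

static const char *next_line(const char *l)
{
  const char *nl = strchr(l, '\n');
  return nl ? nl + 1 : NULL;
}

/* 1 if some entry has exactly this source AND this target, else 0. */
int already_mounted(const char *mounts, const char *source, const char *target)
{
  char src[256], tgt[256], typ[64];
  for (const char *l = mounts; l && *l; l = next_line(l))
    if (parse_line(l, src, tgt, typ) &&
        strcmp(src, source) == 0 && strcmp(tgt, target) == 0)
      return 1;
  return 0;
}

/* 1 if the entry mounted last on `target` (the visible one) has type `fstype`.
   0 also covers "nothing mounted there": a plain directory on the parent fs. */
int top_mount_is(const char *mounts, const char *target, const char *fstype)
{
  char src[256], tgt[256], typ[64];
  int shown = 0;
  for (const char *l = mounts; l && *l; l = next_line(l))
    if (parse_line(l, src, tgt, typ) && strcmp(tgt, target) == 0)
      shown = strcmp(typ, fstype) == 0;  /* later entries shadow earlier ones */
  return shown;
}

int main(void)
{
  const char *h = "/home/prisoners/p";
  printf("%d %d\n", already_mounted(SAMPLE_MOUNTS, "nfs:/home/prisoners/p", h),
         top_mount_is(SAMPLE_MOUNTS, h, "nfs"));
  return 0;
}
```

Passing the bare path as the source, the mismatch suspected in item 2, makes already_mounted() return 0 for the same table, and top_mount_is() returning 0 is the condition under which a login would land on a home directory that is not the NFS export.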