Bug#799752: pmt_already_mounted() broken when server="nfs"
2.16-4 fixes the problem, thanks.

Trent W. Buck wrote:
> Jochen Sprickerhof wrote:
> > a long time ago you opened a bug in the Debian package libpam-mount. Recently
> > I took over maintenance of this package and added a patch to address this. You
> > can find the new version in Debian experimental, would be great if you could
> > try it and report back if it fixes your problem.
>
> I'm still relying on libpam_mount to mount /home/X via NFSv3, so this is
> still important to me.
> I'm currently on Debian 9 Stretch, but I'll try to find time to test this.
>
> If you don't hear from me by 2018-04-16, ping me again, because I'll have
> been distracted ;-)

I just tried to reproduce this problem.
It turns out that nowadays, NFS hides the issue by silently NOPping repeated mounts:

    root@zodiac:~# 'mount' '-onfsvers=3,intr,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/staff/s123' '/home/staff/s123'
    root@zodiac:~# 'mount' '-onfsvers=3,intr,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/staff/s123' '/home/staff/s123'
    root@zodiac:~# 'mount' '-onfsvers=3,intr,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/staff/s123' '/home/staff/s123'
    root@zodiac:~# echo $?
    0
    root@zodiac:~# grep nfs:/home /proc/mounts
    nfs:/home/staff/s123 /home/staff/s123 nfs rw,nosuid,nodev,noexec,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.0.0.1,mountvers=3,mountport=32767,mountproto=udp,local_lock=none,addr=10.0.0.1 0 0

However I *could* reproduce the bug in libpam-mount 2.16-2:

    root@zodiac:~# su -s /bin/sh -c 'df -h -t nfs' s123
    (pam_mount.c:568): pam_mount 2.16: entering session stage
    (mount.c:267): Mount info: globalconf, user=s123 fstab=0 ssh=0
    (mount.c:664): Password will be sent to helper as-is.
    command: 'mount' '-onfsvers=3,intr,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/staff/s123' '/home/staff/s123'
    …

And I *could not* reproduce the bug in libpam-mount 2.16-4:

    root@bentham-wing-e4:~# su -s /bin/sh -c 'df -h -t nfs' p123
    (pam_mount.c:568): pam_mount 2.16: entering session stage
    (mount.c:262): Mount info: globalconf, user=p123 fstab=0 ssh=0
    (mount.c:623): /home/prisoners/p123 already seems to be mounted at /home/prisoners/p123, skipping
    command: 'pmvarrun' '-u' 'p123' '-o' '1'
    (pmvarrun.c:258): parsed count value 1
    (pam_mount.c:441): pmvarrun says login count is 2
    (pam_mount.c:660): done opening session (ret=0)
    Filesystem                Size  Used Avail Use% Mounted on
    nfs:/srv/share            4.9G  357M  4.3G   8% /srv/share
    nfs:/home/prisoners/p123  488M   56M  397M  13% /home/prisoners/p123
    (pam_mount.c:706): received order to close things
    command: 'pmvarrun' '-u' 'p123' '-o' '-1'
    (pmvarrun.c:258): parsed count value 2
    (pam_mount.c:441): pmvarrun says login count is 1
    (pam_mount.c:735): p123 seems to have other remaining open sessions
    (pam_mount.c:743): pam_mount execution complete
    (pam_mount.c:116): Clean global config (0)
    root@bentham-wing-e4:~#

Bug#799752: pmt_already_mounted() broken when server="nfs"
Jochen Sprickerhof wrote:
> a long time ago you opened a bug in the Debian package libpam-mount. Recently
> I took over maintenance of this package and added a patch to address this. You
> can find the new version in Debian experimental, would be great if you could
> try it and report back if it fixes your problem.

I'm still relying on libpam_mount to mount /home/X via NFSv3, so this is
still important to me.
I'm currently on Debian 9 Stretch, but I'll try to find time to test this.

If you don't hear from me by 2018-04-16, ping me again, because I'll have
been distracted ;-)

Bug#799752: pmt_already_mounted() broken when server="nfs"
Hi, a long time ago you opened a bug in the Debian package libpam-mount. Recently I took over maintenance of this package and added a patch to address this. You can find the new version in Debian experimental, would be great if you could try it and report back if it fixes your problem. If no one reports an error in it, I will upload the package to unstable and close this in a month. Cheers Jochen * Trent W. Buck[2015-09-22 16:08]: Package: libpam-mount Version: 2.14-1.1 Severity: minor 1. libpam_mount considers something "already mounted" if it can find a mount in libmount's iterator where both the source (device) and target (mountpoint) match. This is the code responsible: libpam-mount/src/mount.c:149:pmt_already_mounted() libpam-mount/src/mount.c:125:pmt_utabent_matches() THE PROBLEM 2. If pam_mount.conf.xml has then "already mounted?" fails because it compares nfs:/home/prisoners/p to /home/prisoners/p. I think. command: 'mount' '-onfsvers=3,intr,bg,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/prisoners/p' '/home/prisoners/p' (mount.c:72): Messages from underlying mount program: (mount.c:76): mount.nfs: access denied by server while mounting (null) The odd error from mount.nfs is because nfs:/home is root_squash and user nobody can't read it: # mkdir x y # mount -tnfs nfs:/home x # mount -tnfs nfs:/home x mount.nfs: /root/x is busy or already mounted # mount -tnfs nfs:/home/prisoners/p y # mount -tnfs nfs:/home/prisoners/p y mount.nfs: access denied by server while mounting (null) # ls -ld x y drwxr-x--x 8 root root 1024 Nov 12 2014 x drwx-- 13 pp4096 Sep 22 12:35 y # ls -ld x/prisoners drwxr-x--x 24 root root 1024 Sep 21 17:09 x/prisoners WORKAROUNDS DON'T WORK == 3. If pam_mount.conf.xml has then mounting fails because the nfs:~ is not expanded. command: 'mount' '-onfsvers=3,intr,bg,nodev,noexec,nosuid' '-tnfs' 'nfs:~' '/home/prisoners/p' (mount.c:72): Messages from underlying mount program: (mount.c:76): mount.nfs: access denied by server while mounting nfs:~ 4. 
If pam_mount.conf.xml has then mounting & detection both work: (mount.c:628): nfs:/home/prisoners/p already seems to be mounted at /home/prisoners/p, skipping ...but now I have to list every user's login individually, which is not feasible. 5. If pam_mount.conf.xml has the source is wrong path for staff users. Constructing $HOME from $USER also fails for setups like ~ajking2 ==> /home/students/a/j/ajking2/ which used to be common in large universities. I could probably get away with this, but it feels awful: IMPACT This is not an immediate problem for me, because the duplicate mount fails & the login succeeds. But! If the *first* mount fails (e.g. when NFS is down), the user get a working login with $HOME on the local root filesystem. If I fix that by making PAM abort when the mount fails, the problem in pmt_utabent_matches() will break the user's second concurrent login (e.g. GUI desktop + ssh). I'm too dumb to see exactly how to patch this, but I hope it's a one-line change. :-) POSTSCRIPT I pulled out pmt_already_mounted() into the following stand-alone script, to confirm that libmount could see the mountpoint: bash4$ cat mount-test.c /* #!/usr/bin/tcc -run -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -lmount */ /* bash4$ pkg-config --cflags --libs mount */ /* -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -lmount */ #include main() { struct libmnt_context *ctx; struct libmnt_table *table; struct libmnt_iter *iter; struct libmnt_fs *fs; const char *source, *target; ctx = mnt_new_context(); if (ctx == NULL) return -1; if (mnt_context_get_mtab(ctx, ) != 0) goto out; iter = mnt_new_iter(MNT_ITER_BACKWARD); if (iter == NULL) goto out; while (mnt_table_next_fs(table, iter, ) == 0) { source = mnt_fs_get_source(fs); target = mnt_fs_get_target(fs); printf("source<%s> target<%s>\n", source ?: "NULL", target ?: "NULL"); } out: mnt_free_context(ctx); return 0; } bash4$ cc mount-test.c $(pkg-config --cflags --libs mount) bash4$ cat 
a.out | ssh x 'cat >a.out && chmod +x a.out && ./a.out' Warning: Permanently added 'het' (ECDSA) to the list of known hosts. source target source target source target source target source target source target source target source target source target source target source target source target source target source target source target source target source target source target source<10.128.0.1:/srv/netboot/images>
Bug#799752: pmt_already_mounted() broken when server="nfs"
Package: libpam-mount Version: 2.14-1.1 Severity: minor 1. libpam_mount considers something "already mounted" if it can find a mount in libmount's iterator where both the source (device) and target (mountpoint) match. This is the code responsible: libpam-mount/src/mount.c:149:pmt_already_mounted() libpam-mount/src/mount.c:125:pmt_utabent_matches() THE PROBLEM 2. If pam_mount.conf.xml has then "already mounted?" fails because it compares nfs:/home/prisoners/p to /home/prisoners/p. I think. command: 'mount' '-onfsvers=3,intr,bg,nodev,noexec,nosuid' '-tnfs' 'nfs:/home/prisoners/p' '/home/prisoners/p' (mount.c:72): Messages from underlying mount program: (mount.c:76): mount.nfs: access denied by server while mounting (null) The odd error from mount.nfs is because nfs:/home is root_squash and user nobody can't read it: # mkdir x y # mount -tnfs nfs:/home x # mount -tnfs nfs:/home x mount.nfs: /root/x is busy or already mounted # mount -tnfs nfs:/home/prisoners/p y # mount -tnfs nfs:/home/prisoners/p y mount.nfs: access denied by server while mounting (null) # ls -ld x y drwxr-x--x 8 root root 1024 Nov 12 2014 x drwx-- 13 pp4096 Sep 22 12:35 y # ls -ld x/prisoners drwxr-x--x 24 root root 1024 Sep 21 17:09 x/prisoners WORKAROUNDS DON'T WORK == 3. If pam_mount.conf.xml has then mounting fails because the nfs:~ is not expanded. command: 'mount' '-onfsvers=3,intr,bg,nodev,noexec,nosuid' '-tnfs' 'nfs:~' '/home/prisoners/p' (mount.c:72): Messages from underlying mount program: (mount.c:76): mount.nfs: access denied by server while mounting nfs:~ 4. If pam_mount.conf.xml has then mounting & detection both work: (mount.c:628): nfs:/home/prisoners/p already seems to be mounted at /home/prisoners/p, skipping ...but now I have to list every user's login individually, which is not feasible. 5. If pam_mount.conf.xml has the source is wrong path for staff users. 
Constructing $HOME from $USER also fails for setups like ~ajking2 ==> /home/students/a/j/ajking2/ which used to be common in large universities. I could probably get away with this, but it feels awful: IMPACT This is not an immediate problem for me, because the duplicate mount fails & the login succeeds. But! If the *first* mount fails (e.g. when NFS is down), the user get a working login with $HOME on the local root filesystem. If I fix that by making PAM abort when the mount fails, the problem in pmt_utabent_matches() will break the user's second concurrent login (e.g. GUI desktop + ssh). I'm too dumb to see exactly how to patch this, but I hope it's a one-line change. :-) POSTSCRIPT I pulled out pmt_already_mounted() into the following stand-alone script, to confirm that libmount could see the mountpoint: bash4$ cat mount-test.c /* #!/usr/bin/tcc -run -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -lmount */ /* bash4$ pkg-config --cflags --libs mount */ /* -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -lmount */ #include main() { struct libmnt_context *ctx; struct libmnt_table *table; struct libmnt_iter *iter; struct libmnt_fs *fs; const char *source, *target; ctx = mnt_new_context(); if (ctx == NULL) return -1; if (mnt_context_get_mtab(ctx, ) != 0) goto out; iter = mnt_new_iter(MNT_ITER_BACKWARD); if (iter == NULL) goto out; while (mnt_table_next_fs(table, iter, ) == 0) { source = mnt_fs_get_source(fs); target = mnt_fs_get_target(fs); printf("source<%s> target<%s>\n", source ?: "NULL", target ?: "NULL"); } out: mnt_free_context(ctx); return 0; } bash4$ cc mount-test.c $(pkg-config --cflags --libs mount) bash4$ cat a.out | ssh x 'cat >a.out && chmod +x a.out && ./a.out' Warning: Permanently added 'het' (ECDSA) to the list of known hosts. 
source target source target source target source target source target source target source target source target source target source target source target source target source target source target source target source target source target source target source<10.128.0.1:/srv/netboot/images> target source target source target source target The full pam_mount.conf.xml I used for these tests was: 1000-2
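
An added example (not pam_mount's code and not part of any message in this thread) of the source-and-target comparison the report describes, run over a constructed /proc/mounts-style table: comparing the bare export path misses the NFS entry, while comparing `server:path` finds it. The function names and the sample table are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table in /proc/mounts layout: source target fstype options ... */
static const char *SAMPLE_MOUNTS =
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "nfs:/home/staff/s123 /home/staff/s123 nfs rw,nosuid,nodev,noexec,vers=3 0 0\n";

/* Return 1 if an entry has exactly this source and target, else 0.
 * Paths containing spaces (escaped as \040 in /proc/mounts) are not handled. */
static int entry_present(const char *mounts, const char *source, const char *target)
{
    char line[1024], src[256], tgt[256];
    while (*mounts != '\0') {
        size_t len = strcspn(mounts, "\n");
        snprintf(line, sizeof(line), "%.*s", (int)len, mounts);
        if (sscanf(line, "%255s %255s", src, tgt) == 2 &&
            strcmp(src, source) == 0 && strcmp(tgt, target) == 0)
            return 1;
        mounts += len;
        if (*mounts == '\n')
            mounts++;
    }
    return 0;
}

/* Hypothetical check that compares the bare export path with the source field. */
static int already_mounted_path_only(const char *mounts, const char *path,
                                     const char *mountpoint)
{
    return entry_present(mounts, path, mountpoint);
}

/* Hypothetical check that compares "server:path", the source mount.nfs is given. */
static int already_mounted_nfs(const char *mounts, const char *server,
                               const char *path, const char *mountpoint)
{
    char source[512];
    int n = snprintf(source, sizeof(source), "%s:%s", server, path);
    if (n < 0 || (size_t)n >= sizeof(source))
        return -1; /* source would be truncated: report an error, do not guess */
    return entry_present(mounts, source, mountpoint);
}

int main(void)
{
    const char *p = "/home/staff/s123";
    printf("path only:   %d\n", already_mounted_path_only(SAMPLE_MOUNTS, p, p));
    printf("server:path: %d\n", already_mounted_nfs(SAMPLE_MOUNTS, "nfs", p, p));
    return 0;
}
```

A caller that aborts the login when the mount fails needs the second form to return 1 for a concurrent session, otherwise the second login is the one that gets rejected.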