Just checked sudo's behavior regarding the login count. It consistently
uses the user "root" before and after the given command:
[BEGIN OF LOG]
[sudo] password for USER:
pam_mount(pam_mount.c:364): pam_mount 2.10: entering auth stage
pam_mount(pam_mount.c:553): pam_mount 2.10: entering session stage
pam_mount(misc.c:38): Session open: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(pam_mount.c:614): no volumes to mount
command: 'pmvarrun' '-u' 'root' '-o' '1'
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/2000, e=0/2000)
pmvarrun(pmvarrun.c:252): parsed count value 0
pam_mount(pam_mount.c:440): pmvarrun says login count is 1
pam_mount(pam_mount.c:645): done opening session (ret=0)
uid=0(root) gid=0(root) Gruppen=0(root)
pam_mount(pam_mount.c:691): received order to close things
pam_mount(pam_mount.c:693): No volumes to umount
command: 'pmvarrun' '-u' 'root' '-o' '-1'
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/2000, e=0/2000)
pmvarrun(pmvarrun.c:252): parsed count value 1
pam_mount(pam_mount.c:440): pmvarrun says login count is 0
pam_mount(pam_mount.c:728): pam_mount execution complete
pam_mount(pam_mount.c:115): Clean global config (1073741824)
pam_mount(pam_mount.c:132): clean system authtok=0x151b270 (1073741824)
[END OF LOG]
@aldebx:
I can reproduce your problem with sudo in version 1.8.3p1-1ubuntu3.2:
My mount-line in /etc/security/pam_mount.conf.xml is limited to user
"user=USER". If I change this to "user=root" or remove the limitation
altogether, I get "reenter password for pam_mount" when running "sudo id". Can
you confirm this is similar to your config?
Without such a change to my configs, you can see in the above sudo log
that pam_mount would like to mess with mounts too but can't because
there are none available for user root ("no volumes to mount").
So IMHO there are two different issues to address:
1. fixing sudo/sudoedit:
sudoedit's interaction with pam_mount regarding the user is bogus. It should be
just like sudo does it. (Why is it different in the first place?)
2. fixing pam_mount:
- First, there are good reasons to run pam_mount from sudo: Consider a user
cron job running "sudo foo" where the user is allowed (by /etc/sudoers) to run
"sudo foo" without entering a password. The Command "foo" may need access to a
certain partition. The partition may be mounted on-demand by pam_mount for
various reasons (to save resources, ...).
- But there is absolutely no use in asking for a unlock password in this use
case. So pam_mount should skip encrypted partitions if there is no way to ask
for a password (This may already be the current behavior. I haven't tested it.)
- If there is an encrypted partition for user root available that is not yet
mounted and we're in an interactive shell, ask for the password to unlock it.
If root does not need the mount, then don't configure it this way.
- If a partition is already mounted by pam_mount, even because of another users
login-session, pam_mount should not try to mount it again and therefore not ask
for a password. It should keep track of unlocked and mounted partitions for
this.
- pam_mount is too eager to unmount partitions. It should only unmount them
when the login counts of _all_ affected users reach 0. Affected users are all
those for which pam_mount would have tried to mount the partition on login.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/996806
Title:
sudoedit triggers pam_mount to enquire the password of the encrypted
partition, trying to mount it and later to umount it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/user-mounts/+bug/996806/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
