Package: libpam-encfs
Version: 0.1.4.1-2
Severity: normal
Tags: patch

--- Please enter the report below this line. ---

I use libpam-encfs with a special configuration file for (currently) only one 
user that mounts a subdirectory of the home-dir for security-specific files.
Config file /etc/security/pam_encfs.conf contains the line
hmarkert        /home/hmarkert/.sync    /home/hmarkert/sync     -v      -
where sync is the encrypted directory. I disabled the auto-unmount, because 
obviously the active session will not always keep files open and hence 
unmounts the directory every few minutes, which is very annoying. So I 
configured
session required        pam_encfs.so
in /etc/pam.d/common-session.
However, unmounting on session end does not reliably work. I looked into the 
source code of pam_encfs.c and did not find anything looking relevant. 
However, for me it works if I add a wait()-call in the parent after the fork 
that executes fusermount -u on the home directory. I attached a diff with the 
changes.
I would further suggest to add a session counter in pam_encfs.c if there is 
any possibility to have something like static variables in a pam-plugin (I am 
not experienced with pam). This would avoid unmounting of the file system if 
on another console another session of the same user is running.

Best,
Heiner

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.22-3-686

Debian Release: lenny/sid
  700 testing         security.debian.org 
  700 testing         ftp.de.debian.org 
  700 testing         debian-multimedia.informatik.uni-erlangen.de 
  700 testing         deb.opera.com 
    1 experimental    ftp.de.debian.org 

--- Package information. ---
Depends          (Version) | Installed
==========================-+-==============
encfs                      | 1.3.2-1-1
libpam0g     (>= 0.99.7.1) | 0.99.7.1-5

--- pam_encfs.c 2008-02-12 23:09:16.000000000 +0100
+++ ../pam_encfs.c.orig 2008-02-12 22:35:18.000000000 +0100
@@ -623,8 +623,7 @@
     int retval;
     pid_t pid;
     char *targetpath;
-    char *args[5];
-    int t;
+    char *args[4];
 
     //  _pam_log(LOG_ERR,"Geteuid : %d",geteuid());
 
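Review bot: the file headers are swapped (`--- pam_encfs.c` against `+++ ../pam_encfs.c.orig`), so the diff reads in reverse and the `-` lines are the ones being proposed; regenerate it with the original file first so it applies without `-R`. In this hunk `char *args[5]` is larger than needed, since only `args[0]` to `args[3]` are filled while the `-z` line stays commented out, and `int t` is only worth declaring if the status it receives is examined afterwards.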
@@ -641,10 +640,8 @@
 
     args[0] = "fusermount";
     args[1] = "-u";
-    //args[2] = "-z";
     args[2] = targetpath;
     args[3] = NULL;
-    _pam_log(LOG_ERR, "Unmounting %s",targetpath);
 
     switch (pid = fork())
     {
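Review bot: `_pam_log(LOG_ERR, "Unmounting %s",targetpath);` reports a routine action at error priority, which buries real failures in the log; use a lower syslog priority such as LOG_INFO or LOG_DEBUG. The commented-out `//args[2] = "-z";` should be dropped from the patch, or kept with a comment saying when it would be enabled.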
@@ -660,8 +657,6 @@
             exit(127);
     }
 
-    wait(&t);
-
     /*We'll get this error every single time we have more than one session 
active, todo fix this with some better checks + support fuser -km if no more 
session connected.  
        if (checkmnt(targetpath)) {
        _pam_log(LOG_ERR,"Failed to unmount %s",targetpath);
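Review bot: `wait(&t);` after the switch returns as soon as any child of the calling process exits, and a PAM module runs inside the application that loaded it, so this call can reap a child that is not the fusermount helper; use `waitpid(pid, &t, 0)` and retry on EINTR. The status stored in `t` is never checked, so a failed unmount still goes unreported; test `WIFEXITED(t)` and `WEXITSTATUS(t)` and log when the helper did not exit with 0.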
