Package: libpam-encfs
Version: 0.1.4.1-2
Severity: normal
Tags: patch
I use libpam-encfs with a special configuration file for (currently) only one
user that mounts a subdirectory of the home-dir for security-specific files.
Config file /etc/security/pam_encfs.conf contains the line
hmarkert /home/hmarkert/.sync /home/hmarkert/sync -v -
where sync is the encrypted directory. I disabled the auto-unmount, because
obviously the active session will not always keep files open and hence
unmounts the directory every few minutes, which is very annoying. So I
configured
session required pam_encfs.so
in /etc/pam.d/common-session.
However, unmounting on session end does not reliably work. I looked into the
source code of pam_encfs.c and did not find anything looking relevant.
However, for me it works if I add a wait()-call in the parent after the fork
that executes fusermount -u on the home directory. I attached a diff with the
changes.
I would further suggest to add a session counter in pam_encfs.c if there is
any possibility to have something like static variables in a pam-plugin (I am
not experienced with pam). This would avoid unmounting of the file system if
on another console another session of the same user is running.
Best,
Heiner
--- System information. ---
Architecture: i386
Kernel: Linux 2.6.22-3-686
Debian Release: lenny/sid
700 testing security.debian.org
700 testing ftp.de.debian.org
700 testing debian-multimedia.informatik.uni-erlangen.de
700 testing deb.opera.com
1 experimental ftp.de.debian.org
--- Package information. ---
Depends (Version) | Installed
==-+-==
encfs | 1.3.2-1-1
libpam0g (= 0.99.7.1) | 0.99.7.1-5
--- pam_encfs.c 2008-02-12 23:09:16.0 +0100
+++ ../pam_encfs.c.orig 2008-02-12 22:35:18.0 +0100
@@ -623,8 +623,7 @@
int retval;
pid_t pid;
char *targetpath;
-char *args[5];
-int t;
+char *args[4];
// _pam_log(LOG_ERR,Geteuid : %d,geteuid());
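Review bot: The declarations char *args[5] and int t show up as removed lines because the diff was generated with the modified file as the old side (--- pam_encfs.c against +++ ../pam_encfs.c.orig), so it only applies with patch -R; please regenerate it as diff -u pam_encfs.c.orig pam_encfs.c. Separately, args does not need to grow to 5 entries: with the -z line commented out, only args[0] through args[3] are assigned. A name such as status would say more than t for the variable that receives the child's exit status.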
@@ -641,10 +640,8 @@
args[0] = fusermount;
args[1] = -u;
-//args[2] = -z;
args[2] = targetpath;
args[3] = NULL;
-_pam_log(LOG_ERR, Unmounting %s,targetpath);
switch (pid = fork())
{
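Review bot: The new _pam_log(LOG_ERR, Unmounting %s, targetpath) call reports a routine unmount at error priority, which will put an error line in the log at the end of every session; a lower priority such as LOG_DEBUG or LOG_INFO fits an informational message. The commented-out args[2] = -z line is dead code and should be dropped, or turned into a real option if lazy unmount is wanted.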
@@ -660,8 +657,6 @@
exit(127);
}
-wait(t);
-
/*We'll get this error every single time we have more than one session
active, todo fix this with some better checks + support fuser -km if no more
session connected.
if (checkmnt(targetpath)) {
_pam_log(LOG_ERR,Failed to unmount %s,targetpath);
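Review bot: wait(t) passes the uninitialized int t by value where wait() expects an int * for the status, so the call is handed a garbage pointer; it should be wait(&t), or better waitpid(pid, &t, 0) so that only the fusermount child forked above is reaped rather than whichever child of the calling process exits first. The call should be retried on EINTR, and the status inspected with WIFEXITED and WEXITSTATUS so that a failed fusermount -u (including the exit(127) path when exec fails) is logged instead of silently ignored. Once the parent waits, the commented-out checkmnt(targetpath) test below could also be revisited, since the mount state is then known to be settled when it runs.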