Trigger on user logout?

2005-11-07 Thread Uosis L
Hi,

I'm trying to make an encrypted home directory which is
mounted/unmounted on login/logout.
Mounting it on login was the easy part ( with a custom login style ),
but is there any way to unmount it on logout ( short of modifying
init ) ? I want to alter the system as little as possible, so I'm
kinda reluctant to modify such a key component as init. I hope I
missed something, but the only places I see where those 2 function
calls (unmount and ioctl) could be inserted are the shell ( ugly ugly
) or the init.

If anybody has any ideas, I would really appreciate advice.

Thanks.



Re: Trigger on user logout?

2005-11-07 Thread Uosis L
Thanks for the advice.

All these methods would definitely work, but the problem with the shell
logout file is that vnconfig/umount both need to be executed as root.
Of course, it's possible to make it work that way ( with sudo, suid
bit, etc ), but that would be kinda complicated ( there would have to
be an extra suid program which does the real work ). A cron job is an
interesting idea, but the problem with that is the time delay before
the filesystem becomes inaccessible. What I'm trying to do is to make all
this mechanism transparent to the shell ( something similar to the
login styles ), but I get the feeling that I'll have to go with the
logout file approach...


On 11/7/05, Richard P. Koett <[EMAIL PROTECTED]> wrote:
> Uosis L wrote:
> > Hi,
> >
> > I'm trying to make an encrypted home directory which is
> > mounted/unmounted on login/logout.
> > Mounting it on login was the easy part ( with a custom login style ),
> > but is there any way to unmount it on logout ( short of modifying
> > init ) ? I want to alter the system as little as possible, so I'm
> > kinda reluctant to modify such a key component as init. I hope I
> > missed something, but the only places I see where those 2 function
> > calls (unmount and ioctl) could be inserted are the shell ( ugly ugly
> > ) or the init.
> >
> > If anybody has any ideas, I would really appreciate advice.
> >
> > Thanks.
>
> I'm not sure why you say using the shell is ugly. With /bin/sh
> you could add something like this to your .profile:
>
> trap "/sbin/umount $HOME" EXIT



Re: Trigger on user logout?

2005-11-07 Thread Uosis L
They definitely could change the password ( just as in a regular
non-encrypted setup ). I simply modified the login_passwd style a little
bit so that when a user logs in and authenticates via the regular method,
the same password is used to attach a vnd device, which is then
mounted. So yes, you could change the user ( or even root ) password
without even needing physical access - the root account would suffice
(but if you have the root account you might just as well read the real
password from memory ). But they would not be able to mount the
home directory. As far as I know the only way to avoid this is to
encrypt the entire root partition ( or at least /etc ).

On 11/7/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Uosis L
> > Sent: Monday, November 07, 2005 3:29 PM
> > To: Richard P. Koett
> > Cc: misc@openbsd.org
> > Subject: Re: Trigger on user logout?
> >
> > Thanks for the advice.
> >
> > All these methods would definitely work, but the problem with the shell
> > logout file is that vnconfig/umount both need to be executed as root.
> > Of course, it's possible to make it work that way ( with sudo, suid
> > bit, etc ), but that would be kinda complicated ( there would have to
> > be an extra suid program which does the real work ). A cron job is an
> > interesting idea, but the problem with that is the time delay before
> > the filesystem becomes inaccessible. What I'm trying to do is to make all
> > this mechanism transparent to the shell ( something similar to the
> > login styles ), but I get the feeling that I'll have to go with the
> > logout file approach...
>
> I guess this means that the home directory is encrypted in a way that
> the user's login password ends up protecting the directory.  In your
> setup, would someone with access to the physical disk be able to change
> the user's password and then login as that user?



Re: Trigger on user logout?

2005-11-07 Thread Uosis L
That's a very good point. I guess the logout script would have to
check if there are any other processes from that user before
unmounting the filesystem. It would work the same way you suggested
with cron, except only called on logout, so it would have an immediate
effect.

On 11/7/05, Ted Unangst <[EMAIL PROTECTED]> wrote:
> On 11/7/05, ober <[EMAIL PROTECTED]> wrote:
> > Put a umount command in the ~/.logout?
> > Should work for csh at least.
>
> until you login twice and logout once.
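The two pieces of the thread fit together as one logout hook: Richard's `trap ... EXIT` in `.profile` gives the trigger, and Ted's "login twice, logout once" objection means the hook must first check whether another session of the same user is still active before it unmounts. The following is an added example written for this thread, not code posted by any of the participants. It assumes the home directory is the mount point, that `who` lists one line per login session with the user name in the first column, that the vnd device name (`svnd0`) is a placeholder, and that an sudoers rule allowing exactly the two privileged commands exists (the suid/sudo trade-off the thread discusses is not solved here, only isolated to those two calls). The session-counting logic reads its input from stdin so it can be exercised on constructed data without touching a real system.

```shell
#!/bin/sh
# Added example for the "Trigger on user logout?" thread (not from the
# original posts). Unmount an encrypted home on logout, but only when no
# other session of the same user remains, so the "login twice, logout
# once" case does not yank the filesystem out from under the other shell.

# count_sessions USER
#   Reads `who`-style lines on stdin ("user tty date ...") and prints how
#   many belong to USER. Taking stdin rather than calling `who` directly
#   keeps the function testable with constructed input.
count_sessions() {
    awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# safe_to_unmount COUNT
#   COUNT is the number of sessions still listed for this user. While the
#   trap runs, the current session is normally still present in utmp, so
#   a count of 1 means "only me" (assumption: login(1) removes the utmp
#   entry after the shell exits). Returns 0 when unmounting is safe.
safe_to_unmount() {
    [ "$1" -le 1 ]
}

# logout_hook
#   The actual EXIT handler. The two privileged commands are the only
#   places root is needed; confine them to a narrow sudoers rule rather
#   than a general suid helper. "svnd0" is a placeholder device name.
logout_hook() {
    user=$(id -un)
    remaining=$(who | count_sessions "$user")
    if safe_to_unmount "$remaining"; then
        sudo /sbin/umount "$HOME" && sudo /sbin/vnconfig -u svnd0
    fi
}

# Install from ~/.profile, following the suggestion in the thread:
#   trap logout_hook EXIT
```

Constructed `who` output with two sessions for the same user yields a count of 2, so the hook leaves the mount alone until the last session exits; a single entry yields 1 and the unmount proceeds. The check is racy by nature (a second login can arrive between the `who` and the `umount`), which is the remaining gap that the init-level approach the original poster wanted to avoid would close.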