[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.
@Jari: Just tested it myself, I added (user="USERNAME") to my pam_mount.xml and it works now. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/996806 Title: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it. To manage notifications about this bug go to: https://bugs.launchpad.net/user-mounts/+bug/996806/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.
Haven't seen this problem for a while and just tested on 14.04: Seems it has been fixed somewhere in the last two years. So I guess this bug report could be closed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/996806 Title: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it. To manage notifications about this bug go to: https://bugs.launchpad.net/user-mounts/+bug/996806/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.
aldebx, by "restricting the directive in pam_mount.xml to a specific user " workaround you mean sudo, as for sudoedit there is no workaround? Or does sudoedit behave normally for you after editing just pam_mount.xml? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/996806 Title: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it. To manage notifications about this bug go to: https://bugs.launchpad.net/user-mounts/+bug/996806/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.
@ Moritz - Thank you for your insightful debugging of this issue. As you anticipated, I confirm that restricting the directive in pam_mount.xml to a specific user (user="USERNAME") is a valid workaround. I also would like to add that my suggested workaround (i.e. commenting out @pam-mount in "common-session-noninteractive" breaks authentication systems used also on desktop systems. Please discard it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/996806 Title: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it. To manage notifications about this bug go to: https://bugs.launchpad.net/user-mounts/+bug/996806/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.
I am orphaning the bug given that there has been no interaction with the assignee since the bug has been opened. If you are still interested in fixing this bug, please drop a line on the work progress. Thanks. ** Changed in: sudo (Ubuntu) Status: In Progress => Confirmed ** Changed in: sudo (Ubuntu) Assignee: TJ (intuitivenipple) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/996806 Title: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it. To manage notifications about this bug go to: https://bugs.launchpad.net/user-mounts/+bug/996806/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.
Thanks Moritz for debugging, I believe that you are correct. Especially as my /etc/security/pam_mount.conf.xml contains instructions only for the user, not root, I did not get any trouble with sudo. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/996806 Title: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it. To manage notifications about this bug go to: https://bugs.launchpad.net/user-mounts/+bug/996806/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.
Just checked sudo's behavior regarding the login count. It consistently
uses the user "root" before and after the given command:
[BEGIN OF LOG]
[sudo] password for USER:
pam_mount(pam_mount.c:364): pam_mount 2.10: entering auth stage
pam_mount(pam_mount.c:553): pam_mount 2.10: entering session stage
pam_mount(misc.c:38): Session open: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(pam_mount.c:614): no volumes to mount
command: 'pmvarrun' '-u' 'root' '-o' '1'
pam_mount(misc.c:38): set_myuid: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/2000, e=0/2000)
pmvarrun(pmvarrun.c:252): parsed count value 0
pam_mount(pam_mount.c:440): pmvarrun says login count is 1
pam_mount(pam_mount.c:645): done opening session (ret=0)
uid=0(root) gid=0(root) Gruppen=0(root)
pam_mount(pam_mount.c:691): received order to close things
pam_mount(pam_mount.c:693): No volumes to umount
command: 'pmvarrun' '-u' 'root' '-o' '-1'
pam_mount(misc.c:38): set_myuid: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/2000, e=0/2000)
pmvarrun(pmvarrun.c:252): parsed count value 1
pam_mount(pam_mount.c:440): pmvarrun says login count is 0
pam_mount(pam_mount.c:728): pam_mount execution complete
pam_mount(pam_mount.c:115): Clean global config (1073741824)
pam_mount(pam_mount.c:132): clean system authtok=0x151b270 (1073741824)
[END OF LOG]
@aldebx:
I can reproduce your problem with sudo in version 1.8.3p1-1ubuntu3.2:
My mount-line in /etc/security/pam_mount.conf.xml is limited to user
"user=USER". If I change this to "user=root" or remove the limitation
altogether, I get "reenter password for pam_mount" when running "sudo id". Can
you confirm this is similar to your config?
Without such a change to my configs, you can see in the above sudo log
that pam_mount would like to mess with mounts too but can't because
there are none available for user root ("no volumes to mount").
So IMHO there are two different issues to address:
1. fixing sudo/sudoedit:
sudoedit's interaction with pam_mount regarding the user is bogus. It should be
just like sudo does it. (Why is it different in the first place?)
2. fixing pam_mount:
- First, there are good reasons to run pam_mount from sudo: Consider a user
cron job running "sudo foo" where the user is allowed (by /etc/sudoers) to run
"sudo foo" without entering a password. The Command "foo" may need access to a
certain partition. The partition may be mounted on-demand by pam_mount for
various reasons (to save resources, ...).
- But there is absolutely no use in asking for a unlock password in this use
case. So pam_mount should skip encrypted partitions if there is no way to ask
for a password (This may already be the current behavior. I haven't tested it.)
- If there is an encrypted partition for user root available that is not yet
mounted and we're in an interactive shell, ask for the password to unlock it.
If root does not need the mount, then don't configure it this way.
- If a partition is already mounted by pam_mount, even because of another users
login-session, pam_mount should not try to mount it again and therefore not ask
for a password. It should keep track of unlocked and mounted partitions for
this.
- pam_mount is too eager to unmount partitions. It should only unmount them
when the login counts of _all_ affected users reach 0. Affected users are all
those for which pam_mount would have tried to mount the partition on login.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/996806
Title:
sudoedit triggers pam_mount to enquire the password of the encrypted
partition, trying to mount it and later to umount it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/user-mounts/+bug/996806/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.
Hi, I'm affected too and would like to provide some additional information: I suspect this bug is not caused by _how often_ pam_mount is called but rather a mixup of the user it is run under. When running sudoedit, before the editor component is started, pam_mount always tries to mount the partition. So while the editor is shown, the partition is always mounted. Either because it has been mounted before or because it got mounted here. pam_mount also increases the login-count of the normal user (not root!) issuing the sudoedit command. After you close the editor pam_mount decreases the login count for root (not the above user!) and as there are no counted logins for root, it always decides to unmount the partition. So after sudoedit is finished the partition is always unmounted regardless of its state before running sudoedit. So after using sudoedit for the first time after kdm/whatever login the mount is gone. It seems to me, sudoedit is opening a new session for user $USER but then closing one for user "root". See the following log produced with pam_mount debugging enabled: [BEGIN OF LOG] USER@USER:~$ cat /var/run/pam_mount/USER 0x3 USER@USER:~$ LC_ALL=C sudoedit foo [sudo] password for USER: pam_mount(pam_mount.c:364): pam_mount 2.10: entering auth stage pam_mount(pam_mount.c:553): pam_mount 2.10: entering session stage pam_mount(misc.c:38): Session open: (ruid/rgid=0/2000, e=0/2000) pam_mount(mount.c:218): Mount info: globalconf, user=USER fstab=0 ssh=0 command: 'mount' '-t' 'crypt' '-ofsck,acl,user_xattr,relatime' '/dev/disk/by-uuid/UUID_OF_LUKS_PARTITION' '/media/data' pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/2000, e=0/2000) pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/2000, e=0/2000) [... pam_mount(misc.c:380): ... [List of all previously active mounts ...] [the newly mounted partition:] pam_mount(misc.c:380): 21 20 252:5 / /media/data rw,relatime - ext4 /dev/mapper/_dev_dm_2 rw,user_xattr,acl,barrier=1,data=ordered command: 'pmvarrun' '-u' 'USER' '-o' '1' pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/2000, e=0/2000) pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/2000, e=0/2000) pmvarrun(pmvarrun.c:252): parsed count value 3 pam_mount(pam_mount.c:440): pmvarrun says login count is 4 pam_mount(pam_mount.c:645): done opening session (ret=0) Processing '/etc/joe/editorrc'...Processing '/etc/joe/ftyperc'...done done [... editor opens. close it without saving ...] File /var/tmp/foo.XXOuqivj not changed so no update needed pam_mount(pam_mount.c:691): received order to close things pam_mount(misc.c:38): Session close: (ruid/rgid=0/2000, e=0/2000) command: 'pmvarrun' '-u' 'root' '-o' '-1' pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/2000, e=0/2000) pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/2000, e=0/2000) pmvarrun(pmvarrun.c:252): parsed count value 0 pam_mount(pam_mount.c:438): error reading login count from pmvarrun pam_mount(mount.c:749): going to unmount pam_mount(mount.c:218): Mount info: globalconf, user=USER fstab=0 ssh=0 command: 'pmt-ofl' '-k0' '/media/data' command: 'umount' '/media/data' pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/2000, e=0/2000) pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/2000, e=0/2000) pam_mount(pam_mount.c:728): pam_mount execution complete pam_mount(pam_mount.c:115): Clean global config (1073741824) pam_mount(pam_mount.c:132): clean system authtok=0x14bbd70 (1073741824) sudoedit: foo unchanged USER@USER:~$ cat /var/run/pam_mount/USER 0x4 [END OF LOG] One can see that "pmvarrun" is run with different user names before and after the editor. By the way: Whether sudoedit is called for the first time requiring a password or with cached password does not change anything, except for the prompt "reenter password for pam_mount:" instead of the sudo password prompt right at the start. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/996806 Title: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it. To manage notifications about this bug go to: https://bugs.launchpad.net/user-mounts/+bug/996806/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.
As reported by Stewart Prescott [1], this error is triggered when the system invokes pam-mount twice, which means that pam-mount tries to mount the volume twice as a result and the second time fails because the mount point is not empty. Currently, this seems to be a bug of the default packaging rather than an user misconfiguration since even by resetting to default values via command pam-auth-update do not fix the situation. In Ubuntu 12.04 pam-mount is referenced in 3 files: common-auth common-session common-session-noninteractive and given that /etc/pam.d/sudo calls #%PAM-1.0 @include common-auth @include common-account @include common-session-noninteractive therefore pam-mount is called twice (common-auth and common- noninteractive) By removing (commenting out) the reference to pam-mount in "common- session-noninteractive" this error does not appear any more, without compromising any feature on non-server machines. By the way, in my case the exact same error referenced in this bug does not appear only with sudoedit, but also with sudo itself updated to the latest version 1.8.3p1-1ubuntu3.1 [1] http://nanonanonano.net/linux/debian/enchome ** Also affects: user-mounts Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/996806 Title: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it. To manage notifications about this bug go to: https://bugs.launchpad.net/user-mounts/+bug/996806/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 996806] Re: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it.
** Changed in: sudo (Ubuntu) Assignee: (unassigned) => TJ (intuitivenipple) ** Changed in: sudo (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/996806 Title: sudoedit triggers pam_mount to enquire the password of the encrypted partition, trying to mount it and later to umount it. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/996806/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
