
Bug 722323

Summary: /etc/pam.d/su does not support ecryptfs mount of "Private"
Product: [Fedora] Fedora
Reporter: Piergiorgio Sartor <piergiorgio.sartor>
Component: coreutils
Assignee: Ondrej Vasik <ovasik>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: rawhide
CC: admiller, jonathan, kdudka, kzak, maxamillion, mhlavink, mluscon, ovasik, p, tmraz, twaugh
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-11-18 21:30:20 EST

Description Piergiorgio Sartor 2011-07-14 17:40:11 EDT
Description of problem:
Changing user with "su" does not result, even if properly set up, in ~/Private mounted, as it does for other login cases.

Version-Release number of selected component (if applicable):
coreutils-8.10-2.fc15.i686

How reproducible:
Always

Steps to Reproduce:
1. Login using ssh, see bug #718807
2. Use "su - user" in order to re-login
  
Actual results:
~/Private is not mounted

Expected results:
~/Private should be mounted

Additional info:
As mentioned in bug #718807, it seems the pam configuration is not correct since "postlogin" is not included in "/etc/pam.d/su" and maybe others.
Comment 1 Ondrej Vasik 2011-07-15 10:01:33 EDT
Fixed in Rawhide - coreutils-8.12-2.fc16 - http://lists.fedoraproject.org/pipermail/scm-commits/2011-July/628365.html ... could you please check that the changes are sufficient?
Comment 2 Piergiorgio Sartor 2011-07-15 14:20:05 EDT
Nope...

I get:

$ su - atest
Password: 
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'

Of course, the interactive works fine.

This might be related to bug #722445 comment #1.
Comment 3 Piergiorgio Sartor 2011-07-15 14:21:39 EDT
Argh, I pressed return...

Nothing, just added CC Michal Hlavinka to this issue, maybe he can confirm it's the same as the ssh one.

Thanks,

bye,

pg
Comment 4 Piergiorgio Sartor 2011-08-13 05:13:36 EDT
Hi again,

I tried ecryptfs-utils-90-1.fc16.i686 with the same results.

dmesg reports:

ecryptfs_parse_options: eCryptfs: unrecognized option [ecryptfs_check_dev_ruid]

and in /var/log/messages there is:

... kernel: [ 1879.520439] ecryptfs_parse_options: eCryptfs: unrecognized option [ecryptfs_check_dev_ruid]
... su: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present

Hope this helps,

bye,

pg
Comment 5 Ondrej Vasik 2011-08-13 11:02:21 EDT
Adding Tomas Mraz - pam maintainer - to CC as well.
Comment 6 Ondrej Vasik 2011-09-09 07:04:25 EDT
According to https://bugzilla.redhat.com/show_bug.cgi?id=487088#c44 (which was likely a blocker for this one) there should be ecryptfs-utils-90-2.fc15 in updates testing. Could you please check if this updated ecryptfs-utils package makes some change?
Comment 7 Piergiorgio Sartor 2011-09-20 03:18:26 EDT
(In reply to comment #6)
> According to https://bugzilla.redhat.com/show_bug.cgi?id=487088#c44 (which was
> likely a blocker for this one) there should be ecryptfs-utils-90-2.fc15 in
> updates testing. Could you please check if this updated ecryptfs-utils package
> makes some change?

Uhm, nope.

Same error about key not available.

The kernel module was anyway loaded, since the user from which the "su" was done had already the "Private" folder mounted (encrypted, of course).

Hope this helps,

bye,

pg
Comment 8 Michal Hlavinka 2011-09-20 09:52:13 EDT
For some reason, pam_ecryptfs module is not called. You can check this by looking at /var/log/{messages,secure}. Look for something like:

Sep 20 15:37:16 krles sshd[4579]: ecryptfs: pam_sm_authenticate: pam auth stack calls pam_ecryptfs module

(this is first thing in pam_ecryptfs, so there's no way pam_ecryptfs being called & message in log missing)

Reason for this:
> $ su - atest
> Password: 
> keyctl_search: Required key not available
> Perhaps try the interactive 'ecryptfs-mount-private'

is that it calls pam_ecryptfs module in session stack (it should be called in both)

I've verified this:

# authconfig --enableecryptfs --updateall
# useradd -G ecryptfs etest
# passwd etest
# ssh etest@localhost
$ ecryptfs-setup-private
$ keyctl clear @u
$ logout
$ su - etest #not from root account!

log contains only:
Sep 20 15:36:57 krles su: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present

which is expected result for case where pam_ecryptfs is called in session stack and not in the auth stack too

/etc/pam.d/su on my system contains
auth            include         postlogin

I have no idea, why pam does not call it in this case...
Comment 9 Ondrej Vasik 2012-07-16 07:49:46 EDT
Cleanup - since F15 is close to EOL and I think this should be solved in F16 coreutils, setting needinfo on reporter. Is this still an issue for you?
Comment 10 Piergiorgio Sartor 2012-07-16 14:10:41 EDT
Hi Ondrej,

I'm actually on F17 and it does not work either (F16 was not working too).

Basically, login or user change or ssh localhost do work, the "Private" folder is mounted. "su - ..." does not work.
The following error is shown:

keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'

So I updated the release to F17, since the problem is there too.

bye,

pg
Comment 11 Ondrej Vasik 2012-11-05 04:32:40 EST
su moved to util-linux...
Comment 12 Tomas Mraz 2012-11-05 05:35:08 EST
I see that (at least on Fedora 16) there is

auth		include		system-auth

in /etc/pam.d/su which is incorrect. There should be
auth            substack        system-auth
instead.

Otherwise the postlogin include is not being processed if there is, e.g., a sufficient module in the system-auth include.
Comment 13 Karel Zak 2012-11-05 05:40:35 EST
(In reply to comment #11)
> su moved to util-linux...

yes, in f19... reassigning back to coreutils. I guess the bug should be fixed in f17 and f18 too.
Comment 14 Piergiorgio Sartor 2012-11-05 11:33:00 EST
Hi all,

in my system, F17, the ecryptfs stuff seems to be in "postlogin".

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        optional      pam_ecryptfs.so unwrap

password    optional      pam_ecryptfs.so unwrap

session     optional      pam_ecryptfs.so unwrap

"postlogin" is _include-d_ (not "substack-ed") in all relevant pam configuration files, but "passwd".

Has "system-auth" anything to do with "ecryptfs"?

If it must be "substack-ed", why all others use "include"?

Thanks,

bye,

pg
Comment 15 Tomas Mraz 2012-11-05 13:56:54 EST
(In reply to comment #14)
> "postlogin" is _include-d_ (not "substack-ed") in all relevant pam
> configuration files, but "passwd".
In case of postlogin and also other module types (account, session) it does not matter whether they are included or substacked.

> Has "system-auth" anything to do with "ecryptfs"?

> If it must be "substack-ed", why all others use "include"? 

Because modules in auth in the system-auth file use sufficient to end the authentication stack on success and if it is just included it will end the whole authentication. If it is substacked only the substack will finish.
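
Added example, not part of the bug thread and not Linux-PAM code: a minimal Python model of the difference described in comments 12 and 15, showing which auth modules run when `system-auth` is pulled in with `include` versus `substack`. The `system-auth` and `su` contents are constructed and simplified, and `walk`, `su_file` and `modules_called` are hypothetical helper names.

```python
# Constructed, simplified PAM files (assumption: not copied from a real system).
FILES = {
    "system-auth": "auth sufficient pam_unix.so\nauth required pam_deny.so\n",
    # The auth line below is the one shown in comment 14.
    "postlogin": "auth optional pam_ecryptfs.so unwrap\n",
}

def su_file(control):
    """Build a minimal /etc/pam.d/su using `control` to pull in system-auth."""
    return f"auth {control} system-auth\nauth include postlogin\n"

def walk(files, name, mtype, outcome, called):
    """Evaluate one stack; return True if a done/die action ended it early.

    Simplification: prior 'required' failures are not tracked, which is
    enough for the sample files because pam_unix.so is the first module.
    """
    for line in files[name].splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != mtype:
            continue  # blank line, comment, or another module type
        control, target = fields[1], fields[2]
        if control == "include":
            # Included lines join the caller's stack, so 'done' ends it too.
            if walk(files, target, mtype, outcome, called):
                return True
        elif control == "substack":
            # 'done' inside a substack ends only the substack.
            walk(files, target, mtype, outcome, called)
        else:
            called.append(target)
            ok = outcome.get(target, True)  # modules succeed unless told otherwise
            if (control == "sufficient" and ok) or (control == "requisite" and not ok):
                return True
    return False

def modules_called(control, outcome=None):
    """Return the auth modules invoked for `su` with the given control."""
    files = dict(FILES, su=su_file(control))
    called = []
    walk(files, "su", "auth", outcome or {}, called)
    return called

if __name__ == "__main__":
    for ctl in ("include", "substack"):
        print(ctl, "->", modules_called(ctl))
```

With `include`, a successful `pam_unix.so` ends the whole auth stack before `pam_ecryptfs.so` is reached, which matches the `fill_keyring: Unable to get ecryptfs pam data` message from the session stack reported in comments 4 and 8.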
Comment 16 Fedora Update System 2012-11-06 07:46:04 EST
coreutils-8.17-6.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/coreutils-8.17-6.fc18
Comment 17 Fedora Update System 2012-11-06 07:47:44 EST
coreutils-8.15-8.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/coreutils-8.15-8.fc17
Comment 18 Fedora Update System 2012-11-06 08:19:33 EST
coreutils-8.12-8.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/coreutils-8.12-8.fc16
Comment 19 Fedora Update System 2012-11-06 13:53:01 EST
Package coreutils-8.17-6.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing coreutils-8.17-6.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17694/coreutils-8.17-6.fc18
then log in and leave karma (feedback).
Comment 20 Fedora Update System 2012-11-18 21:30:24 EST
coreutils-8.15-8.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2012-11-22 22:11:49 EST
coreutils-8.12-8.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.