Bug 1747190 - Cannot use Systemd User Services with Ecryptfs
Summary: Cannot use Systemd User Services with Ecryptfs
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 30
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-08-29 21:11 UTC by Devon Maloney
Modified: 2019-09-17 07:45 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Devon Maloney 2019-08-29 21:11:18 UTC
Description of problem:

If I set up ecryptfs for my user (doing `sudo authselect select sssd with-ecryptfs with-pamaccess` in the process), I can no longer use systemd user services. `systemctl --user` does not see the services (in ~/.config/systemd/user) as existing at all until a `systemctl --user daemon-reload` is performed after login. Presumably this is due to the directory not being decrypted at the time that systemd is looking for them on login, much as in this issue: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1746527


Version-Release number of selected component (if applicable):

pam-1.3.1-17.fc30

How reproducible:

100%

Steps to Reproduce:
1. Set up ecryptfs (ecryptfs-migrate-home and the above authselect command among them)
2. Create a systemd user service and enable it
3. Reboot and try to do a `systemctl --user status <service>`

Actual results:

Service is missing

Expected results:

Service should be usable

Additional info:

Comment 1 Pavel Březina 2019-09-16 08:09:31 UTC
Can you copy and paste /etc/pam.d/system-auth and /etc/pam.d/postlogin please?

Comment 2 Devon Maloney 2019-09-16 20:28:09 UTC
/etc/pam.d/system-auth

# Generated by authselect on Fri Sep  6 01:08:01 2019
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_access.so
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_ecryptfs.so unwrap
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so


/etc/pam.d/postlogin

# Generated by authselect on Fri Sep  6 01:08:01 2019
# Do not modify this file manually.

auth        optional                   pam_ecryptfs.so unwrap

password    optional                   pam_ecryptfs.so unwrap

session     optional                   pam_umask.so silent
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]                pam_lastlog.so nowtmp showfailed
session     optional                   pam_lastlog.so silent noupdate showfailed

Hm, seems like pam_ecryptfs.so unwrap *does* occur before

Comment 3 Pavel Březina 2019-09-17 07:45:05 UTC
So pam_ecryptfs is called before pam_systemd in session phase which is correct. Even the issue mentioned in the bug description advises this order as a fix.

I'm moving this bug to systemd for further investigation.
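The ordering Comment 3 reasons about (pam_ecryptfs.so must run before pam_systemd.so in the session phase) can be checked mechanically rather than by eye. The following is an added example, not part of the bug report or of systemd/authselect: it parses the posted system-auth session stack (embedded here as a constructed sample) and reports the order of the two modules, treating the leading '-' on the pam_systemd line as PAM's "stay silent if the module is missing" marker, which does not affect ordering.

```python
"""Check that pam_ecryptfs.so precedes pam_systemd.so in a PAM session stack."""
import re

# Constructed sample: the session lines of the system-auth posted in Comment 2.
SAMPLE_SYSTEM_AUTH = """\
# Generated by authselect (comment line, ignored by the parser)
session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_ecryptfs.so unwrap
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
"""

# One pam.d line: [-]type  control  module [args]; control is a word or a [bracketed] list.
_LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_stack(text, phase="session"):
    """Return the ordered (module, control, args, silent_if_missing) entries of one phase.

    A leading '-' on the type (as on the '-session ... pam_systemd.so' line)
    only suppresses the log message if the module cannot be loaded.
    """
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m or m.group(2) != phase:
            continue
        dash, _, control, module, args = m.groups()
        stack.append((module, control, args or "", dash == "-"))
    return stack


def ecryptfs_before_systemd(text):
    """True if pam_ecryptfs.so runs before pam_systemd.so in the session phase,
    False if the order is reversed, None if either module is absent from it."""
    modules = [entry[0] for entry in parse_stack(text)]
    try:
        return modules.index("pam_ecryptfs.so") < modules.index("pam_systemd.so")
    except ValueError:
        return None


if __name__ == "__main__":
    print(ecryptfs_before_systemd(SAMPLE_SYSTEM_AUTH))  # True for the posted config
```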

