Bug 449646 - pam_mount encrypted home partition, login proceeds before home partition is available.
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: pam_mount
Version: 9
Hardware: x86_64 Linux
Priority: low Severity: high
Assigned To: Till Maas
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-06-02 18:12 EDT by Adam Serbinski
Modified: 2009-04-13 09:11 EDT
Doc Type: Bug Fix
Last Closed: 2009-04-13 09:11:33 EDT
Description Adam Serbinski 2008-06-02 18:12:39 EDT
Description of problem:
When using pam_mount to mount encrypted home partition, login proceeds prior to
the mounted partition becoming available, leading to gconfd being unable to
locate its database. When logging in at runlevel 3, it fails to detect the home
directory and logs in with "/".

Version-Release number of selected component (if applicable):
0.32-3

How reproducible:
Most of the time. In GDM, usually misses loading gconf database the first time,
logging out and then back in again usually works. When logging in from console,
always produces the error that user's home directory does not exist.

Steps to Reproduce:
1. Log in at a text console or GDM when using pam_mount to mount an encrypted home
partition.
Actual results:
Login process attempts to access data in the home directory before home
directory is available.

Expected results:
Login process should wait until home directory is available before proceeding.

Additional info:
/etc/security/pam_mount.conf.xml:
<volume fstype="crypt" path="/dev/sda3" mountpoint="/home" />

/etc/pam.d/system-auth:
auth required pam_env.so
auth optional pam_mount.so
...
...
session required pam_unix.so
session optional pam_mount.so

An example of the gconf errors:
A GConf error has occurred: No database available to save your
configuration: Unable to store a value at key
'/apps/mail-notification/ui/properties-dialog/width', as the configuration
server has no writable databases. There are some common causes of this
problem: 1) your configuration path file /etc/gconf/2/path doesn't contain
any databases or wasn't found 2) somehow we mistakenly created two gconfd
processes 3) your operating system is misconfigured so NFS file locking
doesn't work in your home directory or 4) your NFS client machine crashed
and didn't properly notify the server on reboot that file locks should be
dropped. If you have two gconfd processes (or had two at the time the
second was launched), logging out, killing all copies of gconfd, and
logging back in may help. If you have stale locks, remove ~/.gconf*/*lock.
Perhaps the problem is that you attempted to use GConf from two machines
at once, and ORBit still has its default configuration that prevents
remote CORBA connections - put "ORBIIOPIPv4=1" in /etc/orbitrc. As always,
check the user.* syslog for details on problems gconfd encountered. There
can only be one gconfd per home directory, and it must own a lockfile in
~/.gconfd and also lockfiles in individual storage locations such as
~/.gconf.
*** Note: The applicable explanation is (1).


Text based login (note that pam_mount is set to debug output):
**** The bottom of this is particularly interesting!!
pam_mount(rdconf2.c:209) checking sanity of volume record (/dev/sda3)
pam_mount(pam_mount.c:535) about to perform mount operations
pam_mount(mount.c:409) information for mount:
pam_mount(mount.c:410) ----------------------
pam_mount(mount.c:411) (defined by globalconf)
pam_mount(mount.c:412) user:          username
pam_mount(mount.c:413) server:
pam_mount(mount.c:414) volume:        /dev/sda3
pam_mount(mount.c:415) mountpoint:    /home
pam_mount(mount.c:416) options:
pam_mount(mount.c:417) fs_key_cipher:
pam_mount(mount.c:418) fs_key_path:
pam_mount(mount.c:419) use_fstab:     0
pam_mount(mount.c:420) ----------------------
pam_mount(mount.c:182) realpath of volume /home is /home
pam_mount(mount.c:186) checking to see if /dev/mapper/_dev_sda3 is already
mounted at /home
pam_mount(mount.c:873) checking for encrypted filesystem key configuration
pam_mount(mount.c:899) about to start building mount command
pam_mount(misc.c:323) could not fill %(before=-o  OPTIONS)
pam_mount(misc.c:285) command: mount [-t] [crypt] [/dev/sda3] [/home]
pam_mount(misc.c:56) set_myuid<pre>: (uid=0, euid=0, gid=0, egid=0)
pam_mount(misc.c:56) set_myuid<post>: (uid=0, euid=0, gid=0, egid=0)
key slot 0 unlocked.
pam_mount(mount.c:104) mount errors:
pam_mount(mount.c:107) Command successful.
pam_mount(mount.c:933) waiting for mount
Filesystem    Type   1K-blocks      Used Available Use% Mounted on
/dev/sda2     ext3    20161204  12720632   6416432  67% /
proc          proc           0         0         0   -  /proc
sysfs        sysfs           0         0         0   -  /sys
devpts      devpts           0         0         0   -  /dev/pts
/dev/sda1     ext3      194442     18429    165974  10% /boot
tmpfs        tmpfs     1902180         0   1902180   0% /dev/shm
none   binfmt_misc           0         0         0   - 
/proc/sys/fs/binfmt_misc
sunrpc  rpc_pipefs           0         0         0   - 
/var/lib/nfs/rpc_pipefs
fusectl    fusectl           0         0         0   - 
/sys/fs/fuse/connections
/dev/mapper/_dev_sda3
              ext3   133475588  77705688  48989696  62% /home
pam_mount(pam_mount.c:134) clean system authtok (0)
pam_mount(misc.c:285) command: pmvarrun [-u] [username] [-o] [1]
pam_mount(misc.c:56) set_myuid<pre>: (uid=0, euid=0, gid=0, egid=0)
pam_mount(misc.c:56) set_myuid<post>: (uid=0, euid=0, gid=0, egid=0)
pam_mount(pam_mount.c:425) pmvarrun says login count is 2
pam_mount(pam_mount.c:548) done opening session (ret=0)
Last login: Mon Jun  2 17:54:53 on tty1
No directory /home/username!
Logging in with home = /.
[username@localhost /]$ ls -l /home
drwx------ 45 username username  4096 2006-06-02 17:58 username
drwx------  2 root     root     16384 2008-05-28 20:08 lost+found
[username@localhost /]$
Comment 1 Till Maas 2008-10-08 11:45:15 EDT
The version/release you provided implies that you used Fedora 8, but you selected Fedora 9 in the bug report. Which one are you using?

Also, I was never able to reproduce this; here on F8, gdm always waits until pam_mount is ready, which I notice especially when it does a fsck of my home filesystem.

Can you please test pam_mount-0.49, which is going to be in updates-testing soon?
Comment 2 Adam Serbinski 2008-10-08 17:11:13 EDT
0.32-3 is the version that initially shipped with F9 - i.e., no updates. The version has advanced since I initially reported this bug; I will try again with the current version (0.48) as well as with the testing version.
Comment 3 Jan Engelhardt 2008-10-17 12:03:35 EDT
It is possible for mount.crypt in versions <= 0.33 to not mount the volume because of the asynchronous nature of device creation.

See commit v0.33-8-g5fa73f6 which addressed this.
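
A defensive check for the race described in Comment 3, as an added example that is not pam_mount's code and not the change made in the cited commit: wait for the asynchronously created device node, then confirm the mount and the home directory before the session relies on them. The function names, the timeout values and the temporary paths in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not pam_mount code).

# wait_for_node PATH SECONDS
# Poll once per second until PATH exists. Returns 0 if it appeared, 1 on timeout.
wait_for_node() {
    node=$1 tries=$2
    while [ "$tries" -gt 0 ]; do
        [ -e "$node" ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    [ -e "$node" ]
}

# is_mounted DEVICE MOUNTPOINT [MOUNTS_FILE]
# True only if MOUNTS_FILE (default /proc/mounts) lists DEVICE on MOUNTPOINT.
is_mounted() {
    awk -v d="$1" -v m="$2" \
        '$1 == d && $2 == m { found = 1 } END { exit !found }' \
        "${3:-/proc/mounts}"
}

# home_ready DEVICE MOUNTPOINT HOMEDIR SECONDS [MOUNTS_FILE]
# Returns 0 when all checks pass; 1, 2 or 3 names the first check that failed,
# so the caller can refuse the session instead of falling back to "/".
home_ready() {
    wait_for_node "$1" "$4" ||
        { echo "device $1 never appeared" >&2; return 1; }
    is_mounted "$1" "$2" "${5:-/proc/mounts}" ||
        { echo "$1 is not mounted on $2" >&2; return 2; }
    [ -d "$3" ] ||
        { echo "no directory $3" >&2; return 3; }
}

# Constructed demo: a fake mounts table and a node that appears one second late.
demo=$(mktemp -d)
mkdir -p "$demo/home/username"
echo "$demo/node $demo/home ext3 rw 0 0" > "$demo/mounts"
( sleep 1; : > "$demo/node" ) &
home_ready "$demo/node" "$demo/home" "$demo/home/username" 5 "$demo/mounts" &&
    echo "home ready"
wait
rm -rf "$demo"
```

On a real system the arguments would be the mapped device, the mountpoint and the user's home directory, for example `/dev/mapper/_dev_sda3`, `/home` and `/home/username` from the log above.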
Comment 4 Till Maas 2009-02-03 04:58:54 EST
Adam, is this bug now fixed for you?
