pam_mount issuing errors when unmounting, e.g., an encrypted volume during logoff

This document (7024289) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12

Situation

The system is set up to mount an encrypted volume during user logon using pam_mount:


Alternatively, the manual way:

- Create the user 'user1'
- Set up a loop device to be used as the encrypted volume
- cryptsetup luksFormat --type luks2 /dev/loop0  (the type does not matter; luks1 or luks2 both work)
- Create the file /etc/pam_mount_keys/user1.key containing a password
- cryptsetup luksAddKey /dev/loop0 /etc/pam_mount_keys/user1.key
- cryptsetup luksOpen /dev/loop0 enc_loop
- mkfs.ext4 -L USER1 /dev/mapper/enc_loop
- cryptsetup luksClose enc_loop

To make use of pam_mount, install the pam_mount package from the SLES repositories and

- Add the following in /etc/security/pam_mount.conf.xml
<volume user="user1" path="/dev/loop0" mountpoint="~"
        fstype="crypt" fskeycipher="none"
        fskeypath="/etc/pam_mount_keys/user1.key" />
- Add pam_mount.so as optional in /etc/pam.d/common-session and /etc/pam.d/common-auth
- Log in as user1 and check that the volume is mounted.

When user1 logs off, the encrypted volume stays open and the home directory is still mounted.
In syslog, pam_mount logs:

> Oct 01 16:00:00 host1 systemd[12345]: (pam_mount.c:538): *** PAM_MOUNT WAS INVOKED WITH INSUFFICIENT PRIVILEGES. (euid=1000)
> Oct 01 16:00:00 host1 systemd[12345]: (pam_mount.c:539): *** THIS IS A BUG OF THE CALLER. CONSULT YOUR DISTRO.
> Oct 01 16:00:00 host1 systemd[12345]: (pam_mount.c:540): *** Also see bugs.txt in the pam_mount source tarball/website documentation.

Resolution

A simple workaround is to add the following line directly before the "pam_mount.so" line in /etc/pam.d/common-session:

session [success=1 default=ignore] pam_succeed_if.so service = systemd-user

Example common-session for a working setup:

session optional pam_systemd.so
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_env.so
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
session optional pam_mount.so
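As an added illustration (not part of this TID), the following Python script walks a common-session stack the way PAM evaluates its control fields and shows why the workaround must sit directly before pam_mount.so: [success=1 default=ignore] skips exactly the one module that follows it, so for the service systemd-user pam_mount.so is never reached, while for any other service it still runs. The stack is a constructed copy of the example above; only the pam_succeed_if "service = NAME" test is modelled, every other module is assumed to succeed.

```python
import re

# Constructed copy of the working common-session shown in this article.
COMMON_SESSION = """\
session optional pam_systemd.so
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_env.so
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
session optional pam_mount.so
"""

# type, control (simple keyword or [key=value ...]), module, arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return (control, module, args) tuples for the non-comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable PAM line: " + line)
        entries.append((m.group(2), m.group(3), m.group(4)))
    return entries

def module_result(module, args, service):
    """Modelled outcome: pam_succeed_if tests 'service = NAME', all else succeeds."""
    if module == "pam_succeed_if.so":
        m = re.match(r"service\s*=\s*(\S+)", args)
        return "success" if m and m.group(1) == service else "default"
    return "success"

def modules_run(text, service):
    """Walk the stack like PAM does and return the modules actually invoked."""
    entries = parse_stack(text)
    ran, i = [], 0
    while i < len(entries):
        control, module, args = entries[i]
        ran.append(module)
        result = module_result(module, args, service)
        step = 1
        if control.startswith("["):  # explicit control, e.g. success=1 default=ignore
            actions = dict(kv.split("=") for kv in control[1:-1].split())
            action = actions.get(result, actions.get("default", "ignore"))
            if action.isdigit():     # a number means: jump over that many modules
                step = 1 + int(action)
        i += step
    return ran
```

Swapping the pam_succeed_if line with the pam_env.so line above it makes the jump skip pam_env.so instead, and pam_mount.so is invoked again for systemd-user.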

Cause

There are actually two problems: the PAM session-closing process "(sd-pam)"
1) is killed prematurely, and
2) does not have the privileges needed to clean up what was set up when the session was opened.

So it is not caused by pam_mount alone; systemd has its share in it, too.
See https://github.com/systemd/systemd/issues/14029.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7024289
  • Creation Date: 25-Nov-2019
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Server
