#1 2015-01-27 10:58:05

moritzs
Member
Registered: 2015-01-22
Posts: 3

Problems with unmounting luks volume with pam_mount

Hi there,

I use LUKS to encrypt my home directory and would like to mount it while logging in with pam_mount.
The mounting on login part is working so far, but unmounting fails with the following error:

systemd[13301]: (pam_mount.c:538): *** PAM_MOUNT WAS INVOKED WITH INSUFFICIENT PRIVILEGES. (euid=1000)
systemd[13301]: (pam_mount.c:539): *** THIS IS A BUG OF THE CALLER. CONSULT YOUR DISTRO.
systemd[13301]: (pam_mount.c:540): *** Also see bugs.txt in the pam_mount source tarball/website documentation.

I already found some posts on this topic but they all seem to address some older version of systemd.

I tried putting pam_mount in /etc/pam.d/{system-auth,system-login,system-local-login} and putting it before and after pam_systemd but none of that works.
It seems that logind drops the privileges and thus pam_mount can't unmount the volume any more.
This Ubuntu bug report seems to be about the same problem, although I'm not sure how relevant it is for Arch.

My /etc/security/pam_mount.conf.xml looks like this:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="0" />

		<!-- Volume definitions -->
<volume fstype="crypt" user="myusername" path="/dev/path/to/luks/volume" mountpoint="~" />

		<!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="0" term="0" kill="0" />


		<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>

$ systemctl --version
systemd 218
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN
$ pacman -Qi pam_mount | grep Version
Version              : 2.14-1
$ uname -a
Linux myhost 3.18.2-2-ARCH #1 SMP PREEMPT Fri Jan 9 07:37:51 CET 2015 x86_64 GNU/Linux

Is there a way to make this work?
I consider unmounting a LUKS volume on logout a very security-critical thing, so I hope there is a way to do it.

Offline

#2 2015-01-27 17:21:49

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,138
Website

Re: Problems with unmounting luks volume with pam_mount

The wiki page about pam_mount has a big red warning that says unmounting does not work.
It is better to use crypttab instead of pam_mount, unless you have multiple users who don't share the passphrase.

Offline

#3 2015-01-31 12:24:35

moritzs
Member
Registered: 2015-01-22
Posts: 3

Re: Problems with unmounting luks volume with pam_mount

teateawhy wrote:

The wiki page about pam_mount has a big red warning that says unmounting does not work.
It is better to use crypttab instead of pam_mount, unless you have multiple users who don't share the passphrase.

Yes, I saw that warning, but I hoped it was more of an "it doesn't work right now".
Also, I need it that way (i.e. unlocking the home partition with the PAM password).

Offline

#4 2015-02-08 20:17:28

moritzs
Member
Registered: 2015-01-22
Posts: 3

Re: Problems with unmounting luks volume with pam_mount

It seems to work when I disable "pam_systemd.so" but then logind doesn't work for this session...

Offline
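
Added example (not part of any post in this thread, and not pam_mount or systemd code): a Python check that correlates the error quoted in post #1 with the mount table, to show whether a home directory is still backed by an open /dev/mapper device after the logout unmount failed. The passwd entry, the mapping name `_dev_sdb1` and the mount table are constructed sample data; on a real system the three inputs would come from the journal, /etc/passwd and /proc/mounts.

```python
import re

# First line of the three-line error block quoted in post #1.
FAIL_RE = re.compile(
    r"([\w.-]+)\[(\d+)\]: \(pam_mount\.c:\d+\): "
    r"\*\*\* PAM_MOUNT WAS INVOKED WITH INSUFFICIENT PRIVILEGES\. \(euid=(\d+)\)"
)

def privilege_failures(journal_text):
    """Return (process, pid, euid) for every pam_mount privilege error."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in FAIL_RE.finditer(journal_text)]

def home_dirs(passwd_text):
    """Map uid -> home directory from passwd(5)-format text."""
    homes = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit():
            homes[int(fields[2])] = fields[5].rstrip("/") or "/"
    return homes

def mapper_mounts(mounts_text):
    """Map mountpoint -> device for mounts backed by /dev/mapper/*."""
    # /dev/mapper also holds LVM volumes, so treat a hit as a candidate only.
    rows = (line.split() for line in mounts_text.splitlines())
    return {r[1]: r[0] for r in rows if len(r) >= 2 and r[0].startswith("/dev/mapper/")}

def still_unlocked(journal_text, passwd_text, mounts_text):
    """Homes whose logout unmount failed and that are still mounted."""
    homes, mounts = home_dirs(passwd_text), mapper_mounts(mounts_text)
    findings = []
    for _proc, _pid, euid in privilege_failures(journal_text):
        home = homes.get(euid)
        if home in mounts and (euid, home, mounts[home]) not in findings:
            findings.append((euid, home, mounts[home]))
    return findings

# Constructed sample data: the journal line is the one quoted in post #1; the
# passwd entry, mapping name and mount table are made up for this example.
JOURNAL = ("systemd[13301]: (pam_mount.c:538): *** PAM_MOUNT WAS INVOKED WITH "
           "INSUFFICIENT PRIVILEGES. (euid=1000)\n")
PASSWD = "root:x:0:0::/root:/bin/bash\nmyusername:x:1000:1000::/home/myusername:/bin/bash\n"
MOUNTS = ("/dev/sda1 / ext4 rw,relatime 0 0\n"
          "/dev/mapper/_dev_sdb1 /home/myusername ext4 rw,nosuid,nodev 0 0\n")

if __name__ == "__main__":
    for uid, home, dev in still_unlocked(JOURNAL, PASSWD, MOUNTS):
        print(f"uid {uid}: {home} still mounted from {dev} after failed unmount")
```

A finding means the volume stayed unlocked past logout; `cryptsetup status` on the mapping name confirms whether it is a dm-crypt device.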
