systemd as an alternative to pam_mount?

Xyne · 2020-09-07 11:35:31

I use pam_mount to mount tmpfs directories for each user on login. The directories serve as sandboxed home directories with a script that manages symlinks to the "real" home directories. This helps me keep my home directories clean.
Although pam_mount gets the job done, there are 2 drawbacks that I would like to avoid: by default, the directories are not unmounted when the user logs out, and pam_mount requires changes to /etc/pam.d/system-login that I would rather just leave alone. Overall it feels like pam_mount is a bit of a hack and I worry that support will eventually be dropped.

I suspect that I can achieve the same setup with systemd and user sessions but I can't seem to find the relevant documentation. I asked the question back in 2012 but it wasn't possible then. Can anyone confirm if this has changed?

To give a concrete example, when user "foo" logs in, I want to mount a tmpfs filesystem to /home/tmp/foo.
/home/tmp/foo should be mounted before sourcing bash_profile and the various snippets in /etc/profile.d.
If "foo" logs in on multiple terminals simultaneously, only the first login should mount /home/tmp/foo and all other logins should detect that /home/tmp/foo is already mounted.
/home/tmp/foo should be unmounted when the last session of user "foo" logs out.

I would also like to be able to mount a luks encrypted partition for a user on login, but this does not seem to be possible. However, if I am mistaken, please tell me.

WorMzy · 2020-09-07 13:59:44

As System Administration is closed to regular users, I'm going to move this to Apps/DE.

Trilby · 2020-09-07 14:01:56

What about systemd --user units? Those temporary directories could then be handled by systemd-tmpfiles within the user session.

schard · 2020-09-07 14:20:40

Maybe also systemd-homed is an alternative option for your case.
Especially with DefaultFileSystemType=tmpfs set in homed.conf.

Last edited by schard (2020-09-07 14:21:14)

eschwartz · 2020-09-07 16:17:32

WorMzy wrote:

As System Administration is closed to regular users, I'm going to move this to Apps/DE.

Isn't that only for creating threads, not replying to them?

WorMzy · 2020-09-07 17:32:56

I'm not an admin so I can't check the specifics, but personally, I thought it was the former. However, we had a number of reports suggesting it is the latter so I moved the topic to be on the safe side.

Xyne · 2020-09-07 20:16:05

Sorry, I didn't consider the restrictions on the SA subforum when posting. Thanks for moving the thread.

@Trilby
The drawback of user units in my case is that they are located in the user directory, which is what I want to mount in tmpfs. It seems that I would need to copy the into the parent filesystem at /home/tmp/foo/.config/user-tmpfiles.d/ and then mount a tmpfs filesystem on top of it. I could probably make that work but it seems kludgy. The ideal would be able to use a system unit to mount a tmpfs directory for a user in a given group on login, before any files in the user's home directory are accessed.

I suppose that I could just manually create system instances of systemd-tmpfiles for each member of a given user group, which would be simple to script, but I don't know if I cat sync the mounting to user sessions.

@schard
I'll dig deeper into systemd-homed. So far I haven't been able to find anything about mounting tmpfs filesystems with it.

Trilby · 2020-09-07 20:59:14

Xyne wrote:

The drawback of user units in my case is that they are located in the user directory

Only those that are specific to a given user. They can also be in /etc/systemd/user/ and will be started at each users login.

eschwartz · 2020-09-07 21:55:50

Trilby wrote:

Xyne wrote:
The drawback of user units in my case is that they are located in the user directory
Only those that are specific to a given user. They can also be in /etc/systemd/user/ and will be started at each users login.

^^ This.

To set up a user unit via /etc/ managed enablement, use

systemctl enable --global <unit>

(This is happening for you right now since official repo packages set up user level sockets automatically in /etc/systemd/user/sockets.target.wants/ for socket-activated things like pulseaudio or the gpg-agent.)

Xyne · 2020-09-08 00:14:51

Here are my conclusions so far after playing around with systemd tmpfiles and mounts, as a reply to previous posts and to anyone else trying to achieve the same thing.

I can use systemd-tmpfiles to create a temporary directory but only on an existing filesystem (unless I've missed an option). While I could place all temporary user directories on a common tmpfs filesystem, my goal is to provide a separate tmpfs filesystem for each user for isolation to and avoid writing temporary date to disk. I see no way to do this with tmpfiles.

Systemd mounts initially seemed promising but I ran into the same problem that I encountered the last time I tried this (and subsequently forgot about it), namely that the "Where" option of the [Mount] section must match the file name. While the unit file supports specifiers such as "%u" as a placeholder for the invoking user's name, this doesn't seem to be supported in the name, even escaped with "systemd-escape -p --suffix=mount ...". I suppose that systemd's mount ordering requires absolute and unambiguous paths so there doesn't seem to be any way to template mount units. And even if it did support specifiers in the mount path, mount units can only be run by the system user. Separate system units per user seems to be the only way to do it, but that's manageable with a script.

As for mounting on login and logout, it seems that I can use automount units to mount the user tmpfs filesystems on demand when the user logs in, but the only automatic unmount option I see is based on an idleness timer. That won't work for me because I need to ensure that the tmpfs directory remains mounted until the user logs out to prevent data loss, even if the user idles for a few days or more.

I still need to check the options for tmpfs in systemd-homed.

It seems to be surprisingly difficult to just mount a tmpfs directory when a user logs in and unmount it when a user logs out.

fukawi2 · 2020-09-08 00:23:41

eschwartz wrote:

WorMzy wrote:
As System Administration is closed to regular users, I'm going to move this to Apps/DE.
Isn't that only for creating threads, not replying to them?

I've now made it completely Read Only. No-one can post new topics or replies to System Administration now.

seth · 2020-09-08 06:53:14

It seems to be surprisingly difficult to just mount a tmpfs directory when a user logs in and unmount it when a user logs out.

It actually is, because that's exactly what pam_mount does.
Unsing system-login should™ not get you the unmounting issues (that's a pam_auth issue, https://wiki.archlinux.org/index.php?ti … did=491553 ) and obviously, if you want to use more PAMs, you'll have to edit your pam config.
*shrug*

If you worry about bad things to happen if eg. some pam module (tally) is retracted and your config now broken (apparently happens ;-) you could maybe appeal the the maintainer of https://www.archlinux.org/packages/core/any/pambase/ to make it more generic by unconditionally including some system-login-local-config or system-login-custom (to avoid confusion w/ local-login)

Arch Linux

#1 2020-09-07 11:35:31

systemd as an alternative to pam_mount?

#2 2020-09-07 13:59:44

Re: systemd as an alternative to pam_mount?

#3 2020-09-07 14:01:56

Re: systemd as an alternative to pam_mount?

#4 2020-09-07 14:20:40

Re: systemd as an alternative to pam_mount?

#5 2020-09-07 16:17:32

Re: systemd as an alternative to pam_mount?

#6 2020-09-07 17:32:56

Re: systemd as an alternative to pam_mount?

#7 2020-09-07 20:16:05

Re: systemd as an alternative to pam_mount?

#8 2020-09-07 20:59:14

Re: systemd as an alternative to pam_mount?

#9 2020-09-07 21:55:50

Re: systemd as an alternative to pam_mount?

#10 2020-09-08 00:14:51

Re: systemd as an alternative to pam_mount?

#11 2020-09-08 00:23:41

Re: systemd as an alternative to pam_mount?

#12 2020-09-08 06:53:14

Re: systemd as an alternative to pam_mount?

Board footer