# pam_mount does not umount home directory upon logout

## tomblue

Hi all,

I've got my home directory on an encrypted partition that gets automatically mounted upon login. This works fine:

```
su - herbert
pam_mount(pam_mount.c:458): pam_mount 1.8: entering session stage
pam_mount(pam_mount.c:479): back from global readconfig
pam_mount(pam_mount.c:481): per-user configurations not allowed by pam_mount.conf.xml
pam_mount(pam_mount.c:202): enter read_password
reenter password for pam_mount:
pam_mount(misc.c:38): Session open: (uid=0, euid=0, gid=1000, egid=1000)
pam_mount(rdconf2.c:180): checking sanity of volume record (/dev/hda4)
pam_mount(pam_mount.c:536): about to perform mount operations
pam_mount(mount.c:181): Mount info: globalconf, user=herbert <volume server="(null)" path="/dev/hda4" mountpoint="/home" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="fsck" /> fstab=0
pam_mount(mount-sysv.c:57): realpath of volume "/home" is "/home"
pam_mount(mount-sysv.c:61): checking to see if /dev/hda4 is already mounted at /home
pam_mount(mount.c:494): checking for encrypted filesystem key configuration
pam_mount(mount.c:497): about to start building mount command
command: [mount.crypt] [-ofsck] [/dev/hda4] [/home] 
pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=1000, egid=1000)
pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1000, egid=1000)
Password: 
key slot 1 unlocked.
pam_mount(mount.c:75): mount errors:
pam_mount(mount.c:78): Command successful.
fsck 1.41.3 (12-Oct-2008)
/dev/mapper/_dev_hda4: clean, 466/3538944 files, 4634915/7064326 blocks
pam_mount(mount.c:539): waiting for mount
Filesystem    Type   1K-blocks      Used Available Use% Mounted on
rootfs      rootfs    10317860   6581408   3317156  67% /
/dev/root     ext2    10317860   6581408   3317156  67% /
/proc         proc           0         0         0   -  /proc
rc-svcdir    tmpfs        1024        92       932   9% /lib/rc/init.d
sysfs        sysfs           0         0         0   -  /sys
udev         tmpfs       10240        80     10160   1% /dev
devpts      devpts           0         0         0   -  /dev/pts
shm          tmpfs      125500         0    125500   0% /dev/shm
usbfs        usbfs           0         0         0   -  /proc/bus/usb
/dev/hda4    crypt    27813076  18095432   8304780  69% /home
command: [pmvarrun] [-u] [herbert] [-o] [1] 
pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=1000, egid=1000)
pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1000, egid=1000)
pam_mount(pam_mount.c:418): pmvarrun says login count is 1
pam_mount(pam_mount.c:550): done opening session (ret=0)
```

/home is mounted successfully. Upon logout /home is supposed to be unmounted. And then it happens:

```
logout
pam_mount(pam_mount.c:592): received order to close things
pam_mount(misc.c:38): Session close: (uid=1000, euid=1000, gid=1000, egid=1000)
command: [pmvarrun] [-u] [herbert] [-o] [-1] 
pam_mount(misc.c:38): set_myuid<pre>: (uid=1000, euid=1000, gid=1000, egid=1000)
pam_mount(spawn.c:101): error setting uid to 0
pmvarrun(pmvarrun.c:445): could not unlink /var/run/pam_mount/herbert: Permission denied
pam_mount(pam_mount.c:418): pmvarrun says login count is 0
pam_mount(mount.c:673): going to unmount
pam_mount(mount.c:181): Mount info: globalconf, user=herbert <volume server="(null)" path="/dev/hda4" mountpoint="/home" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="fsck" /> fstab=0
command: [umount.crypt] [/home] 
pam_mount(misc.c:38): set_myuid<pre>: (uid=1000, euid=1000, gid=1000, egid=1000)
pam_mount(spawn.c:101): error setting uid to 0
pam_mount(mount.c:75): umount errors:
pam_mount(mount.c:78): umount: /home is not in the fstab (and you are not root)
pam_mount(mount.c:78): umount /home failed with run_sync status 2
pam_mount(mount.c:78): mlockall failed: Cannot allocate memory
pam_mount(mount.c:78): WARNING!!! Possibly insecure memory. Are you root?
pam_mount(mount.c:78): Command failed: Failure to communicate with kernel device-mapper driver.
pam_mount(mount.c:78): mlockall failed: Cannot allocate memory
pam_mount(mount.c:78): WARNING!!! Possibly insecure memory. Are you root?
pam_mount(mount.c:78): Command failed: Failure to communicate with kernel device-mapper driver.
pam_mount(mount.c:340): waiting for umount
pam_mount(mount.c:676): unmount of /dev/hda4 failed
pam_mount(pam_mount.c:633): pam_mount execution complete
pam_mount(pam_mount.c:115): Clean global config (0)
```

Apparently I need to be "root" to umount, but setting uid=0 fails

> pam_mount(spawn.c:101): error setting uid to 0

due to something...

I'm using "sys-auth/pam_mount-1.8". My pam_mount.conf.xml

```
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume user="herbert" fstype="crypt" path="/dev/hda4" mountpoint="/home"
        options="fsck"/>
<debug enable="1" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions require="nosuid,nodev" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<logout wait="0" hup="0" term="0" kill="0" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>
```

Does anyone have an idea what causes this and how to fix it? Any help appreciated.

Thanks a lot!

----------

## Bircoph

Same here (pam_mount-1.25-r1, pam-1.0.4).

Unfortunately this is a very long-standing problem. The reason is that pam_mount privileges are dropped too early by su (and some other programs); actually su drops them after login, but pam_mount needs them the whole time.

There are some links:

https://bugs.launchpad.net/ubuntu/+source/libpam-mount/+bug/117736

http://www.redhat.com/archives/pam-list/2003-April/msg00015.html

http://www.archivum.info/debian-bugs-dist%40lists.debian.org/2007-09/msg22233.html

[...]

This bug is widely observed on Gentoo, Debian, Ubuntu. But it works somehow on RedHat (at least as of Fedora 9), maybe some pam/su patches, I should investigate this one day...

There is another approach: you could specify your own cryptumount program in the pam_mount.conf. However, currently (as of version 1.25-r1) the pam_mount parser is broken: it ignores the cryptumount option; it is fixed in 1.26, but that is still not in portage. Just create your own SUID wrapper around mount.crypt, set o-rwx and allow g+x only for a trusted group. This should help.
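As an added illustration, not part of the original posts: a small Python parser for pam_mount debug output that flags session-close stages entered without root, which is the condition that leaves the encrypted volume mounted after logout. The function name, record fields and the `ROOT_CLOSE` sample are assumptions made for this example; `FAILED_CLOSE` is condensed from the logout log in the first post.

```python
import re

SESSION_CLOSE = re.compile(r"Session close: \(uid=(\d+), euid=(\d+),")
SETUID_FAIL = re.compile(r"error setting uid to 0")
UNMOUNT_FAIL = re.compile(r"unmount of (\S+) failed")
CLOSE_DONE = re.compile(r"pam_mount execution complete")

# Lines taken from the failing logout log in the first post (condensed).
FAILED_CLOSE = """\
pam_mount(pam_mount.c:592): received order to close things
pam_mount(misc.c:38): Session close: (uid=1000, euid=1000, gid=1000, egid=1000)
pam_mount(spawn.c:101): error setting uid to 0
pam_mount(mount.c:673): going to unmount
pam_mount(spawn.c:101): error setting uid to 0
pam_mount(mount.c:78): umount: /home is not in the fstab (and you are not root)
pam_mount(mount.c:676): unmount of /dev/hda4 failed
pam_mount(pam_mount.c:633): pam_mount execution complete
"""

# Constructed for contrast: the same close stage still running as root.
ROOT_CLOSE = """\
pam_mount(misc.c:38): Session close: (uid=0, euid=0, gid=1000, egid=1000)
pam_mount(mount.c:673): going to unmount
pam_mount(pam_mount.c:633): pam_mount execution complete
"""


def analyze_session_closes(log_text):
    """Return one record per 'Session close' stage found in pam_mount debug output."""
    records, current = [], None
    for line in log_text.splitlines():
        match = SESSION_CLOSE.search(line)
        if match:
            current = {"uid": int(match.group(1)), "euid": int(match.group(2)),
                       "setuid_failures": 0, "still_mounted": []}
            records.append(current)
        elif current is None:
            continue  # ignore everything outside a close stage (e.g. session open)
        elif SETUID_FAIL.search(line):
            current["setuid_failures"] += 1
        elif UNMOUNT_FAIL.search(line):
            current["still_mounted"].append(UNMOUNT_FAIL.search(line).group(1))
        elif CLOSE_DONE.search(line):
            current = None
    for rec in records:
        # Pattern from the thread: close stage runs unprivileged and cannot regain root.
        rec["privileges_dropped"] = rec["euid"] != 0 and rec["setuid_failures"] > 0
    return records
```

Feeding it the debug output captured from su, ssh and display-manager logins shows which login paths reach the close stage unprivileged and which devices they leave mounted.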

----------

## jowr

I get this problem too. Sometimes.

It is rather inconsistent, but given this is a single user system I don't see it being much of an issue.

----------

## Bircoph

*jowr wrote:*

> It is rather inconsistent

Can you describe this in greater detail?

I have this problem when using su or ssh login; I do not have this problem with kdm or console logins.

*Quote:*

> but given this is a single user system I don't see it being much of an issue.

No, really, this is a very serious problem. Even on a single (physical) user system you often need several users: e.g. one user for "normal" operations, and the other one for "secure", obviously the latter needs secure home/tmp and the most often used way to login will be su.

----------

