Bug 1226452

Summary: pam-config: Faulty on user systemd services due to encrypted home dir
Product: [openSUSE] openSUSE Tumbleweed Reporter: Josesk Volpe <joseskvolpe>
Component: Basesystem Assignee: E-mail List <screening-team-bugs>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: kukuk
Version: Current   
Target Milestone: ---   
Hardware: All   
OS: openSUSE Tumbleweed   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Josesk Volpe 2024-06-18 00:09:58 UTC
Systemd is triggered before the user home directory is unlocked with fscrypt or ecryptfs, which results in errors with some services.

To reproduce the issue I'm using fscrypt and onedriver (home:jstaf/packages/onedriver); I've set it up to automount my OneDrive storage in a directory inside my home dir. After logging in I get an error about '/etc/mtab' not having the OneDriver entry. Changing the pam.d order in /etc/pam.d/common-session fixes that.

Fscrypt README (https://github.com/google/fscrypt?tab=readme-ov-file#enabling-the-pam-module-on-other-linux-distros) advises calling pam_fscrypt.so before pam_systemd.so.

The original file is found as:
session optional        pam_systemd.so
session required        pam_limits.so   
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so    
session optional        pam_fscrypt.so
(...)

It should be:
session required        pam_limits.so   
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so    
session optional        pam_fscrypt.so
session optional        pam_systemd.so
(...)


EXPECTED RESULTS: The user home directory must be unlocked before trying to execute any user service. This configuration must be automatically set by pam-config.

CURRENT RESULTS: SystemD is triggered to start user services before the user's home directory is unlocked, which breaks some programs.
Comment 1 Thorsten Kukuk 2024-06-18 07:18:04 UTC
This problem is not solvable, since they have a classical deadlock:

pam_systemd needs to be called before pam_krb5
pam_fscrypt needs to be called after pam_unix
pam_krb5 and pam_unix setup is so complex that you cannot put pam_systemd somewhere in between.

So if you don't use Kerberos, you may be lucky and it works if you change it manually.
Else: somebody needs to clean up this dependency mess in the modules, this is nothing pam-config can solve.
Comment 2 Thorsten Kukuk 2024-06-20 08:47:10 UTC
I made some changes, let's hope not too much else got broken by this.
Comment 4 OBSbugzilla Bot 2024-06-20 09:25:03 UTC
This is an autogenerated message for OBS integration:
This bug (1226452) was mentioned in
https://build.opensuse.org/request/show/1181887 Factory / pam-config
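
Added example (not part of the report, the comments, or pam-config): a small checker that reads a PAM session stack and reports which of the ordering constraints stated in this thread it breaks. The function names are hypothetical, and it inspects only the text it is given, without following include lines.

```python
import re

# Ordering constraints as stated in this bug thread: (earlier, later).
CONSTRAINTS = [
    ("pam_fscrypt.so", "pam_systemd.so"),  # description / fscrypt README
    ("pam_unix.so", "pam_fscrypt.so"),     # comment 1
    ("pam_systemd.so", "pam_krb5.so"),     # comment 1
]
# type (optionally "-" prefixed), control (word or [bracketed]), module path
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_modules(text):
    """Return module basenames of the session stack, in call order."""
    modules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = LINE_RE.match(line)
        if m and m.group(1) == "session":
            modules.append(m.group(3).rsplit("/", 1)[-1])
    return modules

def ordering_violations(text):
    """List the (earlier, later) constraints that the session stack breaks."""
    mods = session_modules(text)
    return [(a, b) for a, b in CONSTRAINTS
            if a in mods and b in mods and mods.index(a) > mods.index(b)]

# The two stacks quoted in the report (trailing "(...)" omitted).
ORIGINAL = """\
session optional        pam_systemd.so
session required        pam_limits.so
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so
session optional        pam_fscrypt.so
"""
REORDERED = """\
session required        pam_limits.so
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so
session optional        pam_fscrypt.so
session optional        pam_systemd.so
"""

if __name__ == "__main__":
    print(ordering_violations(ORIGINAL), ordering_violations(REORDERED))
```

A constraint is only evaluated when both modules appear in the stack, so a system without pam_krb5 is not flagged for the Kerberos ordering.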