Bug 1226452 - pam-config: Faulty on user systemd services due to encrypted home dir
Status: RESOLVED FIXED
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Version: Current
Hardware: All openSUSE Tumbleweed
Importance: P5 - None : Normal
Reported: 2024-06-18 00:09 UTC by Josesk Volpe
Modified: 2024-06-20 09:25 UTC (History)
Description Josesk Volpe 2024-06-18 00:09:58 UTC
Systemd is triggered before the user home directory is unlocked with fscrypt or ecryptfs, which results in errors with some services.

To reproduce the issue I'm using fscrypt and onedriver (home:jstaf/packages/onedriver); I've set it up to automount my OneDrive storage in a directory inside my home dir. After logging in I get an error about '/etc/mtab' not having the OneDriver entry. Changing the pam.d order in /etc/pam.d/common-session fixes that.

The fscrypt README (https://github.com/google/fscrypt?tab=readme-ov-file#enabling-the-pam-module-on-other-linux-distros) advises calling pam_fscrypt.so before pam_systemd.so.

The original file is found as:
session optional        pam_systemd.so
session required        pam_limits.so   
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so    
session optional        pam_fscrypt.so
(...)

It should be:
session required        pam_limits.so   
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so    
session optional        pam_fscrypt.so
session optional        pam_systemd.so
(...)


EXPECTED RESULTS: The user home directory must be unlocked before trying to execute any user service. This configuration must be automatically set by pam-config.

CURRENT RESULTS: SystemD is triggered to start user services before its home directory is unlocked, which breaks some programs.
Comment 1 Thorsten Kukuk 2024-06-18 07:18:04 UTC
This problem is not solvable, since they have a classical deadlock:

pam_systemd needs to be called before pam_krb5
pam_fscrypt needs to be called after pam_unix
pam_krb5 and pam_unix setup is so complex that you cannot put pam_systemd somewhere in between.

So if you don't use kerberos, you may be lucky and it works if you change it manually.
Else: somebody needs to clean up this dependency mess in the modules, this is nothing pam-config can solve.
Comment 2 Thorsten Kukuk 2024-06-20 08:47:10 UTC
I made some changes, let's hope not too much else got broken by this.
Comment 4 OBSbugzilla Bot 2024-06-20 09:25:03 UTC
This is an autogenerated message for OBS integration:
This bug (1226452) was mentioned in
https://build.opensuse.org/request/show/1181887 Factory / pam-config
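
Added example (not part of the bug report and not pam-config code): a small checker that reads a PAM session stack and reports which of the ordering rules stated in the description and in Comment 1 it breaks. The function names, the RULES table and the two sample strings are made up for this illustration; the sample stacks are the ones quoted in the description, without the elided lines.

```python
import os
import re

# Ordering rules stated on this page: (must come first, must come later, source)
RULES = [
    ("pam_fscrypt.so", "pam_systemd.so", "fscrypt README"),
    ("pam_unix.so", "pam_fscrypt.so", "comment 1"),
    ("pam_systemd.so", "pam_krb5.so", "comment 1"),
]

# type, control (simple word or [bracketed] form), module path
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_modules(text):
    """Return module file names of the session stack, in file order."""
    modules = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "session":
            continue
        if m.group(2) in ("include", "substack"):
            continue  # names another PAM file, not a module
        modules.append(os.path.basename(m.group(3)))
    return modules

def order_violations(text):
    """List (first, later, source) rules that the session stack breaks."""
    mods = session_modules(text)
    broken = []
    for first, later, source in RULES:
        if first in mods and later in mods and mods.index(first) > mods.index(later):
            broken.append((first, later, source))
    return broken

# The two stacks quoted in the description, without the elided "(...)" lines.
ORIGINAL = """\
session optional        pam_systemd.so
session required        pam_limits.so
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so
session optional        pam_fscrypt.so
"""
PROPOSED = """\
session required        pam_limits.so
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so
session optional        pam_fscrypt.so
session optional        pam_systemd.so
"""

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, order_violations(stack) or "ok")
```

To check a live system, pass the contents of /etc/pam.d/common-session to order_violations(); lines pulled in through include or substack are not followed.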