Report forwarded
to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#639391; Package sudo.
(Fri, 26 Aug 2011 18:27:04 GMT).
Acknowledgement sent
to Michael Schuerig <michael@schuerig.de>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>.
(Fri, 26 Aug 2011 18:27:04 GMT).
Subject: sudo: Changes to session handling cause ecryptfs $HOME to be unmounted
Date: Fri, 26 Aug 2011 20:25:31 +0200
Package: sudo
Version: 1.8.2-1
Severity: important
After upgrading sudo, I noticed that my ecryptfs encrypted home
directory was unmounted after using sudo. Specifically, after
a newly authenticated sudo session was finished.
The encrypted home dir is mounted automatically through
pam_ecryptfs.so and is meant to be unmounted only when the last
session is closed.
For this purpose, ecryptfs keeps track of the mount count in
/dev/shm/ecryptfs-$USER-Private. Only when the count reaches 0
is the umount performed.
This worked with all versions of sudo until now. The changed
PAM configuration has the effect that at the start of a sudo
session the ecryptfs mount count is *not* incremented, while it
is decremented when the session ends. When the counter reaches
0, this causes the encrypted directory to be unmounted.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages sudo depends on:
ii libc6 2.13-16 Embedded GNU C Library: Shared lib
ii libpam-modules 1.1.3-2 Pluggable Authentication Modules f
ii libpam0g 1.1.3-2 Pluggable Authentication Modules l
sudo recommends no packages.
sudo suggests no packages.
-- Configuration Files:
/etc/sudoers [Errno 13] Permission denied: u'/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: u'/etc/sudoers.d/README'
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#639391; Package sudo.
(Fri, 26 Aug 2011 19:45:08 GMT).
Acknowledgement sent
to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list.
(Fri, 26 Aug 2011 19:45:08 GMT).
On Fri, 26 Aug 2011 20:25:31 +0200, Michael Schuerig <michael@schuerig.de> wrote:
> The changed
> PAM configuration has the effect that at the start of a sudo
> session the ecryptfs mount count is *not* incremented, while it
> is decremented when the session ends.
I'm not enough of a pam expert to know immediately how to resolve this.
Any suggestions? Steve?
Bdale
Information forwarded
to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#639391; Package sudo.
(Fri, 26 Aug 2011 20:00:03 GMT).
Acknowledgement sent
to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
(Fri, 26 Aug 2011 20:00:03 GMT).
On Fri, Aug 26, 2011 at 01:41:34PM -0600, Bdale Garbee wrote:
> On Fri, 26 Aug 2011 20:25:31 +0200, Michael Schuerig <michael@schuerig.de> wrote:
> > The changed
> > PAM configuration has the effect that at the start of a sudo
> > session the ecryptfs mount count is *not* incremented, while it
> > is decremented when the session ends.
> I'm not enough of a pam expert to know immediately how to resolve this.
> Any suggestions? Steve?
What change to the PAM configuration is referred to here?
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
Information forwarded
to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#639391; Package sudo.
(Fri, 26 Aug 2011 20:15:03 GMT).
Acknowledgement sent
to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
(Fri, 26 Aug 2011 20:15:03 GMT).
On Fri, Aug 26, 2011 at 12:57:50PM -0700, Steve Langasek wrote:
> On Fri, Aug 26, 2011 at 01:41:34PM -0600, Bdale Garbee wrote:
> > On Fri, 26 Aug 2011 20:25:31 +0200, Michael Schuerig <michael@schuerig.de> wrote:
> > > The changed
> > > PAM configuration has the effect that at the start of a sudo
> > > session the ecryptfs mount count is *not* incremented, while it
> > > is decremented when the session ends.
> > I'm not enough of a pam expert to know immediately how to resolve this.
> > Any suggestions? Steve?
> What change to the PAM configuration is referred to here?
Ah, I see, common-session is now included - that's good. :)
But if the calls to pam_open_session() and pam_close_session() are not
symmetric in sudo, that's bad. It's actually quite surprising that this
should happen, as it's much more common for services to get the
open_session() right and miss the close_session(). In fact, this is exactly
what I see in the case of sudo with cached credentials: pam_open_session()
is called, pam_close_session() is not. (That's also a bug - but not the one
causing the problem Michael sees.)
Looking closely, I see that pam_open_session() is called with
PAM_USER=<target user>, and pam_close_session() is called with
PAM_USER=<source user>. That's definitely wrong, the value should be the
same for both calls.
The mismatch probably has to do with sudo's peculiarity of using
authentication credentials of the source user to authorize access to a
different target user, instead of using credentials for the target user. I
think this needs to be looked at by sudo upstream.
(Debugged using 'session optional pam_warn.so' added to /etc/pam.d/sudo,
btw - logs useful information about what pam's thinking to
/var/log/auth.log.)
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
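The asymmetry diagnosed in the message above, combined with the per-user mount counter from the original report, can be checked mechanically from the pam_warn records in auth.log. This is an added example, not part of the thread and not sudo or ecryptfs code; the log layout is assumed from pam_warn's output, the sample lines are constructed, and the counter is a simplified model in which every open_session increments and every close_session decrements the count of the user named in PAM_USER.

```python
import re
from collections import Counter

# Constructed auth.log lines in the layout pam_warn logs (assumed);
# host, terminal and user names are invented for the example.
SAMPLE_LOG = """\
Aug 26 21:02:11 host sudo: pam_warn(sudo:session): function=[pam_sm_open_session] flags=0 service=[sudo] terminal=[/dev/pts/1] user=[root] ruser=[michael] rhost=[<unknown>]
Aug 26 21:02:14 host sudo: pam_warn(sudo:session): function=[pam_sm_close_session] flags=0 service=[sudo] terminal=[/dev/pts/1] user=[michael] ruser=[michael] rhost=[<unknown>]
"""

# \buser keeps the match off the ruser=[...] field.
PAM_WARN = re.compile(
    r"pam_warn\((?P<service>[^:]+):session\): "
    r"function=\[pam_sm_(?P<op>open|close)_session\].*?\buser=\[(?P<user>[^\]]*)\]"
)

def session_events(log_text):
    """Yield (service, op, pam_user) for each pam_warn session record."""
    for line in log_text.splitlines():
        m = PAM_WARN.search(line)
        if m:
            yield m["service"], m["op"], m["user"]

def replay(log_text, initial_counts):
    """Replay events against per-user mount counts (simplified model of the
    counter in /dev/shm/ecryptfs-$USER-Private); return (counts, findings)."""
    counts = Counter(initial_counts)
    opened = Counter()  # sessions opened and not yet closed, per (service, PAM_USER)
    findings = []
    for service, op, user in session_events(log_text):
        if op == "open":
            opened[service, user] += 1
            counts[user] += 1
            continue
        if opened[service, user] == 0:
            findings.append(f"{service}: close_session for {user} without open_session")
        else:
            opened[service, user] -= 1
        counts[user] -= 1
        if counts[user] <= 0:
            findings.append(f"{user}: mount count {counts[user]}, home would be unmounted")
    for (service, user), n in opened.items():
        if n > 0:
            findings.append(f"{service}: open_session for {user} never closed")
    return dict(counts), findings

if __name__ == "__main__":
    for finding in replay(SAMPLE_LOG, {"michael": 1})[1]:
        print(finding)
```

The "never closed" finding also covers the cached-credentials case described above, where pam_open_session() is called and pam_close_session() is not.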
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#639391; Package sudo.
(Tue, 27 Sep 2011 04:09:03 GMT).
Acknowledgement sent
to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list.
(Tue, 27 Sep 2011 04:09:03 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#639391; Package sudo.
(Tue, 27 Sep 2011 13:48:46 GMT).
Acknowledgement sent
to Julian Andres Klode <jak@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
(Tue, 27 Sep 2011 13:48:46 GMT).
To: Michael Schuerig <michael@schuerig.de>, 639391@bugs.debian.org
Subject: Re: Bug#639391: sudo: Changes to session handling cause ecryptfs $HOME to be unmounted
Date: Tue, 27 Sep 2011 15:47:12 +0200
On Fri, Aug 26, 2011 at 08:25:31PM +0200, Michael Schuerig wrote:
> Package: sudo
> Version: 1.8.2-1
> Severity: important
>
>
> After upgrading sudo, I noticed that my ecryptfs encrypted home
> directory was unmounted after using sudo. Specifically, after
> a newly authenticated sudo session was finished.
This seems fixed in sudo 1.8.2-2:
jak@jak-thinkpad:~$ sudo echo Hello world ; mount | grep Private | cut -f1 -d\(
Hello world
/home/jak/.Private on /home/jak/Private type ecryptfs
--
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
Information forwarded
to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#639391; Package sudo.
(Sat, 01 Oct 2011 02:09:02 GMT).
Acknowledgement sent
to Matt Behrens <matt@zigg.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
(Sat, 01 Oct 2011 02:09:03 GMT).
To: Julian Andres Klode <jak@debian.org>, 639391@bugs.debian.org
Subject: Re: Bug#639391: sudo: Changes to session handling cause ecryptfs
Date: Fri, 30 Sep 2011 22:04:24 -0400
It does not seem to be fixed for me. I still get my $HOME unmounted
after executing sudo 1.8.2-2.
I would expect from the upstream bug that this will be fixed in 1.8.3?
Information forwarded
to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#639391; Package sudo.
(Sat, 01 Oct 2011 12:01:47 GMT).
Acknowledgement sent
to Matt Behrens <matt@zigg.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
(Sat, 01 Oct 2011 12:02:11 GMT).
To: Julian Andres Klode <jak@debian.org>, 639391@bugs.debian.org
Subject: Re: Bug#639391: sudo: Changes to session handling cause ecryptfs
Date: Sat, 01 Oct 2011 07:58:41 -0400
On 09/30/2011 10:04 PM, Matt Behrens wrote:
> It does not seem to be fixed for me. I still get my $HOME unmounted
> after executing sudo 1.8.2-2.
On further reflection (sorry, I sent that last update just before bed),
it's worth noting that Julian's test uses a Private directory, while I
have my entire $HOME encrypted.
Information forwarded
to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#639391; Package sudo.
(Sat, 01 Oct 2011 21:09:29 GMT).
Acknowledgement sent
to Julian Andres Klode <jak@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
(Sat, 01 Oct 2011 21:09:34 GMT).
Subject: Re: Bug#639391: sudo: Changes to session handling cause ecryptfs
Date: Sat, 1 Oct 2011 23:07:19 +0200
On Fri, Sep 30, 2011 at 10:04:24PM -0400, Matt Behrens wrote:
> It does not seem to be fixed for me. I still get my $HOME unmounted
> after executing sudo 1.8.2-2.
Yep, sorry, also happens here again. The disappearance of the
problem seemed to be temporary, I don't know what caused it
and did not make any changes since then.
Information forwarded
to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#639391; Package sudo.
(Thu, 20 Oct 2011 19:06:07 GMT).
Acknowledgement sent
to Philip Pemberton <philpem@philpem.me.uk>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
(Thu, 20 Oct 2011 19:06:07 GMT).
Subject: Re: sudo: Changes to session handling cause ecryptfs $HOME to be unmounted
Date: Thu, 20 Oct 2011 19:29:29 +0100
For anyone who doesn't want to wait for the final release, this is the
changeset you need:
http://www.sudo.ws/repos/sudo/rev/d0866ee5f190
Clone the repository with Mercurial. Export the above changeset
(d0866ee5f190) as a patch.
Use apt-get source to grab the sources for sudo from the appropriate
repo. Also run 'apt-get build-dep sudo' to get the build dependencies.
Apply the patch (from Hg) to the Debian sources.
"dch -i". Update the version number to identify it as a
locally-generated version (I used 1.8.2-2philpem1).
"debuild -us -uc"
Install the resulting package with "dpkg -i sudo_{blah}.deb". Ignore
sudo-ldap; you probably want normal sudo (you'll know if you need
sudo-ldap).
Took me about 15 minutes but fixed the bug nicely on my laptop (which
uses ecryptfs-encrypted home directories).
--
Phil.
philpem@philpem.me.uk
http://www.philpem.me.uk/
Reply sent
to Bdale Garbee <bdale@gag.com>:
You have taken responsibility.
(Sun, 23 Oct 2011 07:01:47 GMT).
Notification sent
to Michael Schuerig <michael@schuerig.de>:
Bug acknowledged by developer.
(Sun, 23 Oct 2011 07:01:47 GMT).
Source: sudo
Source-Version: 1.8.3-1
We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:
sudo-ldap_1.8.3-1_i386.deb
to main/s/sudo/sudo-ldap_1.8.3-1_i386.deb
sudo_1.8.3-1.debian.tar.gz
to main/s/sudo/sudo_1.8.3-1.debian.tar.gz
sudo_1.8.3-1.dsc
to main/s/sudo/sudo_1.8.3-1.dsc
sudo_1.8.3-1_i386.deb
to main/s/sudo/sudo_1.8.3-1_i386.deb
sudo_1.8.3.orig.tar.gz
to main/s/sudo/sudo_1.8.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 639391@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 22 Oct 2011 23:49:16 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.8.3-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description:
sudo - Provide limited super user privileges to specific users
sudo-ldap - Provide limited super user privileges to specific users
Closes: 639391 639568
Changes:
sudo (1.8.3-1) unstable; urgency=low
.
* new upstream version, closes: #639391, #639568
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 22 Nov 2011 07:34:32 GMT).