Systemd user manager, ecryptfs and opensuse 13.1
I have briefly mentioned this in an earlier post.
When I look around, while running 13.1, I notice that there are some systemd user manager processes:
    % ps -ef | grep '[/]systemd'
    root       377     1  0 10:29 ?        00:00:00 /usr/lib/systemd/systemd-journald
    root       418     1  0 10:29 ?        00:00:00 /usr/lib/systemd/systemd-udevd
    root       749     1  0 10:29 ?        00:00:00 /usr/lib/systemd/systemd-logind
    lightdm   3258     1  0 10:29 ?        00:00:00 /usr/lib/systemd/systemd --user
    root      3421     1  0 10:30 ?        00:00:00 /usr/lib/systemd/systemd --user
    rickert   3443     1  0 10:30 ?        00:00:00 /usr/lib/systemd/systemd --user
The last three of those are user manager processes, as shown by the “--user” flag to the process. There is also an additional process that seems to be PAM related:
    % ps -ef | grep '[p]am'
    lightdm   3259  3258  0 10:29 ?        00:00:00 (sd-pam)
    root      3423  3421  0 10:30 ?        00:00:00 (sd-pam)
    rickert   3447  3443  0 10:30 ?        00:00:00 (sd-pam)
This is new for 13.1. The man pages for “systemd” and “systemctl” do somewhat document the user manager, though their full role is still unclear to me.
What I immediately noticed, was the effect on “ecryptfs”. After setting up the pam configuration for “ecryptfs” with the command:
# pam-config -a --ecryptfs
everything seems to work at first. My ecryptfs private directory is properly mounted at login. But what I later noticed is that the ecryptfs private directory is not being unmounted when I log out. I consider this a possible security risk, since it makes the files visible unencrypted even after logout.
I have been experimenting with various ways to deal with this problem.
User manager and pam
The systemd user manager processes seem to be started via PAM. If I remove the systemd entry from the pam configuration, with:
# pam-config -d --systemd
then the problem goes away. No user manager processes are started, and ecryptfs works properly. Unfortunately, this breaks other functionality, so I had to put the systemd pam configuration back the way it was.
In particular, with systemd removed from the pam configuration, I have noticed the following problems:
- I cannot reboot or shutdown if I am using “lightdm”, though these work properly with “kdm”;
- Apper complains about authentication failure;
- NetworkManager does not work properly.
It looks as if the systemd user manager is now involved in some of the authorization actions. These were previously handled by “polkit” and “console-kit”, but apparently systemd is now also involved.
I have done some testing to find ways of dealing with the problem.
My first experiment was to add the command:
systemctl --user exit
to a KDE shutdown script. This terminates the systemd user manager process and the associated pam process. But the ecryptfs private directory is still left mounted after logout.
A comment to my earlier post suggests using a crontab to unmount the private directory, and do this every few minutes. The umount command will be ignored if the directory is in use, but will work after logout. That should work, though I hope a better solution can be found.
At present, what I am doing is logging into the computer remotely (using ssh and public key authentication). Then I do:
    % cd /
    % ecryptfs-umount-private
    Sessions still open, not unmounting
    % ecryptfs-umount-private
The “cd” is to make sure that the private directory is not in use. The first attempt to use “ecryptfs-umount-private” fails, but the second attempt succeeds.
The interesting thing is that, after this step, ecryptfs starts working properly, at least until the next boot. I only have to do that remote login trick once per boot.
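The crontab workaround from the earlier comment and the manual two-attempt unmount above can be combined into one small script. The following is an added example, not code from the original post; it assumes the private directory is mounted at $HOME/Private (the default of ecryptfs-setup-private), that the mount table has the /proc/mounts layout, and that the script lives at a path of your choosing (the crontab line below uses a made-up one). It checks whether the private directory is still mounted, retries ecryptfs-umount-private from / in the way the post describes, and returns a distinct exit status when the directory is still exposed after logout so the cron mail or a log line flags it.

```shell
#!/bin/sh
# Added example, not code from the original post. A cron-friendly check for
# the problem described above: an ecryptfs Private directory left mounted
# after logout. Assumptions (not taken from the post): the mount point is
# $HOME/Private, the default of ecryptfs-setup-private, and the mount table
# follows the /proc/mounts layout.

# private_mounted MOUNTS_FILE DIR
# Returns 0 if DIR is listed in MOUNTS_FILE as an ecryptfs mount, 1 otherwise.
# MOUNTS_FILE is a parameter so the check can be exercised on a saved copy.
private_mounted() {
    mounts_file="$1"
    dir="$2"
    while read -r _src target fstype _rest; do
        if [ "$target" = "$dir" ] && [ "$fstype" = "ecryptfs" ]; then
            return 0
        fi
    done < "$mounts_file"
    return 1
}

# unmount_private_retry MAX_TRIES
# Runs the unmount command (UMOUNT_CMD, default ecryptfs-umount-private)
# from / so our own working directory cannot keep the mount busy, and retries,
# because the post shows the first attempt answering
# "Sessions still open, not unmounting" and the second succeeding.
# UMOUNT_ATTEMPTS records how many attempts were made.
unmount_private_retry() {
    max_tries="${1:-2}"
    UMOUNT_ATTEMPTS=0
    cd / || return 1
    while [ "$UMOUNT_ATTEMPTS" -lt "$max_tries" ]; do
        UMOUNT_ATTEMPTS=$((UMOUNT_ATTEMPTS + 1))
        if "${UMOUNT_CMD:-ecryptfs-umount-private}"; then
            return 0
        fi
        sleep "${UMOUNT_DELAY:-0}"
    done
    return 1
}

# check_and_unmount MOUNTS_FILE DIR [MAX_TRIES]
# Exit status: 0 if DIR is not mounted (or was unmounted now), 2 if it is
# still mounted after all attempts, so a cron mail or log line can flag it.
check_and_unmount() {
    mounts_file="$1"
    dir="$2"
    max_tries="${3:-2}"
    if ! private_mounted "$mounts_file" "$dir"; then
        echo "ok: $dir is not mounted"
        return 0
    fi
    if unmount_private_retry "$max_tries"; then
        echo "unmounted $dir after $UMOUNT_ATTEMPTS attempt(s)"
        return 0
    fi
    echo "warning: $dir still mounted after $UMOUNT_ATTEMPTS attempt(s)" >&2
    return 2
}

# Crontab use (runs as the ecryptfs user, every five minutes; the script path
# is an assumed example):
#   */5 * * * * /home/rickert/bin/ecryptfs-check.sh --cron
# ecryptfs-umount-private itself refuses while a login session is open,
# so the unmount only completes once the user has logged out.
if [ "${1:-}" = "--cron" ]; then
    check_and_unmount /proc/mounts "$HOME/Private"
fi
```

Because the script only asks ecryptfs-umount-private to act, it cannot unmount a directory that is genuinely in use; it simply keeps trying every few minutes and reports when the directory stays mounted, which is the condition worth noticing after logout.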
My best guess is that the systemd user manager is starting an additional pam session, and this is causing the ecryptfs accounting for active sessions to be off by one.
I have reported this problem to “bugs.freedesktop.org”, where it is Bug 72759.