Systemd user manager, ecryptfs and opensuse 13.1

I have briefly mentioned this in an earlier post.

When I look around, while running 13.1, I notice that there are some systemd user manager processes:

% ps -ef | grep '[/]systemd'
root       377     1  0 10:29 ?        00:00:00 /usr/lib/systemd/systemd-journald
root       418     1  0 10:29 ?        00:00:00 /usr/lib/systemd/systemd-udevd
root       749     1  0 10:29 ?        00:00:00 /usr/lib/systemd/systemd-logind
lightdm   3258     1  0 10:29 ?        00:00:00 /usr/lib/systemd/systemd --user
root      3421     1  0 10:30 ?        00:00:00 /usr/lib/systemd/systemd --user
rickert   3443     1  0 10:30 ?        00:00:00 /usr/lib/systemd/systemd --user

The last three of those are user manager processes, as shown by the “--user” flag on the command line. There is also an additional process, one per user manager, that seems to be PAM related:

% ps -ef | grep '[p]am'
lightdm   3259  3258  0 10:29 ?        00:00:00 (sd-pam)
croot     3423  3421  0 10:30 ?        00:00:00 (sd-pam)
rickert   3447  3443  0 10:30 ?        00:00:00 (sd-pam)

This is new for 13.1.  The man pages for “systemd” and “systemctl” do somewhat document the user manager, though their full role is still unclear to me.

Ecryptfs

What I immediately noticed was the effect on “ecryptfs”. After setting up the pam configuration for “ecryptfs” with the command:

# pam-config -a --ecryptfs

everything seems to work at first. My ecryptfs private directory is properly mounted at login. But what I later noticed is that the ecryptfs private directory is not being unmounted when I log out. I consider this a possible security risk, since it leaves the files visible in unencrypted form even after logout.

I have been experimenting with various ways to deal with this problem.

User manager and pam

The systemd user manager processes seem to be started via PAM.  If I remove the systemd entry from the pam configuration, with:

# pam-config -d --systemd

then the problem goes away.  No user manager processes are started, and ecryptfs works properly.  Unfortunately, this breaks other functionality, so I had to put the systemd pam configuration back the way it was.

In particular, with systemd removed from the pam configuration, I have noticed the following problems:

  • I cannot reboot or shutdown if I am using “lightdm”, though these work properly with “kdm”;
  • Apper complains about authentication failure;
  • NetworkManager does not work properly.

It looks as if the systemd user manager is now involved in some of the authorization actions. These were previously handled by “polkit” and “console-kit” alone, but apparently systemd now takes part as well.

My testing

I have done some testing to find ways of dealing with the problem.

My first experiment was to add the command:

systemctl --user exit

to a KDE shutdown script.  This terminates the systemd user manager process and the associated pam process.  But the ecryptfs private directory is still left mounted after logout.

A comment to my earlier post suggests using a crontab entry to unmount the private directory every few minutes. The umount command is ignored while the directory is in use, but succeeds after logout. That should work, though I hope a better solution can be found.

At present, what I am doing is logging into the computer remotely (using ssh and public key authentication).  Then I do:

% cd /
% ecryptfs-umount-private
Sessions still open, not unmounting
% ecryptfs-umount-private

The “cd” is to make sure that the private directory is not in use.  The first attempt to use “ecryptfs-umount-private” fails, but the second attempt succeeds.

The interesting thing is that, after this step, ecryptfs starts working properly, at least until the next boot.  I only have to do that remote login trick once per boot.

My best guess is that the systemd user manager is starting an additional pam session, and this is causing the ecryptfs accounting for active sessions to be off by one.
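As an added example (not from the original post), here is a shell check that implements the periodic-unmount idea above in a more targeted form: instead of blindly retrying umount from cron, it reports only those ecryptfs Private mounts whose owner no longer has any login session, so a cron job can unmount exactly the directories left behind at logout. The mount table and session list are constructed inline; on a live system they would come from /proc/mounts and the output of who.

```shell
#!/bin/sh
# Added example: find ecryptfs Private mounts that survived logout.
# Not part of the original post; /proc/mounts and who output are
# passed in as text so the check can be exercised offline.

# Constructed /proc/mounts excerpt: Private mounts for rickert and alice.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/home/rickert/.Private /home/rickert/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef 0 0
/home/alice/.Private /home/alice/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=fedcba9876543210 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'

# Constructed `who` output: only alice still has an open session.
SAMPLE_WHO='alice    tty1         2013-12-01 10:29'

# stale_ecryptfs_mounts MOUNTS WHO
# Prints one mount point per line for every ecryptfs mount at
# /home/<user>/Private where <user> has no entry in WHO.
stale_ecryptfs_mounts() {
    mounts="$1"; who_out="$2"
    # Space-separated, de-duplicated list of users with an open session.
    active=$(printf '%s\n' "$who_out" | awk 'NF { print $1 }' | sort -u | tr '\n' ' ')
    printf '%s\n' "$mounts" | awk -v active="$active" '
        BEGIN { n = split(active, a, " "); for (i = 1; i <= n; i++) on[a[i]] = 1 }
        # $2 is the mount point, $3 the filesystem type in /proc/mounts.
        $3 == "ecryptfs" && $2 ~ /^\/home\/[^\/]+\/Private$/ {
            split($2, p, "/"); user = p[3]   # p[1]="", p[2]="home", p[3]=user
            if (!(user in on)) print $2
        }'
}

# count_stale MOUNTS WHO: number of stale mounts (0 when nothing is left over).
count_stale() {
    stale_ecryptfs_mounts "$1" "$2" | awk 'END { print NR }'
}

# umount_commands MOUNTS WHO: the umount lines a root cron job would run.
# They are printed rather than executed, so the output can be reviewed first.
umount_commands() {
    stale_ecryptfs_mounts "$1" "$2" | while IFS= read -r mp; do
        printf 'umount %s\n' "$mp"
    done
}

# Stand-alone run against the constructed data.
umount_commands "$SAMPLE_MOUNTS" "$SAMPLE_WHO"
```

On a real system call it as `umount_commands "$(cat /proc/mounts)" "$(who)"` from a root cron job, and pipe the result into sh only once it prints what you expect.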

Bug report

I have reported this problem to “bugs.freedesktop.org”, where it is Bug 72759.

About Neil Rickert

Mathematician and computer scientist who dabbles in cognitive science.

2 responses to “Systemd user manager, ecryptfs and opensuse 13.1”

  1. Wolfram says :

    Thank you very much for your writings about ecryptfs on OpenSUSE. Btw, I can confirm the “logout bug” in 13.1.

    • Neil Rickert says :

      Thanks.

      What I am currently doing is this:

      After logout, I use CTRL-ALT-F1 to get to a virtual console. I login there. Then:

      cd /
      ecryptfs-umount-private
      ecryptfs-umount-private

      The repeat is because the first command tells me that the mount is in use by another session.

      After that, I use CTRL-ALT-F7 to get back to the GUI login screen.

      I only have to do this once per reboot. I guess that would be once per user per reboot.
