Problems with pam_group + pam_mount

Italo Valcy italo at dcc.ufba.br
Tue Dec 28 20:46:26 UTC 2010


Hello guys,

I'm having problems with the use of pam_group and pam_mount, and I think
the problem is with the order in which the PAM API (pam_authenticate,
pam_open_session, pam_setcred, etc.) is used by the applications. I'll
try to describe my scenario below. Please, any help is welcome.

Here we use LDAP authentication through libpam-ldapd + nslcd and it's
working perfectly. We would also like to automatically mount the user's HOME
from a remote fileserver, using sshfs (which uses FUSE). We do not export
the groups tree from LDAP. So, the solution we used was the combination of
pam_group + pam_mount. In order to load the groups, we configure
/etc/security/group.conf in the following way:

-------8<---------
*;*;*;Al0000-2400;video,audio,fuse
------------------

In order to mount a volume through sshfs, it is essential that the user
belongs to the group 'fuse', because he needs to access /dev/fuse (which is
granted to the members of that group).

Then, we configure the login service in PAM like the following:

-------8<----------
# /etc/pam.d/login
...
auth optional pam_group
auth optional pam_mount
session optional pam_mount
...
-------------------

When I call the login program, I get a 'permission denied' error when
accessing /dev/fuse and the volume is not mounted. However, when the
login process finishes, my user is in the fuse group.

After some debugging I could see that:
 - pam_group works at the pam_setcred stage. By 'work' I mean: it sets the
group membership for the user based on the content of
/etc/security/group.conf.
 - pam_mount does the mount at the pam_open_session stage. In that step,
the user already needs access to /dev/fuse, which should be granted by
pam_group.

The problem is that some applications, like 'login' [1], call
pam_open_session before pam_setcred and, in this way, pam_mount starts
to work before pam_group has set the groups.

[1] http://pkg-shadow.alioth.debian.org/

Even RFC 86.0, in the section "SAMPLE PAM APPLICATION", shows the use of
pam_open_session before initgroups() and before pam_setcred. But what
about applications that depend on group membership settings to work in
the open_session stage?


Any help or tip is very welcome!

Thanks and sorry for the long e-mail! :)


Kind Regards, Italo.


-- 
Regards,

Italo Valcy :: http://wiki.dcc.ufba.br/~ItaloValcy
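The mail above hinges on what pam_group will grant at pam_setcred time, and that depends on how group.conf rules are matched. The following is an added example, not code from the mail or from Linux-PAM: a small offline evaluator of the group.conf format (services;ttys;users;times;groups, '*' wildcard, '!' negation, '&' and '|' joining terms, Mo..Su/Wk/Wd/Al day codes with HHMM-HHMM ranges, repeated day codes toggling off). It follows my reading of the documented pam_group/pam_time syntax and is an approximation of the real matcher (it treats ',' in the first three fields like '|' and does not handle '%group' or '@netgroup' user tokens). The sample configuration is constructed here: it contains the rule from the mail plus two hypothetical lines, so a reader can see why every login gets 'fuse' and how a range that crosses midnight is evaluated. It says nothing about when the groups are applied, which is the ordering problem the mail is about.

```python
"""Offline evaluator for /etc/security/group.conf rules (added example).

Not Linux-PAM code: a re-implementation of the documented pam_group matching
rules, accurate enough to answer "which supplementary groups would this
login receive at pam_setcred time, and from which line?".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Day codes as in pam_group/pam_time; Python weekday(): Monday=0 .. Sunday=6.
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

# Constructed sample: line 2 is the rule from the mail, lines 3-4 are
# hypothetical extras added here to exercise negation and midnight wrap.
SAMPLE_GROUP_CONF = """\
# services;ttys;users;times;groups
*;*;*;Al0000-2400;video,audio,fuse
login;tty*;!root;Wk0900-1800;scanner
sshd;*;italo;Wd0000-2400|Wk1800-0800;backup
"""


@dataclass
class Rule:
    services: str
    ttys: str
    users: str
    times: str
    groups: list[str]
    lineno: int


def parse_group_conf(text: str) -> list[Rule]:
    """Split group.conf into rules; '#' starts a comment, blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"group.conf line {lineno}: expected 5 fields, got {len(fields)}")
        services, ttys, users, times, groups = fields
        rules.append(Rule(services, ttys, users, times,
                          [g for g in re.split(r"[,\s]+", groups) if g], lineno))
    return rules


def _glob(pattern: str, value: str) -> bool:
    """pam_group-style wildcard match: only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _logic_eval(field: str, term_matches) -> bool:
    """Evaluate a logic list left to right: terms joined by '&' (and) or '|'
    (or); ',' is treated like '|' (assumption); a leading '!' negates a term."""
    result, op = None, None
    for tok in re.split(r"([&|,])", field.replace(" ", "")):
        if tok in ("&", "|", ","):
            op = tok
            continue
        value = term_matches(tok.lstrip("!")) ^ tok.startswith("!")
        if result is None:
            result = value
        elif op == "&":
            result = result and value
        else:
            result = result or value
    return bool(result)


def _time_term(term: str, when: datetime) -> bool:
    """One time term such as 'Wk1800-0800': day codes then HHMM-HHMM.
    A repeated day code toggles that day off again (pam_time semantics)."""
    m = re.fullmatch(r"((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})", term)
    if not m:
        raise ValueError(f"bad time term: {term!r}")
    days: set[int] = set()
    for code in re.findall(r"..", m.group(1)):
        days ^= DAYS[code]
    start, end = int(m.group(2)), int(m.group(3))
    now, day = when.hour * 100 + when.minute, when.weekday()
    if start <= end:
        return day in days and start <= now < end
    # Range crosses midnight: the part after 'start' belongs to the listed
    # day, the part before 'end' belongs to the morning of the next day.
    return (day in days and now >= start) or ((day - 1) % 7 in days and now < end)


def groups_for(conf: str, service: str, tty: str, user: str, when: datetime) -> list[str]:
    """Supplementary groups pam_group would add for this login, in rule order."""
    granted: list[str] = []
    for r in parse_group_conf(conf):
        if (_logic_eval(r.services, lambda p: _glob(p, service))
                and _logic_eval(r.ttys, lambda p: _glob(p, tty))
                and _logic_eval(r.users, lambda p: _glob(p, user))
                and _logic_eval(r.times, lambda t: _time_term(t, when))):
            granted.extend(g for g in r.groups if g not in granted)
    return granted


if __name__ == "__main__":
    # The mail's own situation: console login on a Tuesday evening.
    print(groups_for(SAMPLE_GROUP_CONF, "login", "tty1", "italo",
                     datetime(2010, 12, 28, 20, 46)))
```

Running it against the sample shows 'fuse' granted to every service, tty and user at any time, which is exactly what the mail's rule asks for; the evaluator only tells you what pam_setcred would grant, so an application that calls pam_open_session first will still see the old group list at mount time.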