Bug#765854: ecryptfs-utils: Private directory not automatically unmounted anymore on logout

Julian Andres Klode jak at debian.org
Fri Jan 6 14:06:31 GMT 2017


Second ping, more than 2 years later.

Seriously, that's more than 2 years old now, with a simple workaround, and
security implications (private data remaining accessible after logout).

On Sat, Oct 18, 2014 at 09:13:05PM +0200, Julian Andres Klode wrote:
> (adding pkg-systemd-maintainers at lists.alioth.debian.org to CC)
> 
> On Sat, Oct 18, 2014 at 08:31:38PM +0200, Julian Andres Klode wrote:
> > Package: ecryptfs-utils
> > Version: 103-3+b1
> > Severity: important
> > Tags: security
> > 
> > Previously, a Private directory was automatically unmounted on logout. This
> > does not happen anymore. One problem could be that the systemd user instance
> > is not bound to logins and will most likely only exit after the last login,
> > leaving a process running as that user, and thus causing ecryptfs-utils to
> > think the user is still active.
> > 
> > This is a regression from wheezy as far as I am aware.
> > 
> 
> So the reason appears to be that systemd keeps another PAM session around for
> running its (sd-pam) and systemd --user processes, causing ecryptfs-umount-private
> to think one session is still remaining. This means we have to run
> ecryptfs-umount-private before exiting the systemd --user session.
> 
> The following user unit does this (called it ecryptfs-umount-private.service),
> but I'm not sure if that's the best solution, if something in there is broken,
> or how to correctly install that globally.
> 
> -- ecryptfs-umount-private.service:
> 
> [Unit]
> Description=Umount Private directory
> Before=systemd-exit.service
> DefaultDependencies=no
> Requires=shutdown.target
> After=shutdown.target
> 
> [Service]
> Type=oneshot
> ExecStart=/usr/bin/ecryptfs-umount-private
> 
> [Install]
> WantedBy=exit.target
> 
> -- 
> Julian Andres Klode  - Debian Developer, Ubuntu Member
> 
> See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
> 
> Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
>     - If you don't I might ignore you.

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
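Added example, not part of the bug report or of ecryptfs-utils: a POSIX sh check an administrator can run after a user has logged out to confirm whether that user's Private directory is still mounted, which is the condition the report describes. It parses lines in /proc/mounts format and lists any ecryptfs mount points under a given home directory. The home path /home/jak and the mount table lines are constructed sample data, not captured from a real system.

```shell
#!/bin/sh
# Post-logout audit for ecryptfs Private mounts (added example).
# Usage on a live system:  ecryptfs_mounts_under "$HOME" < /proc/mounts
# Prints one mount point per line; no output means nothing is left mounted.

ecryptfs_mounts_under() {
    # $1: home directory to check (example path, assumed)
    # stdin: "<source> <mountpoint> <fstype> <options> <dump> <pass>" lines,
    #        i.e. the format of /proc/mounts
    home="$1"
    while read -r src mnt fstype rest; do
        [ "$fstype" = "ecryptfs" ] || continue
        case "$mnt" in
            "$home"/*) printf '%s\n' "$mnt" ;;
        esac
    done
    # Note: /proc/mounts escapes spaces in paths as \040; the sample below
    # contains none, so no unescaping is needed here.
}

# Returns 0 when no ecryptfs mount remains under the home, 1 otherwise.
# $1: home directory, $2: mount table text (e.g. "$(cat /proc/mounts)")
private_is_unmounted() {
    remaining=$(printf '%s\n' "$2" | ecryptfs_mounts_under "$1")
    [ -z "$remaining" ]
}

# Constructed sample mount table: the Private directory of /home/jak is
# still mounted, which is the situation the bug report complains about.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/home/jak/.Private /home/jak/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=204800k,mode=700,uid=1000,gid=1000 0 0'

# Demonstration on the constructed data
if private_is_unmounted /home/jak "$SAMPLE_MOUNTS"; then
    echo "no ecryptfs mounts left under /home/jak"
else
    echo "still mounted under /home/jak:"
    printf '%s\n' "$SAMPLE_MOUNTS" | ecryptfs_mounts_under /home/jak
fi
```

Run it as root in a cron job or from a logout hook and treat any output for a user who has no remaining login session as the regression described above; it only reads the mount table and never unmounts anything itself.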


