Hi all,
I would like to report a major problem affecting people using home folder encryption (ecryptfs) and miscellaneous FUSE mounts. When a session is suspended, the user's folders get unmounted. As a result, applications and services are left in an undefined state, and that might lead to severe results. In addition to banal crashes, Dropbox and friends might decide that data was deleted locally and sync that to the cloud!
I guess the above is related to the fact that all PAM sessions are closed during suspend. Any ideas how to fix that?
P.S. Previously NoMachine's server was available as a fallback. But due to recent changes to libCairo (http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=16), it's currently broken. And I am not sure when, and if at all, it's going to be fixed. So currently there is no solution.
Thanks
Previously NoMachine's server was available as a fallback.
On one of my servers I've downgraded libcairo and marked it as "hold". I also had to downgrade some applications (evince, transmission and poppler-utils), but there are really few such apps to care about.
Hi,
On Mon, 29 Oct 2012 08:39:26 +0200 Eugene San <eugenesan@gmail.com> wrote:
I would like to report a major problem affecting people using home folder encryption (ecryptfs) and miscellaneous FUSE mounts. When a session is suspended, the user's folders get unmounted. As a result, applications and services are left in an undefined state, and that might lead to severe results. In addition to banal crashes, Dropbox and friends might decide that data was deleted locally and sync that to the cloud!
I guess the above is related to the fact that all PAM sessions are closed during suspend. Any ideas how to fix that?
I don't know how your system is configured, but here pam only unmounts the encrypted homedir when no more apps are accessing the directory. (I once had to track down gnome-keyring preventing the unmount.)
Have fun,
Arnold
I am afraid your assumption is incorrect; even with open files, PAM unmounts the home directory. It looks like only SSH sessions keep home mounted. Once the session is suspended and all SSH connections are closed, the home folder is gone.
Any suggestions how to solve the problem?
On Tue, Oct 30, 2012 at 11:55 PM, Arnold Krille <arnold@arnoldarts.de> wrote:
Hi,
On Mon, 29 Oct 2012 08:39:26 +0200 Eugene San <eugenesan@gmail.com> wrote:
I would like to report a major problem affecting people using home folder encryption (ecryptfs) and miscellaneous FUSE mounts. When a session is suspended, the user's folders get unmounted. As a result, applications and services are left in an undefined state, and that might lead to severe results. In addition to banal crashes, Dropbox and friends might decide that data was deleted locally and sync that to the cloud!
I guess the above is related to the fact that all PAM sessions are closed during suspend. Any ideas how to fix that?
I don't know how your system is configured, but here pam only unmounts the encrypted homedir when no more apps are accessing the directory. (I once had to track down gnome-keyring preventing the unmount.)
Have fun,
Arnold
X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
Hi!
On Sa 03 Nov 2012 10:58:05 CET Eugene San wrote:
I am afraid your assumption is incorrect; even with open files, PAM unmounts the home directory. It looks like only SSH sessions keep home mounted. Once the session is suspended and all SSH connections are closed, the home folder is gone.
Any suggestions how to solve the problem?
Does taking the information found here into consideration help you any further?
https://bbs.archlinux.org/viewtopic.php?id=98227
Mike
--
DAS-NETZWERKTEAM mike gabriel, rothenstein 5, 24214 neudorf-bornstein fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
Hi,
The referred thread discusses generic usage of encryption. But my issue is specific to x2go. Encryption mounting works perfectly via physical, ssh and even nomachine sessions but fails during suspended x2go sessions.
My guess is that nomachine's nxssh (which stays alive during suspended sessions) is making encryption work during suspended sessions.
The question is how to provide an adequate alternative in x2go sessions.
On Nov 3, 2012 3:17 PM, "Mike Gabriel" <mike.gabriel@das-netzwerkteam.de> wrote:
Hi!
On Sa 03 Nov 2012 10:58:05 CET Eugene San wrote:
I am afraid your assumption is incorrect; even with open files, PAM unmounts the home directory. It looks like only SSH sessions keep home mounted. Once the session is suspended and all SSH connections are closed, the home folder is gone.
Any suggestions how to solve the problem?
Does taking the information found here into consideration help you any further?
https://bbs.archlinux.org/viewtopic.php?id=98227
Mike
On Mon, Oct 29, 2012 at 7:39 AM, Eugene San <eugenesan@gmail.com> wrote:
I guess the above is related to the fact that all PAM sessions are closed during suspend. Any ideas how to fix that?
Does creating a file ~/.ecryptfs/auto-umount help?
Note that this disables auto umounting your crypted directory completely. However, if this helps, then I think pam_ecryptfs.so should be extended to check for active x2go sessions before auto-umounting crypted sessions.
-- regards, Reinhard
Thanks for the response.
The solution you propose might actually work, but it will definitely create a security problem.
To make it work, we need x2go sessions to behave as normal ones, at least from PAM's perspective.
I wonder which part of a physical session does the PAM magic and why it doesn't work for an x2go session...
On Sat, Nov 3, 2012 at 4:59 PM, Reinhard Tartler <siretart@gmail.com> wrote:
On Mon, Oct 29, 2012 at 7:39 AM, Eugene San <eugenesan@gmail.com> wrote:
I guess the above is related to the fact that all PAM sessions are closed during suspend. Any ideas how to fix that?
Does creating a file ~/.ecryptfs/auto-umount help?
Note that this disables auto umounting your crypted directory completely. However, if this helps, then I think pam_ecryptfs.so should be extended to check for active x2go sessions before auto-umounting crypted sessions.
-- regards, Reinhard
Hi Eugene,
On Sa 03 Nov 2012 19:47:26 CET Eugene San wrote:
Thanks for the response.
The solution you propose might actually work, but it will definitely create a security problem.
To make it work, we need x2go sessions to behave as normal ones, at least from PAM's perspective.
I wonder which part of a physical session does the PAM magic and why it doesn't work for an x2go session...
I plan to write a PAM module for X2Go anyway (customer contract). I might include PAM session support into that.
Mike
A PAM module with x2go session support would be wonderful.
On Sat, Nov 3, 2012 at 10:31 PM, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
Hi Eugene,
On Sa 03 Nov 2012 19:47:26 CET Eugene San wrote:
Thanks for the response.
The solution you propose might actually work, but it will definitely create a security problem.
To make it work, we need x2go sessions to behave as normal ones, at least from PAM's perspective.
I wonder which part of a physical session does the PAM magic and why it doesn't work for an x2go session...
I plan to write a PAM module for X2Go anyway (customer contract). I might include PAM session support into that.
Mike
On Sun, Nov 4, 2012 at 5:57 AM, Eugene San <eugenesan@gmail.com> wrote:
A PAM module with x2go session support would be wonderful.
TBH, after reading the pam_ecryptfs and the ecryptfs.private_mount sources, I do not think that such a module would help here. But maybe I may also have misunderstood how you intend to integrate the pam module into x2go.
-- regards, Reinhard