pam_mount: do not re-prompt for password

[peterhoeg]

Motivation for this change

nixos-rebuild test causes pam_mount to prompt for a password when running with
an encrypted home:

building '/nix/store/p6bflh7n5zy2dql8l45mix9qnzq65hbk-nixos-system-mildred-18.09.git.98592c5da79M.drv'...
activating the configuration...
setting up /etc...
reenter password for pam_mount:
(mount.c:68): Messages from underlying mount program:
(mount.c:72): crypt_activate_by_passphrase: File exists
(pam_mount.c:522): mount of /dev/mapper/vg0-lv_home_peter failed
kbuildsycoca5 running...

This change makes pam_mount not prompt. It still tries to remount (and fails in
the process) but that message can be ignored.

Fixes: #44586

Reference: https://unix.stackexchange.com/a/273894

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Fits CONTRIBUTING.md.

---

[GrahamcOfBorg]

Success on x86_64-linux (full log)

Attempted: pam_mount

Partial log (click to expand)

  /nix/store/4v5nkv8hkilimfxvmwkfl0mlry3qqzk9-popt-1.16
  /nix/store/cnf1jgv1x1d7wry1iihq3hfpmkw7m6kd-cryptsetup-2.0.4
  /nix/store/k82pz2skh0nkka51q1mbd5yz6nzy2fxd-pam_mount-2.16
  /nix/store/y2j8pmv853n1a67bll402gnrg9j6hbby-json-c-0.13.1
copying path '/nix/store/y2j8pmv853n1a67bll402gnrg9j6hbby-json-c-0.13.1' from 'https://nix-cache.s3.amazonaws.com'...
copying path '/nix/store/27lqfbkwss1z2wqqvfv1nqbfypcarsr5-libHX-3.22' from 'https://nix-cache.s3.amazonaws.com'...
copying path '/nix/store/4v5nkv8hkilimfxvmwkfl0mlry3qqzk9-popt-1.16' from 'https://nix-cache.s3.amazonaws.com'...
copying path '/nix/store/cnf1jgv1x1d7wry1iihq3hfpmkw7m6kd-cryptsetup-2.0.4' from 'https://nix-cache.s3.amazonaws.com'...
copying path '/nix/store/k82pz2skh0nkka51q1mbd5yz6nzy2fxd-pam_mount-2.16' from 'https://nix-cache.s3.amazonaws.com'...
/nix/store/k82pz2skh0nkka51q1mbd5yz6nzy2fxd-pam_mount-2.16

[GrahamcOfBorg]

Success on aarch64-linux (full log)

Attempted: pam_mount

Partial log (click to expand)

shrinking /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/sbin/pmt-ehd
shrinking /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/sbin/pmvarrun
shrinking /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/sbin/mount.crypt
gzipping man pages under /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/lib  /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/sbin
patching script interpreter paths in /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16
checking for references to /build in /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16...
moving /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/sbin/* to /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/bin
/nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16

[peterhoeg]

Cc @samueldr

[samueldr]

Any difference in behaviour between switch and test, and if so, why would there be?

Additionally, most mounting-related tasks are applied live with test and switch, (which is a bit annoying when failing and systemd kicks you to the rescue mode!) Do I misunderstand that this would break the assumption of mounting un-mounted devices during switch and test?

[peterhoeg]

Any difference in behaviour between switch and test, and if so, why would there be?

No difference

Do I misunderstand that this would break the assumption of mounting un-mounted devices during switch and test?

With disable_interactive, we are dependent on the login manager passing down the password to pam_mount. So if you add an encrypted device which wasn't there at the time of session start and do nixos-rebuild, it would not be available.

The problem without the option is the repeated prompts which happen all the time.

[peterhoeg]

@samueldr any thoughts on how we can move this forward?

[peterhoeg]

@samueldr - do you still have any concerns?

[stale]

I marked this as stale due to inactivity. → More info

[stale]

I marked this as stale due to inactivity. → More info

[peterhoeg]

@samueldr , the only case that "breaks" (and the reason for quotes is the fact that it really isn't) with this change is the following:

1. a generation is created without any encrypted homes for user xxx
2. user xxx logs in and adds encrypted home config to configuration.nix
3. user xxx runs nixos-rebuild switch (or test)
4. encrypted home for xxx is not decrypted and mounted

But, having your $HOME get remounted underneath you seems like a really bad idea anyway.

So while there is a change in how things work for one very special case, in general this makes things much nicer when using encrypted homes.

Any strong objections? If not, let's get this shipped.

[samueldr]

Sorry, never had strong objections, only concerns since I didn't "get" everything, as I'm not using pam_mount

Do not block on these.

Anyway:

• You're daily driving it
• You understand the underlying use cases
• No one else seems to have had any concerns

Feel free to take ownership I guess!