
pam_zfs_key does not lock dataset upon user session closing #12430

@benpye


System information

| Type | Version/Name |
| --- | --- |
| Distribution Name | NixOS |
| Distribution Version | 21.11 |
| Kernel Version | 5.10.52 |
| Architecture | x86_64 |
| OpenZFS Version | 2.1.0 |

Describe the problem you're observing

Having configured PAM to use pam_zfs_key to automatically mount and unmount the home directory for my user, I can observe that the directory is mounted. Due to shortcomings with systemd (systemd/systemd#8598) we are required to avoid tracking the systemd-user session with the following config:

session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
session optional pam_zfs_key.so homes=rpool/safe/home

This use of pam_succeed_if is required as systemd-user drops privileges and so cannot mount/unmount; without this we fail to mount as we are non-root. This however reveals a different issue - unmounting the dataset fails with:

Jul 25 18:58:58 nixtop lightdm[21199]: pam_zfs_key(lightdm:session): zfs_unmount failed with: -1

I believe this is because we are attempting to unmount before the systemd user session has terminated - due to the above config. The current behaviour means that the volume is left mounted, and the key is not unloaded.

pam_zfs_key doesn't expose any way to force unmount here, but also as mentioned in the systemd issue - that isn't a perfect solution as it would result in the home mount being yanked from anything run with systemd-run. This would at least avoid the volume being left unlocked after all the other sessions have terminated.

There is an issue for fscrypt (google/fscrypt#95) related to this issue - their intended approach seems to be to have a service running in the background, which can be responsible for mounting and unmounting their volumes. This would mean that the dropped privileges in systemd-user would no longer be problematic, however it is a significantly more complex solution.

Describe how to reproduce the problem

This should be relatively easy to reproduce on any Linux distro with systemd. Ensure that the pam_systemd.so module is enabled, and then add the session config as given above - in my case it is prior to the systemd module. This should result in successful mount, but not being able to unmount the home directory.
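
A check for the end state described in this report (home dataset still mounted, key still loaded, user logged out), as an added example that is not part of the original issue or of pam_zfs_key. It assumes each home dataset is named `<homes prefix>/<user name>`; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# stale_unlocked PREFIX ZFS_GET_FILE USERS_FILE
#   ZFS_GET_FILE: saved output of
#     zfs get -H -r -o name,property,value keystatus,mounted PREFIX
#   USERS_FILE: one logged-in user per line, e.g. who | awk '{print $1}' | sort -u
# Prints every home dataset that is still mounted or still has its key
# loaded although its user has no remaining login session.
stale_unlocked() {
    awk -F '\t' -v prefix="$1" '
        FILENAME == ARGV[1] { active[$1] = 1; next }   # first file: logged-in users
        index($1, prefix "/") != 1 { next }            # prefix itself or outside it
        {
            user = substr($1, length(prefix) + 2)
            if (user ~ /\//) next                      # nested child dataset
            if ($2 == "keystatus") key[user] = $3
            if ($2 == "mounted")   mnt[user] = $3
            seen[user] = 1
        }
        END {
            for (u in seen) {
                if (u in active) continue
                if (key[u] == "available" || mnt[u] == "yes")
                    printf "%s/%s keystatus=%s mounted=%s\n", prefix, u, key[u], mnt[u]
            }
        }
    ' "$3" "$2" | sort
}

# Constructed sample: alice has logged out but her dataset stayed unlocked,
# bob is still logged in, carol was locked cleanly on logout.
demo_constructed() {
    dir=$(mktemp -d) || return 1
    printf '%s\t%s\t%s\n' \
        rpool/safe/home       keystatus none \
        rpool/safe/home       mounted   no \
        rpool/safe/home/alice keystatus available \
        rpool/safe/home/alice mounted   yes \
        rpool/safe/home/bob   keystatus available \
        rpool/safe/home/bob   mounted   yes \
        rpool/safe/home/carol keystatus unavailable \
        rpool/safe/home/carol mounted   no > "$dir/zfs_get.tsv"
    printf 'bob\n' > "$dir/users.txt"
    stale_unlocked rpool/safe/home "$dir/zfs_get.tsv" "$dir/users.txt"
    rm -rf "$dir"
}

demo_constructed
```

Run from a timer or after logout, a non-empty result means a dataset was left in the unlocked state this issue describes.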

Labels: Bot: Not Stale (override for the stale bot); Type: Defect (incorrect behavior, e.g. crash, hang)
