PAM configuration shipped for su does not work with systemd-homed
Task Info (Flyspray) | |
---|---|
Opened By | Zhao4 She4 (zhs) |
Task ID | 75509 |
Type | Bug Report |
Project | Arch Linux |
Category | Packages: Core |
Version | None |
OS | All |
Opened | 2022-08-04 12:11:28 UTC |
Status | Assigned |
Assignee | Christian Hesse (eworm) |
Details
Description:
When a user account is created and managed by systemd-homed one cannot correctly su to that user when logged in as another user. This happens because the pam.d files shipped with util-linux have not been updated to include Arch's homed-aware system-auth stack.
Additional info:
- 2.38-1 (no changes to /etc/pam.d/su or /etc/pam.d/su-l in 2.38.1-1)
Steps to reproduce:
Create systemd-homed-managed accounts user1 and user2.
While logged in as user1 via system local login which correctly includes system-auth and works as expected with homed, attempt:
su - user2
The first stage of login goes well but since pam_systemd_home.so is not used in default /etc/pam.d/su and/or /etc/pam.d/su-l, and /etc/pam.d/system-auth is not included in them either, systemd-homed is not notified and the user directory is not mounted to /home/user2 resulting in user2's shell giving permission error messages.
Now, attempt:
cd
or
ls
Both result in permission errors because with systemd-homed /home/user2 is empty, and normally owned and readable only by root, until /home/user2.homedir (or equivalent luks-encrypted file) is mounted over it.
Adding:
auth include system-auth
to /etc/pam.d/su-l fixes the problem.
A workaround is to first do:
homectl activate user2
and then su to user2. However, this results in homed not being aware of the following authentication and attempting to deactivate and unmount /home/user2 repeatedly. It will report the user home in homectl list output as lingering. As soon as the shell authenticated as user2 is closed, deactivation succeeds but this is only a lucky side-effect of homed not giving up on unmounting.