pam_env doesn't load user's .pam_environment when home folder is encrypted with ecryptfs #63285

Open
doronbehar opened this issue Jun 17, 2019 · 1 comment
Labels
2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md

Comments

@doronbehar
Contributor

Issue description

If I log in while my home folder is encrypted with ecryptfs, apparently when pam_env.so tries to load my ~/.pam_environment, it fails because it's not available yet. If I run for example su -l on a shell after I log in, my environmental variables from there are loaded.

Steps to reproduce

Use the following setting in /etc/nixos/configuration.nix:

    security.pam.enableEcryptfs = true;

  1. Encrypt your home folder using ecryptfs-migrate-home.
  2. Put environmental variables in the encrypted home folder's ~/.pam_environment.

Other information

This bug seems somewhat common and it is also covered in some stack-exchange threads (1, 2) yet I don't think it's unavoidable. Back when I used Arch Linux, I didn't experience this, perhaps because I've strictly followed the Arch Linux Wiki as for setting up ecryptfs automount using PAM. Luckily, I've backups of my /etc/ configurations from Arch Linux and the main difference I can see between NixOS' /etc/pam.d/ and Arch Linux', is that there is no auth required pam_env.so in NixOS' /etc/pam.d/ and there are only session required pam_env.so. I'm pretty sure this is the source of this issue but I think this should be consulted with the author of services.pam.*.

I'll sum it up to this question:

Why do we use session required pam_env.so and not auth required pam_env.so?

Technical details

  • system: "x86_64-linux"
  • host os: Linux 5.1.10, NixOS, 19.09pre182971.a1dd419c1ff (Loris)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.2.2
  • channels(root): "nixos-19.09pre182971.a1dd419c1ff"
  • channels(doron): "nixos-unstable-19.09pre182743.7815c86c104"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos
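
The comparison described in the report (which PAM management groups list pam_env.so, and where pam_ecryptfs.so sits in each stack) can be checked mechanically. The following is an added example, not part of the issue or of nixpkgs; the two stacks and the helper names parse_stack, groups_using and report are constructed for illustration.

```python
import os
import re

# type (optional "-" prefix), control (keyword or [bracketed list]), module, args
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed stack for illustration; not copied from NixOS or Arch Linux.
SESSION_ONLY = """\
# constructed /etc/pam.d/login
auth      required   pam_unix.so likeauth
auth      optional   pam_ecryptfs.so unwrap
account   required   pam_unix.so
session   required   pam_env.so      # only occurrence of pam_env
session   [success=ok default=ignore] \\
          pam_unix.so
-session  optional   pam_ecryptfs.so
session   include    other
"""
# Same stack with an additional auth entry for pam_env.so (also constructed).
AUTH_AND_SESSION = "auth      required   pam_env.so\n" + SESSION_ONLY

def parse_stack(text):
    """Return [(type, control, module, args)] in file order."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        m = LINE.match(raw.split("#", 1)[0].strip())    # comments dropped
        if m is None or m.group(2) in ("include", "substack"):
            continue  # blank/comment line, or a reference to another file
        mtype, control, path, args = m.groups()
        entries.append((mtype.lower(), control, os.path.basename(path), args))
    return entries

def groups_using(entries, module):
    """Management groups (auth, account, session, password) that list module."""
    return sorted({t for t, _, mod, _ in entries if mod == module})

def report(entries, modules=("pam_env.so", "pam_ecryptfs.so")):
    """Map each module to (group, position within that group) pairs."""
    counters, found = {}, {m: [] for m in modules}
    for mtype, _, mod, _ in entries:
        counters[mtype] = counters.get(mtype, 0) + 1
        if mod in found:
            found[mod].append((mtype, counters[mtype]))
    return found

if __name__ == "__main__":
    for name, text in (("session only", SESSION_ONLY), ("auth + session", AUTH_AND_SESSION)):
        print(name, report(parse_stack(text)))
```

To inspect a real system, pass the contents of the relevant file under /etc/pam.d/ to parse_stack; files pulled in through include or substack lines are not followed and have to be checked separately.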
@stale

stale bot commented Jun 2, 2020

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 2, 2020