-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PAM: Warn about issue with systemd-user service #13025
base: master
Are you sure you want to change the base?
PAM: Warn about issue with systemd-user service #13025
Conversation
The systemd-user service currently opens PAM sessions but fails to close them, which prevents the pam_zfs_key module from working as intended. Add a warning message when this situation is detected to help system administrators diagnose the problem with their PAM configuration more quickly. Signed-off-by: Chris Lindee <chris.lindee+github@gmail.com> Closes: openzfs#13025
e75e20e
to
e5a3803
Compare
contrib/pam_zfs_key/pam_zfs_key.c
Outdated
* session optional pam_zfs_key.so | ||
*/ | ||
pam_syslog(pamh, LOG_WARNING, | ||
"Service '%s' is known to have problems with sessions", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I kept this message generic in case other services are found that violate our expectation of 1 session open and 1 session close (perhaps in a different way than systemd-user
). However, system administrators might benefit from a more detailed warning.
I'm open to suggestions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the message should point at either a ZFS issue or a systemd issue where the status can be checked for it being fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some ideas:
Expect issues; see https://github.com/systemd/systemd/issues/8598
Session will never close; see https://github.com/systemd/systemd/issues/8598
Key will not be unloaded because of https://github.com/systemd/systemd/issues/8598
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe a date? "As of 2022-01-28" + one of your suggested wordings.
I like the "Key will not be unloaded"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With a date in the message, we'll likely want to keep the value up-to-date with - at least - yearly commits. Given the original bug is over 3 years old, and the complexity required for its correct resolution, I expect this would require a long term commitment to update the date.
Let's soften it with "key may not be unloaded", which leaves open the possibility that the issue gets fixed and makes removing the warning message less urgent if a fix for systemd/systemd#8598 does materialize.
The systemd-user service currently opens PAM sessions but fails to close them, which prevents the pam_zfs_key module from working as intended. Add a warning message when this situation is detected to help system administrators diagnose the problem with their PAM configuration more quickly. Signed-off-by: Chris Lindee <chris.lindee+github@gmail.com> Closes: openzfs#13025
e5a3803
to
6f225f7
Compare
The systemd-user service currently opens PAM sessions but fails to close them, which prevents the pam_zfs_key module from working as intended. Add a warning message when this situation is detected to help system administrators diagnose the problem with their PAM configuration more quickly. Signed-off-by: Chris Lindee <chris.lindee+github@gmail.com> Closes: openzfs#13025
6f225f7
to
cc3014e
Compare
@gdevenyi What are the next steps for getting this approved? |
@@ -749,6 +778,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, | |||
"Cannot zfs_mount when not being root."); | |||
return (PAM_SUCCESS); | |||
} | |||
(void) session_roundtrip_check(pamh); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the point of returning a tristate if the only user just void-casts it? The documentation says warn, and it just warns, so why not just warn?
static void
session_roundtrip_warn(pam_handle_t *pamh)
{
const char *service;
if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service)
!= PAM_SUCCESS)
pam_syslog(pamh, LOG_NOTICE, "Unable to identify PAM service");
else if (strcmp("systemd-user", service) == 0)
pam_syslog(pamh, LOG_WARNING,
"Key may not be unloaded because of "
"https://github.com/systemd/systemd/issues/8598");
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I hoped to build on this change and add functionality based around the return value. However, I think those changes could generate a more vibrant discussion. Since this function provides value even in isolation, I decided to submit it separately.
Regardless, it doesn't seem to matter; both forms compile to the same binary on my system.
I'm just a random drive-by commenter who made a suggestion, I have no power here :) |
Well, thank you for the dialog! I appreciated the feedback. |
Motivation and Context
The systemd-user service currently opens PAM sessions but fails to close them (systemd/systemd#8598), which prevents the pam_zfs_key module from working as intended. If a system administrator were to miss this defect in their configuration, their users would not gain the full benefit of the pam_zfs_key module, as their encrypted datasets would not be locked until reboot.
Description
Add a warning message when the
systemd-user
service is detected to help system administrators notice and diagnose the problem with their PAM configuration more quickly.How Has This Been Tested?
Test Environment: Fedora 34 Server on VM
Steps:
0. Disabled SELinux
/etc/pam.d/system-auth
(included bysystemd-user
) to use pam_zfs_key. For the session section, usedjournalctl -b0
/etc/pam.d/system-auth
withjournalctl -b0
Types of changes
Checklist:
Signed-off-by
.