PAM: Warn about issue with systemd-user service #13025
Conversation
The systemd-user service currently opens PAM sessions but fails to close them, which prevents the pam_zfs_key module from working as intended. Add a warning message when this situation is detected to help system administrators diagnose the problem with their PAM configuration more quickly. Signed-off-by: Chris Lindee <chris.lindee+github@gmail.com> Closes: openzfs#13025
ColMelvin
force-pushed
the
feature.pam-warn-about-systemd-user
branch
from
e75e20e
to
e5a3803
Compare
contrib/pam_zfs_key/pam_zfs_key.c
Outdated
| * session optional pam_zfs_key.so | ||
| */ | ||
| pam_syslog(pamh, LOG_WARNING, | ||
| "Service '%s' is known to have problems with sessions", |
There was a problem hiding this comment.
I kept this message generic in case other services are found that violate our expectation of 1 session open and 1 session close (perhaps in a different way than systemd-user). However, system administrators might benefit from a more detailed warning.
I'm open to suggestions
There was a problem hiding this comment.
I think the message should point at either a ZFS issue or a systemd issue where the status can be checked for it being fixed.
There was a problem hiding this comment.
Some ideas:
Expect issues; see https://github.com/systemd/systemd/issues/8598Session will never close; see https://github.com/systemd/systemd/issues/8598Key will not be unloaded because of https://github.com/systemd/systemd/issues/8598
There was a problem hiding this comment.
Maybe a date? "As of 2022-01-28" + one of your suggested wordings.
I like the "Key will not be unloaded"
There was a problem hiding this comment.
With a date in the message, we'll likely want to keep the value up-to-date with - at least - yearly commits. Given the original bug is over 3 years old, and the complexity required for its correct resolution, I expect this would require a long term commitment to update the date.
Let's soften it with "key may not be unloaded", which leaves open the possibility that the issue gets fixed and makes removing the warning message less urgent if a fix for systemd/systemd#8598 does materialize.
The systemd-user service currently opens PAM sessions but fails to close them, which prevents the pam_zfs_key module from working as intended. Add a warning message when this situation is detected to help system administrators diagnose the problem with their PAM configuration more quickly. Signed-off-by: Chris Lindee <chris.lindee+github@gmail.com> Closes: openzfs#13025
ColMelvin
force-pushed
the
feature.pam-warn-about-systemd-user
branch
from
e5a3803
to
6f225f7
Compare
The systemd-user service currently opens PAM sessions but fails to close them, which prevents the pam_zfs_key module from working as intended. Add a warning message when this situation is detected to help system administrators diagnose the problem with their PAM configuration more quickly. Signed-off-by: Chris Lindee <chris.lindee+github@gmail.com> Closes: openzfs#13025
ColMelvin
force-pushed
the
feature.pam-warn-about-systemd-user
branch
from
6f225f7
to
cc3014e
Compare
|
@gdevenyi What are the next steps for getting this approved? |
| @@ -749,6 +778,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, | |||
| "Cannot zfs_mount when not being root."); | |||
| return (PAM_SUCCESS); | |||
| } | |||
| (void) session_roundtrip_check(pamh); | |||
There was a problem hiding this comment.
What's the point of returning a tristate if the only user just void-casts it? The documentation says warn, and it just warns, so why not just warn?
static void
session_roundtrip_warn(pam_handle_t *pamh)
{
const char *service;
if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service)
!= PAM_SUCCESS)
pam_syslog(pamh, LOG_NOTICE, "Unable to identify PAM service");
else if (strcmp("systemd-user", service) == 0)
pam_syslog(pamh, LOG_WARNING,
"Key may not be unloaded because of "
"https://github.com/systemd/systemd/issues/8598");
}There was a problem hiding this comment.
I hoped to build on this change and add functionality based around the return value. However, I think those changes could generate a more vibrant discussion. Since this function provides value even in isolation, I decided to submit it separately.
Regardless, it doesn't seem to matter; both forms compile to the same binary on my system.
I'm just a random drive-by commenter who made a suggestion, I have no power here :) |
Well, thank you for the dialog! I appreciated the feedback. |
Motivation and Context
The systemd-user service currently opens PAM sessions but fails to close them (systemd/systemd#8598), which prevents the pam_zfs_key module from working as intended. If a system administrator were to miss this defect in their configuration, their users would not gain the full benefit of the pam_zfs_key module, as their encrypted datasets would not be locked until reboot.
Description
Add a warning message when the
systemd-userservice is detected to help system administrators notice and diagnose the problem with their PAM configuration more quickly.How Has This Been Tested?
Test Environment: Fedora 34 Server on VM
Steps:
0. Disabled SELinux
/etc/pam.d/system-auth(included bysystemd-user) to use pam_zfs_key. For the session section, usedjournalctl -b0/etc/pam.d/system-authwithjournalctl -b0Types of changes
Checklist:
Signed-off-by.