x-itec / pam-encfs

Automatically exported from code.google.com/p/pam-encfs

pam_encfs auto-dismount of filesystem when user still has a login. (multiple logins) #11

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

I have noticed that if there are multiple logins by the same user and one of 
these sessions is terminated (and pam_encfs is set up in PAM against session, 
such that it dismounts the filesystem on logout), pam_encfs dismounts the 
filesystem, even though the user still has a session and may be using the 
filesystem.

Is there a way to set up the configuration such that the dismount occurs only 
when the last session of that user exits?

Original issue reported on code.google.com by mensrifl...@googlemail.com on 12 Feb 2012 at 5:59

GoogleCodeExporter commented 9 years ago
The app very simply does a umount, which shouldn't work if you have anything 
open in the directory (like for example .bash_history, although different 
versions of bash might handle that differently).

Disabling unmounting (the session part) would partially solve this, but leave 
the directory mounted. You could create a little script that does something 
like this:
    tail -f .bashrc &>/dev/null &   # -f keeps a file on the mount open, so umount is refused while it runs
    PID=$!                          # PID of the background tail ($$ would be this script's own PID)
    while sleep 30; do
      who | grep -q "$USER" || break
    done
    kill $PID
(note that this is untested)

Original comment by aagaa...@gmail.com on 12 Feb 2012 at 6:26

GoogleCodeExporter commented 9 years ago
I see what you are saying about it not unmounting if anything is open, you are 
thinking that the encfs would be their home directory so files like history 
would be open... I don't want the encfs to be their home area, I want it to be 
a separate area.

I get what you are saying about using "who" to check how many sessions the user 
has. I could build that into the code possibly. Let me take a look.

Original comment by mensrifl...@googlemail.com on 12 Feb 2012 at 6:46

GoogleCodeExporter commented 9 years ago
ok, adding this at the very top of the pam_sm_close_session function seems to 
do the trick, will have to test properly and think through the implications:

    // CHANGE START - unmount only on last session termination
    int rval;
    const char *user = NULL;
    FILE *fp;
    char logins[16];   /* room for any session count plus the trailing newline */
    int loginsInt;

    rval = pam_get_user(pamh, &user, NULL);
    if ((rval != PAM_SUCCESS) || (!user))
    {
        _pam_log(LOG_ERR, "pam_sm_close_session: can't get username: %s", pam_strerror(pamh, rval));
        return PAM_SERVICE_ERR;
    }

    /* NOTE: the account name "test" is hardcoded in this first version; it should come from `user` */
    fp = popen("who | grep -v grep | grep test | wc -l", "r");
    if (fp == NULL)
    {
        _pam_log(LOG_ERR, "pam_sm_close_session: Failed to run login check command\n");
        /* carry on and do normal behaviour, i.e. unmount */
    }
    else
    {
        if (fgets(logins, sizeof(logins), fp) != NULL)
        {
            loginsInt = atoi(logins);
            _pam_log(LOG_INFO, "User %s has logins(%d)\n", user, loginsInt);
            if (loginsInt > 0)
            {
                _pam_log(LOG_INFO, "Will not dismount encfs filesystem\n");
                pclose(fp);   /* release the pipe before the early return */
                return PAM_IGNORE;
            }
        }
        else
        {
            _pam_log(LOG_ERR, "pam_sm_close_session: Failed to capture result from login check command\n");
            /* carry on and do normal behaviour, i.e. unmount */
        }
        pclose(fp);
    }

    _pam_log(LOG_INFO, "Dismounting encfs filesystem\n");
    // CHANGE END

Original comment by mensrifl...@googlemail.com on 12 Feb 2012 at 7:06

GoogleCodeExporter commented 9 years ago
I notice that "who" does not capture sftp connections..

changed to:
    char cmd[256];
    /* `user` is placed unescaped inside a shell command: reject names containing shell
       metacharacters before this point. snprintf bounds the write; the trailing space in
       '^%s ' anchors on the end of the USER column so "al" does not also count "alice". */
    snprintf(cmd, sizeof(cmd), "ps auxww | grep -v grep | grep sshd | egrep '^%s ' | wc -l", user);
    fp = popen(cmd, "r");
and
    if ( loginsInt > 1 )   /* > 1: the sshd process for the session now closing is still listed */

Original comment by mensrifl...@googlemail.com on 12 Feb 2012 at 8:39
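An added example, not from pam-encfs and not from anyone in this thread: the two snippets above count a user's sessions by building a shell pipeline with sprintf and popen, so the name returned by pam_get_user ends up unescaped inside a shell command, and a loose prefix match on the ps output can count another user's processes. The C below does the same check without a shell: is_safe_username validates a name against a conservative charset (a guard worth having before any popen), and count_user_processes counts processes owned by a uid, optionally filtered by command name such as "sshd", by reading /proc/<pid>/status directly. The function names and the /proc parsing are my own, and the code assumes a Linux /proc.

```c
// Added example (not pam-encfs code): count a user's processes by walking /proc
// instead of shelling out through popen(). Assumes Linux /proc.
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if `name` is a plain username (alphanumerics, '_', '-', '.', not
 * starting with '-', at most 32 chars), 0 otherwise. Use this before ever
 * interpolating a username into a shell command. */
int is_safe_username(const char *name)
{
    size_t len;
    if (name == NULL || *name == '\0')
        return 0;
    len = strlen(name);
    if (len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
        if (i == 0 && c == '-')
            return 0;
    }
    return 1;
}

/* Parse /proc/<pid>/status: fill *uid with the real uid and comm with the
 * "Name:" field. Returns 0 on success, -1 if the file could not be read
 * (the process may have exited between readdir() and fopen()). */
static int read_status(const char *pid, uid_t *uid, char *comm, size_t commsz)
{
    char path[64];
    char line[256];
    int have_uid = 0, have_name = 0;
    FILE *fp;

    snprintf(path, sizeof(path), "/proc/%s/status", pid);
    fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    while (fgets(line, sizeof(line), fp) != NULL) {
        if (strncmp(line, "Name:\t", 6) == 0) {
            strncpy(comm, line + 6, commsz - 1);
            comm[commsz - 1] = '\0';
            comm[strcspn(comm, "\n")] = '\0';
            have_name = 1;
        } else if (strncmp(line, "Uid:\t", 5) == 0) {
            unsigned long real_uid;
            if (sscanf(line + 5, "%lu", &real_uid) == 1) {
                *uid = (uid_t)real_uid;
                have_uid = 1;
            }
        }
        if (have_uid && have_name)
            break;
    }
    fclose(fp);
    return (have_uid && have_name) ? 0 : -1;
}

/* Count processes whose real uid equals `uid`. If `comm` is non-NULL only
 * processes with exactly that command name are counted (e.g. "sshd").
 * Returns the count, or -1 if /proc cannot be opened. */
int count_user_processes(uid_t uid, const char *comm)
{
    DIR *d = opendir("/proc");
    struct dirent *ent;
    int count = 0;

    if (d == NULL)
        return -1;
    while ((ent = readdir(d)) != NULL) {
        uid_t puid = 0;
        char name[64];
        if (!isdigit((unsigned char)ent->d_name[0]))
            continue;  /* only numeric entries are processes */
        if (read_status(ent->d_name, &puid, name, sizeof(name)) != 0)
            continue;  /* process vanished or unreadable; skip it */
        if (puid != uid)
            continue;
        if (comm != NULL && strcmp(name, comm) != 0)
            continue;
        count++;
    }
    closedir(d);
    return count;
}

int main(void)
{
    int n = count_user_processes(getuid(), NULL);
    printf("processes owned by uid %lu: %d\n", (unsigned long)getuid(), n);
    printf("'alice' safe: %d, 'a;rm -rf /' safe: %d\n",
           is_safe_username("alice"), is_safe_username("a;rm -rf /"));
    return 0;
}
```

Inside pam_sm_close_session one would resolve `user` to a uid with getpwnam() and call count_user_processes(uid, "sshd"), keeping the same "> 1" threshold as the thread's version because the sshd process for the session being closed is still listed at that point. Because no shell is involved, the username never needs escaping, and an exact strcmp on the command name replaces the prefix regex.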