
pam-encfs - issue #6
pam_encfs unmounts even if user is still logged in on a different (p/t)ty
What steps will reproduce the problem?
1. login as user on a tty1
2. login as the same user on tty2
3. logout from tty1; the encrypted home will be unmounted
What is the expected output? What do you see instead?
I would expect the encrypted directory will remain mounted until the user logs out the very last session (i.e. from tty2 in the example).
What version of the product are you using? On what operating system?
Linux, gentoo, pam-encfs-0.1.4.4
Please provide any additional information below.
Just ask whatever needed.
Comment #1
Posted on Aug 23, 2011 by Swift Giraffe
Hm, that's odd. Your login should block the umount from working (as it should lock the directory as being in use).
This "flaw" is actually by design. I could count the amount of times a user is logged in. But it's safer to just try a umount every time, as it shouldn't succeed if user is logged in.
I assume you're doing this directly in a terminal? What shell are you using? Where is your $HOME set and can you attach your pam_encfs.conf file?
Comment #2
Posted on Aug 23, 2011 by Massive Camel
Thanks for dealing with the issue. Here are the answers:
I assume you're doing this directly in a terminal? Yes. I just switch to tty5 (alt+F5), log in as user, switch to tty6 (alt+F6), log in as the same user. Then I log out from tty5 by ctrl+d.
What shell are you using? bash
Where is your $HOME set To /home/dtihelka
and can you attach your pam_encfs.conf file? Yes, see the attachment.
- pam_encfs.conf 1.59KB
Comment #3
Posted on Aug 27, 2011 by Happy Rabbit
Hm, this is odd.
What file system are you using on wherever pam_encfs is mounting home from?
Comment #4
Posted on Aug 29, 2011 by Massive Camel
Hello,
I use ext4 without journaling (on SSD). I also use 'elevator=noot' as kernel boot option, although I suppose that it should not be related to the issue.
Comment #5
Posted on Sep 1, 2011 by Swift Giraffe
Sorry about the lack of reply on this.
This is a limitation of the module right now. In general the filesystem should lock any mount you are using files in. And bash did in my testing also do this. I unfortunately don't have the resources right now to implement a fix for this.
I'd be happy to accept a patch though!
Comment #6
Posted on Sep 1, 2011 by Massive Camel
OK. Could you, please, give me some hints/ideas how to implement the fix? I am not very familiar with PAM, but I believe that with some knowledge (what to implement and how, if possible) I could be able to make the patch.
Comment #7
Posted on Sep 2, 2011 by Swift Giraffe
Absolutely.
What you wanna be looking at is pam_sm_authenticate, possibly pam_sm_open_session, and pam_sm_close_session.
Authenticate does the authentication and mounts. And open and close session opens and closes the session(!).
The logic is very simple now. During authenticate we try to auth by checking if we can do a successful encfs mount (if we're not already mounted. If we're mounted we just return a PAM_IGNORE). And pam_sm_close_session just runs umount directly.
You'd probably want to hook open and close session, count how many times a user is logged in (securely). And umount only when that count reaches 0.
If you make a patch, or get stuck anywhere, feel free to ask for help :)
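The counting approach suggested in Comment #7, sketched as an added example that is not part of the original thread or of the pam-encfs code: a per-user session counter kept in a locked file, which the open and close session hooks could call. The function name `session_count_adjust`, the counter directory and the user name `alice` are hypothetical; the directory is assumed to be root-owned and not writable by other users.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>
/* Hypothetical helper: adjust the user's session counter by delta (+1 from
 * pam_sm_open_session, -1 from pam_sm_close_session) and return the new
 * count, or -1 on error. Assumes dir is root-owned and not user-writable. */
long session_count_adjust(const char *dir, const char *user, int delta)
{
    char path[512], buf[32] = "";
    long count = 0;
    /* The user name becomes a file name: refuse path tricks. */
    if (!*user || user[0] == '.' || strchr(user, '/'))
        return -1;
    if (snprintf(path, sizeof path, "%s/%s", dir, user) >= (int)sizeof path)
        return -1;
    /* O_NOFOLLOW: never write through a planted symlink. */
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    /* Exclusive lock so concurrent logins/logouts cannot lose an update. */
    if (flock(fd, LOCK_EX) != 0) { close(fd); return -1; }
    if (pread(fd, buf, sizeof buf - 1, 0) > 0)
        count = strtol(buf, NULL, 10);
    count += delta;
    if (count < 0)
        count = 0;   /* unmatched close or stale file */
    int len = snprintf(buf, sizeof buf, "%ld\n", count);
    if (ftruncate(fd, 0) != 0 || pwrite(fd, buf, len, 0) != len)
        count = -1;
    close(fd);       /* closing the descriptor releases the lock */
    return count;
}

int main(void)
{
    char dir[] = "/tmp/pam_refcntXXXXXX";   /* constructed test directory */
    if (!mkdtemp(dir)) return 1;
    session_count_adjust(dir, "alice", +1);            /* login on tty1 */
    session_count_adjust(dir, "alice", +1);            /* login on tty2 */
    long n = session_count_adjust(dir, "alice", -1);   /* logout from tty1 */
    printf("sessions left: %ld -> %s\n", n, n == 0 ? "umount" : "keep mounted");
    return 0;
}
```

A counter like this goes stale if a session dies without calling close_session, so keeping the directory on a filesystem that is cleared at boot is an assumption worth making explicit.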
Status: WontFix
Labels:
Type-Defect
Priority-Medium