Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pulseaudio fails to automatically start on login when the home directory is encrypted #270

Closed
mahiarmody opened this issue Dec 5, 2020 · 6 comments
Labels

Comments

@mahiarmody
Copy link

My environment is the Ubuntu 20.04. I installed fscrypt after compiling from source as described on this GitHub site. After installing fscrypt I noticed that pulseaudio failed to automatically start after login. I had to explicitly start pulseaudio manually each time using:
pulseaudio --start

Here are my system details:

Kernel version:
5.4.0-56-generic

Ubuntu details:
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

fscrypt version:
fscrypt version v0.2.9-11-gcc933cd

To fix this issue permanently, I had to make the following change:

In file /etc/pam.d/common-session move the line containing pam_systemd.so below the line
containing pam_fscrypt.so.

So, in file: /etc/pam.d/common-session change the "Additional block" section like so:

FROM:

# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_systemd.so
session optional /usr/lib/security/pam_fscrypt.so drop_caches lock_policies
# end of pam-auth-update config

TO:

# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional /usr/lib/security/pam_fscrypt.so drop_caches lock_policies
session optional pam_systemd.so
# end of pam-auth-update config

I found this fix by referring to the following link:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416

It would be great if this could be handled automatically at install time.

Thank you.

@petergardfjall
Copy link

I can confirm the issue. I'm also running Ubuntu 20.04.1 LTS, 5.4.0-56-generic (though I'm on Xubuntu).
fscrypt v0.2.9 built from source.

I didn't dare fiddling with pam settings, but just manually run systemctl --user restart pulseaudio.service after login. I'll look into you solution.

@mahiarmody
Copy link
Author

Actually, I've found another way of handling this issue. One that does not require a direct edit to be made to the
/etc/pam.d/common-session file. Perhaps this is a better way. Not sure. I'll leave it to the viewer to decide. Here we go:

Find the pam_unix.so and pam_systemd.so configuration files
Find the files that pertain to the configurations of pam_unix.so and pam_systemd.so in the directory:
/usr/share/pam-configs/

This can be done like so:
grep -i -l "pam_unix.so\|pam_systemd.so" /usr/share/pam-configs/*

Output:

/usr/share/pam-configs/systemd
/usr/share/pam-configs/unix

Obtain the Name: & Priority: attributes/properties
Once the relevant file names are obtained, identify the Name: and Priorty: attributes/properties of all the files in the above-mentioned directory namely: /usr/share/pam-configs/
This can be done like so:
grep -i "Priority:\|Name:" /usr/share/pam-configs/*

Output:

/usr/share/pam-configs/capability:Name: Inheritable Capabilities Management
/usr/share/pam-configs/capability:Priority: 0
/usr/share/pam-configs/fprintd.amd64:Name: Fingerprint authentication
/usr/share/pam-configs/fprintd.amd64:Priority: 260
/usr/share/pam-configs/fscrypt:Name: fscrypt PAM passphrase support
/usr/share/pam-configs/fscrypt:Priority: 252
/usr/share/pam-configs/gnome-keyring:Name: GNOME Keyring Daemon - Login keyring management
/usr/share/pam-configs/gnome-keyring:Priority: 0
/usr/share/pam-configs/mkhomedir:Name: Create home directory on login
/usr/share/pam-configs/mkhomedir:Priority: 0
/usr/share/pam-configs/systemd:Name: Register user sessions in the systemd control group hierarchy
/usr/share/pam-configs/systemd:Priority: 0
/usr/share/pam-configs/unix:Name: Unix authentication
/usr/share/pam-configs/unix:Priority: 256

Select a new priority number for fscrypt
Next, choose a priority number that is between the priority numbers listed for the files /usr/share/pam-configs/unix
and /usr/share/pam-configs/systemd ensuring that the chosen priority number is unique and is not used by any other file in the above-mentioned directory (viz. /usr/share/pam-configs/)

Referring to the example above, we have:
/usr/share/pam-configs/systemd: Priority: 0
/usr/share/pam-configs/unix: Priority: 256

So, the priority number must be between 0 and 256. Say we arbitrarily choose a priority number of: 252. Set this arbitrarily chosen priority number viz. 252 as the priority for the file:
/usr/share/pam-configs/fscrypt

So, change the contents of file: /usr/share/pam-configs/fscrypt

FROM:

Name: fscrypt PAM passphrase

support
Default: yes
Priority: 0
Auth-Type: Additional
Auth-Final:
optional /usr/lib/security/pam_fscrypt.so
Session-Type: Additional
Session-Interactive-Only: yes
Session-Final:
optional /usr/lib/security/pam_fscrypt.so drop_caches lock_policies
Password-Type: Additional
Password-Final:
optional /usr/lib/security/pam_fscrypt.so

TO:

Name: fscrypt PAM passphrase support
Default: yes
Priority: 252
Auth-Type: Additional
Auth-Final:
optional /usr/lib/security/pam_fscrypt.so
Session-Type: Additional
Session-Interactive-Only: yes
Session-Final:
optional /usr/lib/security/pam_fscrypt.so drop_caches lock_policies
Password-Type: Additional
Password-Final:
optional /usr/lib/security/pam_fscrypt.so

Note of the "Name:" attribute/property of the configuration files
Next, make a note of the "Name:" attribute/property of the files:
/usr/share/pam-configs/fscrypt
/usr/share/pam-configs/systemd
/usr/share/pam-configs/unix

In the above example they are respectively:
/usr/share/pam-configs/fscrypt: Name: fscrypt PAM passphrase support
/usr/share/pam-configs/systemd: Name: Register user sessions in the systemd control group hierarchy
/usr/share/pam-configs/unix: Name: Unix authentication

Based on our recent changes to the Priority: attribute, the modules should be ordered according to priority as:
Unix authentication (Priority: 256)
fscrypt PAM passphrase support (Priority: 252)
Register user sessions in the systemd control group hierarchy (Priority: 0)
in the next step

Verify and update the module configuration changes
Next, run the command: sudo pam-auth-update

In screen that opens ensure that in the displayed modules are ordered such that the module
Unix authentication comes before module
fscrypt PAM passphrase support, which comes before module
Register user sessions in the systemd control group hierarchy

Tab to the <Ok> option at the bottom of the screen

For example:

PAM profiles to enable:

 [ ] Fingerprint authentication     
 [*] Unix authentication   
 [*] fscrypt PAM passphrase support  
 [*] Register user sessions in the systemd control group hierarchy 
 [ ] Create home directory on login 
 [*] GNOME Keyring Daemon - Login keyring management  
 [*] Inheritable Capabilities Management 

Verify changes are automatically reflected
Now, verify that the file /etc/pam.d/common-session is correctly ordered. This can be easily verified like so:
cat /etc/pam.d/common-session

Output:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of any kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional /usr/lib/security/pam_fscrypt.so drop_caches lock_policies
session optional pam_systemd.so
# end of pam-auth-update config

That's it

ramcq added a commit to ramcq/fscrypt that referenced this issue Mar 2, 2021
Services launched by systemd user sessions on Debian / Ubuntu systems are often not able to access the home directory, because there is no guarantee / requirement that pam_fscrypt is sequenced before pam_systemd. Although this pam-config mechanism is Debian-specific, the config file is provided here upstream and unmodified in Debian. Raising the priority here so that it's always ordered ahead of pam_systemd will solve issues such as google#270, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.
@ramcq
Copy link
Contributor

ramcq commented Mar 2, 2021

The Debian/Ubuntu pam-config for fscrypt is defined upstream, namely here - https://github.com/google/fscrypt/blob/master/pam_fscrypt/config#L3 - so a simple MR can solve this bug for Debian & derivs: #278

Also noting here that if you have "lingering" enabled for your user in logind, then systemd will launch the user session at system boot time, causing the same problem. loginctl disable-linger <user> is required in this case.

ramcq added a commit to ramcq/fscrypt that referenced this issue Mar 3, 2021
Services launched by systemd user sessions on Debian / Ubuntu systems
are often not able to access the home directory, because there is no
guarantee / requirement that pam_fscrypt is sequenced before
pam_systemd.

Although this pam-config mechanism is Debian-specific, the config file
is provided here upstream and unmodified in Debian. Raising the
priority here so that it's always ordered ahead of pam_systemd will
solve issues such as google#270,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.

After a survey of pam-config files available in Debian bullseye, the
value of 100 was chosen as it appears after most other plugins that
could be involved in more explicit homedir configuration (eg pam_mount
at 128) but before those which seem unlikely to work without a home
directory (eg pam_ssh at 64).
ebiggers pushed a commit that referenced this issue Mar 3, 2021
Services launched by systemd user sessions on Debian / Ubuntu systems
are often not able to access the home directory, because there is no
guarantee / requirement that pam_fscrypt is sequenced before
pam_systemd.

Although this pam-config mechanism is Debian-specific, the config file
is provided here upstream and unmodified in Debian. Raising the
priority here so that it's always ordered ahead of pam_systemd will
solve issues such as #270,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.

After a survey of pam-config files available in Debian bullseye, the
value of 100 was chosen as it appears after most other plugins that
could be involved in more explicit homedir configuration (eg pam_mount
at 128) but before those which seem unlikely to work without a home
directory (eg pam_ssh at 64).
@ebiggers
Copy link
Collaborator

ebiggers commented Mar 9, 2021

This was fixed for users of Debian-based distros (distros using pam-config-framework) by increasing the priority of pam_fscrypt (#278). The improved documentation (#281 and an Arch Wiki update) also addressed this issue for users of non-Debian-based distros, to the extent possible.

Please note that this issue won't be fixed in the libpam-fscrypt Ubuntu package until a new release of fscrypt is made and Ubuntu upgrades to that version. However, you can always install the latest version of fscrypt from source, or fix the PAM configuration file yourself.

@ebiggers ebiggers closed this as completed Mar 9, 2021
@bk138
Copy link

bk138 commented Jun 20, 2021

Just stumbled over this and want to mention for other readers that the fix is not yet integrated into the Debian package at the time of writing this. Related Debian bug is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986688

@ebiggers ebiggers added the bug label Jun 27, 2021
@bill88t
Copy link

bill88t commented Feb 22, 2022

Just stumbled over this and want to mention for other readers that the fix is not yet integrated into the Debian package at the time of writing this. Related Debian bug is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986688

It's 22/2/22 and I had do it manually on Raspberry Pi OS bullseye..
But it fixed it.
Debian derivatives really take their sweet time implementing fixes onto the packages...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

6 participants