
Bug 330995

Summary: sys-auth/pam_mount causes error in app-admin/sudo: HXproc_run_async: pmvarrun: No such file or directory
Product: Gentoo Linux Reporter: Ihar Hrachyshka <ihar.hrachyshka>
Component: [OLD] Core system Assignee: Hanno Böck <hanno>
Severity: normal CC: base-system, gef.kornflakes, hkmaly, mephinet, mlspamcb, pam-bugs+disabled, rdwald
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---

Description Ihar Hrachyshka 2010-08-03 09:25:24 UTC
After upgrading to sudo-1.7.3, I get the following warning messages when running sudo with any command:
user@host ~ $ sudo true
HXproc_run_async: pmvarrun: No such file or directory
HXproc_run_async: pmvarrun: No such file or directory

Though sudo works, these messages are not that convenient. Downgrading to sudo-1.7.2* temporarily fixes the problem.

user@host ~ $ whereis pmvarrun
pmvarrun: /usr/sbin/pmvarrun /usr/share/man/man8/pmvarrun.8.bz2
user@host ~ $ equery belongs /usr/sbin/pmvarrun
[ Searching for file(s) /usr/sbin/pmvarrun in *... ]
sys-auth/pam_mount-2.1 (/usr/sbin/pmvarrun)
user@host ~ $ 

I use pam_mount to mount encrypted /home/user partition when signing in (and unmounting it when user is not logged in anymore). Here are some configuration files:

user@host ~ $ cat /etc/pam.d/system-auth 
auth            required 
auth            required try_first_pass likeauth nullok 
auth            optional
account         required 
password        required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
password        required try_first_pass use_authtok nullok sha512 shadow 
session         required 
session         required 
session         required 
session         optional
session         optional

user@host ~ $ cat /etc/security/pam_mount.conf.xml 
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
        See pam_mount.conf(5) for a description.


                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="0" />

                <!-- Volume definitions -->
<volume user="user" fstype="crypt" path="/dev/sda3" mountpoint="/home/user" fskeyhash="sha1"/>

                <!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />

                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

user@host ~ $ 

Reproducible: Always

Steps to Reproduce:
1. emerge sudo-1.7.3, pam_mount-2.1.
2. Alter system-auth PAM configuration file to use pam_mount authentication module.
3. Set up pam_mount-2.1 with encrypted home partition (possibly not needed).
4. Run 'sudo any_command'

user@host ~ $ emerge --info
Portage (default/linux/amd64/10.0/desktop, gcc-4.4.3, glibc-2.11.2-r0, 2.6.34-gentoo-r1 x86_64)
System uname: Linux-2.6.34-gentoo-r1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8600_@_2.40GHz-with-gentoo-1.12.13
Timestamp of tree: Mon, 02 Aug 2010 22:30:01 +0000
app-shells/bash:     4.0_p37
dev-java/java-config: 2.1.11
dev-lang/python:     2.6.5-r2, 3.1.2-r3
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.65
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.3-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_LICENSE="* -@EULA AdobeFlash-10.1 PUEL skype-eula"
CFLAGS="-O2 -pipe -march=native"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /usr/local/portage"
USE="X a52 aac acl acpi alsa amd64 bash-completion berkdb bluetooth branding bzip2 cairo cdr cli consolekit cracklib crypt cscope cups cxx dbus djvu dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif gimp gpm gtk hal iconv ipv6 jpeg laptop lcms ldap libnotify mad matroska mikmod mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl nptlonly ogg opengl openmp pam pango pcre pdf perl png ppds pppd python qt3support qt4 readline reflection samba sdl session sound speex spell spl sse sse2 ssl startup-notification stream svg sysfs tcpd theora tiff truetype udev unicode usb vim-syntax vorbis x264 xcb xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="radeon vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-03 09:33:16 UTC
Hmm, I don't think you should be using pam_mount with system-auth but rather with system-login. Semantics do change a lot.
Comment 2 Ihar Hrachyshka 2010-08-03 09:44:35 UTC
Thanks, Diego, this helps.
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-03 09:50:50 UTC
Of course it's not a complete fix, as it shouldn't be printing that repeatedly... I wonder why it doesn't actually hardcode the full path in the module... and why it installs in /usr/sbin at all, it seems it should be in /usr/libexec to me.

But Hanno will know better :)
Comment 4 Ihar Hrachyshka 2010-08-03 22:01:30 UTC
Actually, the 'fix' didn't work - it worked for me just because I was already logged in so there was no need to mount home partition. I didn't manage to set up pam_mount module to be loaded by PAM when using system-login so I reverted back to system-auth file and it works again.

Diego, could you suggest documentation on how to set pam_mount up with system-login file? Currently it's beyond my understanding.
Comment 5 Randall Wald 2010-08-04 19:40:07 UTC
I'm running into the same bug with sudo-1.7.3 and pam_mount...what configuration files do you guys want?
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-04 19:47:55 UTC
I really don't understand, 1.7.3 shows no change in PATH handling. But whatever the problem, I can't see why pam_mount should rely on PATH being set at all.

Hanno can you make it hardcode the path during build?
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-04 20:02:44 UTC
I already receive two messages for change in this bug, no more please.
Comment 8 Nico Baggus 2010-08-20 01:58:22 UTC
The solution for me was:
modify the <pmvarrun   /> entry to point to /usr/sbin/pmvarrun
by default it is apparently searched for in the user's path (and an ordinary user doesn't have /usr/sbin in its path).

Also note that the upgrade of pam_mount wipes the pam_mount.conf.xml, not nice.
Luckily I had a backup of it.

This also isn't a sudo problem but a pam_mount problem.
Comment 9 Gef 2010-10-30 00:56:09 UTC
(In reply to comment #8)
> The solution for me was:
> modify the <pmvarrun   /> entry to point to /usr/sbin/pmvarrun
> by default it is apparently searched for in the user's path (and an ordinary user
> doesn't have /usr/sbin in its path).

I can confirm the following line in pam_mount.conf.xml helps for non-root logins:
<pmvarrun>/usr/sbin/pmvarrun -u %(USER)</pmvarrun>
Comment 10 Hanno Böck gentoo-dev 2010-11-28 01:57:25 UTC
I've now changed pam_mount to install pmvarrun to bin instead of sbin. This should fix this. I've also sent this upstream, let's see if he likes this solution or if we find another one.
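
Added example, not part of the bug report or of pam_mount's own code: a small audit of the <pmvarrun> entry discussed in comments 8 and 9, showing why a bare helper name resolves for one caller's PATH and fails for another, while the pinned absolute path does not depend on PATH at all. The function name, the sample configs, the PATH strings and the simulated file set are constructed for illustration.

```python
import shlex
import xml.etree.ElementTree as ET

def audit_helper(conf_xml, path, existing_files, element="pmvarrun"):
    """Classify how the helper configured in <element> would be located.

    path           -- PATH of the process that loads pam_mount (e.g. sudo)
    existing_files -- set of absolute paths standing in for the filesystem
    """
    node = ET.fromstring(conf_xml).find(element)
    if node is None or not (node.text or "").strip():
        # No explicit command: whatever the module's built-in default is
        # applies (the thread reports it is searched for via PATH).
        return ("unset", None)
    program = shlex.split(node.text)[0]
    if program.startswith("/"):
        ok = program in existing_files
        return ("absolute-ok" if ok else "absolute-missing", program)
    for d in path.split(":"):
        # Empty or relative PATH entries mean "current directory"; a
        # privileged module should never resolve a helper through them.
        if not d.startswith("/"):
            continue
        candidate = d.rstrip("/") + "/" + program
        if candidate in existing_files:
            return ("path-dependent", candidate)
    return ("not-found", program)

# Constructed sample inputs (not taken from a real system).
RELATIVE_CONF = """<pam_mount>
  <pmvarrun>pmvarrun -u %(USER)</pmvarrun>
</pam_mount>"""
PINNED_CONF = """<pam_mount>
  <pmvarrun>/usr/sbin/pmvarrun -u %(USER)</pmvarrun>
</pam_mount>"""
FILES = {"/usr/sbin/pmvarrun"}
USER_PATH = "/usr/local/bin:/usr/bin:/bin"
ROOT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

if __name__ == "__main__":
    for label, conf, path in [
        ("relative, user PATH", RELATIVE_CONF, USER_PATH),
        ("relative, root PATH", RELATIVE_CONF, ROOT_PATH),
        ("pinned, user PATH", PINNED_CONF, USER_PATH),
    ]:
        print(label, "->", audit_helper(conf, path, FILES))
```

A "path-dependent" result is worth flagging even though the helper is found, because the outcome changes with the environment of whichever program loaded the PAM stack.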