
Re: Encrypted home and pam_mount



On 05/03/2024 03:37, Andrey Dogadkin wrote:
> On Sun, 2024-03-03 at 21:27 +0700, Max Nikulin wrote:
>> https://github.com/systemd/systemd/issues/8598#issuecomment-376845082
>> "systemd-user doesn't properly close its PAM session"
>
> I saw that issue and it didn't strike me as related to my case,
> pam_mount works fine as long as I allow it to shoot everything down.

It may be tricky to properly finish all user processes before closing the PAM session. Examples of what may go wrong:
- pam-sd (systemd) dropped privileges and is unable to perform umount
- user@.service has not finished yet, so some processes from the systemd user service have files open
- The process that should close the PAM session is killed by systemd when user@.service is stopped. Should not happen with default systemd-logind settings in Debian.

> The thing is, even if I set absurdly big wait delay in pam_mount's
> logout statement, I can still observe pulseaudio and dbus-daemon
> running throughout the whole delay period. Systemd makes no attempt to
> stop them before or while pam_mount is running, that's why it seems
> like an ordering problem rather than just things being late.

I think systemd-logind should initiate termination of the systemd user session when UserStopDelaySec has elapsed after all processes that belong to the current PAM session are finished. It may include the process that is waiting before locking (closing) the encrypted device. Sounds like a kind of deadlock.

If pam_mount allows it, I would try to not unmount the device in pam_close and instead ask user@.service to do it.


