Home / server / Questions / 1082119
Accepted
Lucio Crusca
Asked: 2021-10-30 09:19:31 +0800 CST

mount.ecryptfs_private in .xsession started by nodm/lightdm complains with "mount: no such file or directory"

  • 772

I'm trying to decrypt the Private directory inside a user $HOME automatically at system startup. The system is a Debian GNU/Linux 10 (actually a Raspbian, but I assume it's no different to this end) that uses NoDM to start Xorg.

EDIT 1: I've now tried installing a clean Debian 11 with Nodm in a virtual machine and I face exactly the same problem described here below.

Nodm automatically logs the unprivileged user in, and it runs the $HOME/.xsession startup script.

I have the following script, that is being called by .xsession:

#!/bin/bash -x
# Original by Michael Halcrow, IBM
# Extracted to a stand-alone script by Dustin Kirkland
# Edited on 2021-10-28 by Lucio Crusca

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PD="Private"    
WPF="$HOME/.ecryptfs/wrapped-passphrase"
MPSF="$HOME/.ecryptfs/$PD.sig"

if /sbin/mount.ecryptfs_private ; then
    exit 0
fi

if [ -f "$WPF" -a -f "$MPSF" ]; then
        if [ $(wc -l < "$MPSF") = "1" ]; then
            if printf "%s\0" "$LP" | ecryptfs-unwrap-passphrase "$WPF" - | ecryptfs-add-passphrase -; then
                echo Ok
            else
                echo incorrect LP
                exit 1
            fi
        else
            if printf "%s\0" "$LP" | ecryptfs-insert-wrapped-passphrase-into-keyring "$WPF" - ; then
                echo Ok
            else
                echo incorrect LP
                exit 1
            fi
        fi
    /sbin/mount.ecryptfs_private
else
    echo Setup error
    exit 1
fi
exit 0

It is a stripped down version of /usr/bin/ecryptfs-mount-private. It executes just the same commands, but it expects the LP environment variable to contain the passphrase instead of asking for the passphrase interactively.

I saved this script as $HOME/el-mount.sh. When my system boots and NoDM starts, it executes .xsession that in turn calls my script, redirecting stdout and stderr to a logfile for debug. The thing does not work, in that it outputs this:

...
+ /sbin/mount.ecryptfs_private
mount: No such file or directory

However if I connect to the system via ssh and run the same el-mount.sh script, logged in as the same user configured in NoDM, the script flawlessy works. Just in case you wonder, the LP variable is correctly set in both cases (already checked in the logfile).

I've already tried switching from NoDM to lightdm-autologin-greeter, but I get just the same outcome.

How do I make mount.ecryptfs_private work when called during autologin?

debian ecryptfs

1 Answers

  1. Best Answer

    I've finally sorted it out. The problem is Debian bug 870126 that's still open. Until someone will fix it you'll have to work around it by manually adding:

     session    optional   pam_keyinit.so force revoke

    to /etc/pam.d/nodm (or other pam configuration file, depending on your display manager).

    • 0