As I talked about here, I wanted to move my personal media folders to my server so my Documents, etc. are available from numerous places on my network without having my Desktop PC running. Also, my server has automated backups so my personal stuff will be a bit more secure this way. I tried and failed using systemd to do this (see the above link). Eventually, during my research I got a hint that PAM (Pluggable Authentication Modules) had this feature, called logically enough - pam.mount.
This is sort of an experiment to see if this can be done well, and it will no doubt go through some changes as I fine-tune the usage of pam.mount.
So I searched and read but still ran into all sorts of trouble until I stumbled on the answer myself. It seems that activating and configuring pam.mount is rather simple, but getting USER rather than root mounts to work is, at least as far as I can tell, undocumented or incomplete on the web. Well, it must be somewhere, I just couldn't find it.
The original purpose of pam.mount was to mount network shares when the user logged in, so that boot wasn't hung by them, and to release the network mounts when not actually needed. My purpose was slightly different: they are network mounts, but I want them solely accessible by and for the user logged in and no others, and I wanted this to happen for every user. Since each user (5 of them) would have 6 personal folders mounted (Documents, Downloads, Music, Pictures, Projects, and Videos) and 1 public folder, that's 35 mounts, and more if I added any more users. That's a lot in fstab. I didn't want to use symlinks (the easiest way to do this); I wanted bind mounts because they act more like local folders.
My boundaries for this purpose were: as little as possible in /etc/fstab, no additional sudo rules (to allow users to mount their own folders), using NFSv4 to mount the shared folders (which also means less in fstab), and functionality as transparent to the end user as possible.
I also use btrfs everywhere and subvolumes are part of the setup. I will skip the mounting and creation of the folders on the server and how they're mounted.
For this how-to you need only know:
The public folders are mounted in fstab in a single NFSv4 entry at "/shared" on my desktop.
The private folders are mounted in the same way at "/mnt/private".
If I access /mnt/private directly as my user, I see five folders there - one for each user - but I can only access my own, because each of them has permissions 700.
My goal is to bind-mount each of the folders to my user home as I log in and unmount them when I log out.
NFSv4 allows you to export and mount a single folder and access everything under it through the same mount. This means one line in fstab and one in exports.
Activating PAM.MOUNT and getting the bind mounts working:
Getting pam.mount active was simple; the files are in /etc/pam.d. Edit "common-auth" and add
auth optional pam_mount.so
to the end and edit "common-session" adding
session optional pam_mount.so
to the end.
Edit /etc/pam.d/login and add
#added for pam_mount
auth required pam_mount.so
auth required pam_unix.so use_first_pass
session optional pam_mount.so
session required pam_unix.so
to the file and save.
You then need to create a file named "pam_mount.conf.xml" in /etc/security and another file of the same name that's hidden in your home.
In /etc/security/pam_mount.conf.xml, I entered this:
Code:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="0" />
  <!-- Volume definitions -->
  <!-- pam_mount parameters: General tunables -->
  <luserconf name=".pam_mount.conf.xml" />
  <mntoptions allow="*" />
  <mntoptions deny="" />
  <mntoptions require="" />
  <logout wait="0" hup="0" term="0" kill="0" />
  <!-- pam_mount parameters: Volume-related -->
  <mkmountpoint enable="1" remove="false" />
</pam_mount>
This activates pam.mount and looks in the user's home folder for private mounts. If you have things you want root to mount, you can add them here.
Then in each user's home I created .pam_mount.conf.xml and added:
Code:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="0" />
  <!-- Volume definitions -->
  <logout wait="0" hup="0" term="0" kill="0" />
  <!-- pam_mount parameters: Volume-related -->
  <mkmountpoint enable="1" remove="false" />
  <volume options="bind" path="/mnt/private/%(USER)/Documents/" mountpoint="/home/%(USER)/Documents/" />
  <volume options="bind" path="/mnt/private/%(USER)/Downloads/" mountpoint="/home/%(USER)/Downloads/" />
  <volume options="bind" path="/mnt/private/%(USER)/Music/" mountpoint="/home/%(USER)/Music/" />
  <volume options="bind" path="/mnt/private/%(USER)/Pictures/" mountpoint="/home/%(USER)/Pictures/" />
  <volume options="bind" path="/mnt/private/%(USER)/Projects/" mountpoint="/home/%(USER)/Projects/" />
  <volume options="bind" path="/mnt/private/%(USER)/Videos/" mountpoint="/home/%(USER)/Videos/" />
</pam_mount>
The individual user file is the part I figured out on my own. If you put the %(USER) mounts in the main xml file, they're mounted as "root" instead of the user and then fail because root doesn't have these folders. I will probably move the private and public main mounts out of fstab and into the root pam.mount config.
There are dozens of other options when using pam.mount and I'm excited to dig a little deeper and really fine-tune this.
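One thing worth noticing in the two files above: the system-wide file points pam_mount at a per-user config (luserconf) that the user can edit, and its mntoptions lines allow every mount option and deny none, so the per-user file decides what gets mounted and how. The Python script below is an added example, not code from this post or from pam_mount itself. It parses a system pam_mount.conf.xml and a per-user .pam_mount.conf.xml (both constructed inline, modelled on the files above, with one deliberately bad volume added), expands %(USER) for a constructed login user "alice", and reports which volumes the allow/deny/require policy would reject and which mountpoints or source paths fall outside that user's home or /mnt/private tree. It assumes the mntoptions policy applies to per-user volumes and that a missing "require" option is only reported, not added; pam_mount's own enforcement is what counts at login, this just previews a configuration offline.

```python
"""Offline preview of pam_mount per-user volume definitions (added example)."""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample: the system-wide file from the post, whose mntoptions
# lines allow every option, deny none and require none.
PERMISSIVE_SYSTEM_CONF = """<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="0" />
  <luserconf name=".pam_mount.conf.xml" />
  <mntoptions allow="*" />
  <mntoptions deny="" />
  <mntoptions require="" />
  <logout wait="0" hup="0" term="0" kill="0" />
  <mkmountpoint enable="1" remove="false" />
</pam_mount>
"""

# Constructed sample: the same file with a tighter, illustrative policy that
# allows only a few bind-related options and refuses suid and dev outright.
STRICT_SYSTEM_CONF = PERMISSIVE_SYSTEM_CONF.replace(
    '<mntoptions allow="*" />', '<mntoptions allow="bind,ro,nosuid,nodev" />'
).replace('<mntoptions deny="" />', '<mntoptions deny="suid,dev" />')

# Constructed sample: the per-user file from the post (six bind volumes) plus
# one deliberately bad volume (suid option, mountpoint outside the home) so
# the checks below have something to flag.
USER_CONF = """<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="0" />
  <logout wait="0" hup="0" term="0" kill="0" />
  <mkmountpoint enable="1" remove="false" />
""" + "".join(
    f'  <volume options="bind" path="/mnt/private/%(USER)/{d}/" '
    f'mountpoint="/home/%(USER)/{d}/" />\n'
    for d in ("Documents", "Downloads", "Music", "Pictures", "Projects", "Videos")
) + """  <volume options="bind,suid" path="/mnt/private/%(USER)/bin/" mountpoint="/usr/local/bin/" />
</pam_mount>
"""

PRIVATE_ROOT = PurePosixPath("/mnt/private")  # the NFSv4 mount from the post
HOME_ROOT = PurePosixPath("/home")


def expand(value, user):
    """Expand the %(USER) variable for the login user, as pam_mount does."""
    return value.replace("%(USER)", user)


def parse_policy(system_xml):
    """Collect the allow/deny/require option sets from <mntoptions> elements."""
    policy = {"allow": set(), "deny": set(), "require": set()}
    for el in ET.fromstring(system_xml).iter("mntoptions"):
        for key in policy:
            if key in el.attrib:
                policy[key] |= {o for o in el.attrib[key].split(",") if o}
    return policy


def policy_warnings(policy):
    """Configuration-level findings that do not depend on any one volume."""
    warnings = []
    if "*" in policy["allow"] and not policy["deny"]:
        warnings.append("mntoptions allow every option and deny none: "
                        "per-user configs may request any mount option")
    return warnings


def check_volume(vol, user, policy):
    """Describe one per-user <volume> and list the problems found with it."""
    opts = {o for o in vol.get("options", "").split(",") if o}
    path = PurePosixPath(expand(vol.get("path", ""), user))
    mountpoint = PurePosixPath(expand(vol.get("mountpoint", ""), user))
    problems = []
    if "*" not in policy["allow"]:
        problems += [f"option {o!r} is not in the allow list" for o in sorted(opts - policy["allow"])]
    problems += [f"option {o!r} is denied" for o in sorted(opts & policy["deny"])]
    # Assumption: a missing required option is reported here, not added.
    problems += [f"required option {o!r} is missing" for o in sorted(policy["require"] - opts)]
    home = HOME_ROOT / user
    if home not in mountpoint.parents:
        problems.append(f"mountpoint {mountpoint} is outside {home}")
    if (PRIVATE_ROOT / user) not in path.parents:
        problems.append(f"source {path} is outside {PRIVATE_ROOT / user}")
    return {"path": str(path), "mountpoint": str(mountpoint),
            "options": sorted(opts), "problems": problems}


def check_config(system_xml, user_xml, user):
    """Apply the system policy to every volume in the per-user file."""
    policy = parse_policy(system_xml)
    volumes = [check_volume(v, user, policy) for v in ET.fromstring(user_xml).iter("volume")]
    return {"policy_warnings": policy_warnings(policy), "volumes": volumes}


if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE_SYSTEM_CONF), ("strict", STRICT_SYSTEM_CONF)):
        report = check_config(conf, USER_CONF, "alice")
        print(f"== {label} system policy ==")
        for w in report["policy_warnings"]:
            print("  warning:", w)
        for v in report["volumes"]:
            status = "ok" if not v["problems"] else "; ".join(v["problems"])
            print(f"  {v['path']} -> {v['mountpoint']}: {status}")
```

Run as-is it prints both reports: under the post's permissive policy the six bind volumes pass and only the bad volume's out-of-home mountpoint is flagged, while the stricter constructed policy additionally refuses the suid option twice (not allowed, and explicitly denied). To preview a real machine, read the two files from /etc/security and the user's home instead of the inline samples and pass the real username.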
I also haven't fully tested this; server not on at login, server failing while logged in, etc., so more to do.