11.10.33 Service PAM de montage

Le module (gnu services pam-mount) fournit un service qui permet de monter des volumes à la connexion de l’utilisateur·rice. Il peut monter n’importe quel format de volume pris en charge par le système.

Variable :pam-mount-service-type

Type de service pour la prise en charge de PAM Mount.

Type de données :pam-mount-configuration

Type de données représentant la configuration de PAM Mount.

Il prend les paramètres suivants :

rules

Les règles de configuration utilisées pour générer /etc/security/pam_mount.conf.xml.

Les règles de configuration sont des éléments SXML (voir SXML dans GNU Guile Reference Manual), et les valeurs par défaut ne montent rien pour personne à la connexion :

`((debug (@ (enable "0")))
  (mntoptions (@ (allow ,(string-join
                          '("nosuid" "nodev" "loop"
                            "encryption" "fsck" "nonempty"
                            "allow_root" "allow_other")
                          ","))))
  (mntoptions (@ (require "nosuid,nodev")))
  (logout (@ (wait "0")
             (hup "0")
             (term "no")
             (kill "no")))
  (mkmountpoint (@ (enable "1")
                   (remove "true"))))

Certains éléments de volume doivent être ajoutés pour automatiquement monter des volumes à la connexion. voici un exemple qui permet à l’utilisatrice alice de monter son répertoire HOME chiffré et permet à l’utilisateur bob de monter la partition où il stocke ses données :

(define pam-mount-rules
`((debug (@ (enable "0")))
            (volume (@ (user "alice")
                       (fstype "crypt")
                       (path "/dev/sda2")
                       (mountpoint "/home/alice")))
            (volume (@ (user "bob")
                       (fstype "auto")
                       (path "/dev/sdb3")
                       (mountpoint "/home/bob/data")
                       (options "defaults,autodefrag,compress")))
            (mntoptions (@ (allow ,(string-join
                                    '("nosuid" "nodev" "loop"
                                      "encryption" "fsck" "nonempty"
                                      "allow_root" "allow_other")
                                    ","))))
            (mntoptions (@ (require "nosuid,nodev")))
            (logout (@ (wait "0")
                       (hup "0")
                       (term "no")
                       (kill "no")))
            (mkmountpoint (@ (enable "1")
                             (remove "true")))))

(service pam-mount-service-type
         (pam-mount-configuration
           (rules pam-mount-rules)))

La liste complète des options disponibles se trouve sur la page de manuel de pam_mount.conf.

PAM Mount Volume Service

PAM mount volumes are automatically mounted at login by the PAM login service according to a set of per-volume rules. Because they are mounted by PAM the password entered during login may be used directly to mount authenticated volumes, such as cifs, using the same credentials.

These volumes will be added in addition to any volumes directly specified in pam-mount-rules.

Here is an example of a rule which will mount a remote CIFS share from //remote-server/share into a sub-directory of /shares named after the user logging in:

(simple-service 'pam-mount-remote-share pam-mount-volume-service-type
                (list (pam-mount-volume
                       (secondary-group "users")
                       (file-system-type "cifs")
                       (server "remote-server")
                       (file-name "share")
                       (mount-point "/shares/%(USER)")
                       (options "nosuid,nodev,seal,cifsacl"))))

Data Type :pam-mount-volume-service-type

Configuration for a single volume to be mounted. Any fields not specified will be omitted from the run-time PAM configuration. See the man page for the default values when unspecified.

user-name (type: maybe-string)

Mount the volume for the given user.

user-id (type: maybe-integer-or-range)

Mount the volume for the user with this ID. This field may also be specified as a pair of (start . end) indicating a range of user IDs for whom to mount the volume.

primary-group (type: maybe-string)

Mount the volume for users with this primary group name.

group-id (type: maybe-integer-or-range)

Mount the volume for the users with this primary group ID. This field may also be specified as a cons cell of (start . end) indicating a range of group ids for whom to mount the volume.

secondary-group (type: maybe-string)

Mount the volume for users who are members of this group as either a primary or secondary group.

file-system-type (type: maybe-string)

The file system type for the volume being mounted (e.g., cifs)

no-mount-as-root? (type: maybe-boolean)

Whether or not to mount the volume with root privileges. This is normally disabled, but may be enabled for mounts of type fuse, or other user-level mounts.

server (type: maybe-string)

The name of the remote server to mount the volume from, when necessary.

file-name (type: maybe-string)

The location of the volume, either local or remote, depending on the file-system-type.

mount-point (type: maybe-string)

Where to mount the volume in the local file-system. This may be set to ~ to indicate the home directory of the user logging in. If this field is omitted then /etc/fstab is consulted for the mount destination.

options (type: maybe-string)

The options to be passed as-is to the underlying mount program.

ssh? (type: maybe-boolean)

Enable this option to pass the login password to SSH for use with mounts involving SSH (e.g., sshfs).

cipher (type: maybe-string)

Cryptsetup cipher name for the volume. To be used with the crypt file-system-type.

file-system-key-cipher (type: maybe-string)

Cipher name used by the target volume.

file-system-key-hash (type: maybe-string)

SSL hash name used by the target volume.

file-system-key-file-name (type: maybe-string)

File name of the file system key for the target volume.