This file is indexed.

/etc/security/pam_mount-stateless-debian-edu.conf is in debian-edu-config 1.702.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
# Turn on if you want to debug why some volume cannot be mounted etc.
# This can be overriden by user's local configuration
# 
# Format: debug [ 1 | 0 ]
# Local user configuration can override this.

debug 1
mkmountpoint 1
# Loopback device to use to run fsck on loopback filesystems.
fsckloop /dev/loop7

# Users' local configuration file (if there is none, comment out this
# parameter). Will be read as ~/<file>
#
# Note: you must include either options_allow or options_deny to use
# this directive. I recommend also including options_require.
#
# Individual users may define additional volumes to mount if allowed
# by pam_mount.conf (usually ~/.pam_mount.conf).  The volume keyword is
# the only valid keyword in these per-user configuration files.  If the
# luserconf parameter is set in pam_mount.conf, allowing user-defined
# volume, then users may mount and unmount any volumes they specify.
# The mount operation is executed under the user account, not with
# root permissions.
# IMPORTANT: right now only smb and ncp mounts work in ~/.pam_mount.conf
# since they do not require root privileges! All other mount types
# have to be in the global configuration file.
# Please only file bugs about this if you can exactly show and prevent
# the security implications of user-specified mount commands.
#
# Format: luserconf <file>
# luserconf .pam_mount.conf

# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive wil be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and all others
# permitted.
#
# You may use the wildcard '*' to match all options.
#
options_allow	nosuid,nodev,loop,encryption
# options_deny	suid,dev
# options_allow	*
# options_deny	*
#
# I recommend not permitting the suid and dev options.

# The options listed in this directive are required for all volumes from a
# user config file. That is, any volume specified in a user config file that
# does not include these options will be ignored.
#
# Note: you must make sure that a required option is permitted (either by
# including it in options_allow, or by not including it in options_deny).
#
# I recommend requiring at least nosuid and nodev.
#
# This is ignored completely if the volume is configured to get its options
# and mount point from /etc/fstab.
#
options_require	nosuid,nodev

# Commands to mount/unmount volumes. They can take parameters, as shown.
#
# If you change the -p0 argument for lclmount, you'll need to modify the
# source in mount.c (it sends the password to the stdin file descriptor
# of the child process -- look for STDIN_FILENO).

lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e\" CIPHER)" "%(before=\"-k\" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
#smbmount /usr/bin/smbmount   //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /bin/mount -nt smb //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /usr/bin/ncpmount   %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
ncpumount /usr/bin/ncpumount %(MNTPT)
# Linux supports lazy unmounting (-l).  May be dangerous for encrypted volumes.
# May also break loopback mounts because loopback devices are not freed.
# Need to unmount mount point not volume to support SMB mounts, etc.
umount   /bin/umount -l %(MNTPT)
# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package).
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o\" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount -n %(SERVER):%(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
# --bind may be a Linuxism.  FIXME: find BSD equivalent.
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
#mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)

# Volumes that will be mounted when user triggers pam_mount module
# (usually at login).
#
# Format:
# volume <user> [smb|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
#
# Note that if the mount command has specified an option, eg %(KEYBITS)
# and you don't specify a value, a warning is printed in the log. The
# warning can usually be ignored, except when the option is mandatory.
#
# General examples:
#
# smb mounts require the "smbfs" Debian package
# smb mounts work also in user-specified config file ~/.pam_mount.conf
# volume user smb krueger public /home/user/krueger - - -
#
# ncp mounts require the "ncpfs" Debian package
# ncp mounts work also in user-specified config file ~/.pam_mount.conf
# volume user ncp krueger public /home/user/krueger user=user.context - -
#
# Linux encrypted home directory examples, using dm_crypt:
#
# crypt mounts require a kernel with CONFIG_BLK_DEV_DM and CONFIG_DM_CRYPT
# enabled as well as all the used ciphers (eg. CONFIG_CRYPTO_AES_586,
# CONFIG_CRYPTO_TWOFISH, etc.)
# crypt mounts require the "cryptsetup" Debian package.
# crypt mounts must be in the global config file /etc/security/pam_mount.conf
# volume user crypt - /dev/sda2 /home/user cipher=aes aes-256-ecb /home/user.key
#
# Linux encrypted home directory examples, using cryptoloop:
#
# cryptoloop mounts require a kernel with CONFIG_BLK_DEV_CRYPTOLOOP enabled
# cryptoloop mounts must be in the global config file
#  /etc/security/pam_mount.conf
# volume user local - /dev/hda123 /home/user loop,encryption=aes - -
# volume user local - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - -
# volume user local - /home/user.img - - - -
# volume user local - /home/user.img - - aes-256-ecb /home/user4.key
#
# The last two examples need a line like the following in
# /etc/fstab:
#
# /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0
#
# OpenBSD encrypted home directory example (see also lclmount above):
# volume user local - /home/user.img /home/user svnd0 - -
#
# Volatile tmpfs mount with restricted size
# (thanks to Mike Hommey for this example)
#
# volume test local - /tmpfs/test /home/test "size=10M,uid=test,gid=users,mode=0700 -t tmpfs" - -
#
# Details:
# Local user configuration (~/.pam_mount.conf) can extend this.
#
# If there are no servers, mount options, fs key ciphers, etc. you must
# supply a "-"
#
# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
# to learn how to create a encrypted loopback filesystem.
#
# If the volume's password is different than the user's login password,
# the following technique may be used (see also README):
#
# 1.  Create a file containing the volume's password (FS key).  If you are
#     using pam_mount to mount an loopback encrypted volume, this password
#     should may generated by /dev/urandom.  
#
#     Simple example: 
#     echo <volume password> | openssl enc -aes-256-ecb > /home/user.key
#     Encrypt this file using the user's login password as the key.
#
#     Verbose loopback encrypted volume example:
#     a.  dd if=/dev/urandom of=/home/user.img bs=1M count=<image size in MB>
#     b.  dd if=/dev/urandom bs=1c count=<keysize / 8> | openssl enc \
#         -<fs key cipher> > /home/user.key
#         Encrypt this file using the user's login password as the key.
#     c.  openssl enc -d -<fs key cipher> -in /home/user.key | losetup -e aes \
#         -k <keysize> -p0 /dev/loop0 /home/user.img
#     d.  mkfs -t ext2 /dev/loop0
#     e.  umount /dev/loop0
#     f.  losetup -d /dev/loop0
#
# 3.  In pam_mount.conf:
#	a.  Set the fs key cipher variable to the cipher used (ie: aes-256-ecb).
#	b.  Set the fs key path variable to the key's path (ie: /home/user.key)
# 4.  If a user changes his login password, regenerate the efsk that 
#     was created in step 1b.  A script named passwdehd is provided to do this.
#
# If fs_key_cipher is -, then the user's login password is also the volume's 
# password.

# Template (or wildcard) volumes
#
# If user is "*", "&" will be replaced by name of the user logging on in the
# volume, mount point, mount options and fs key path fields.  "~/*" will be
# replaced with "<user's homedir>/*."
#
# volume * smb krueger &     /home/&         uid=&,gid=&,dmask=0750 - -
# volume * smb krueger homes /home/&/remote  - - -
# volume * local - /home/&.img - - aes-256-ecb /etc/ehd/&

# Windows 2000, which requires a domain specified, example (thanks John Knox):
# volume * smb viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -

# An NCP example:
# volume user ncp SERVER /USERS/Department/user /home/user user=user.full.context,uid=user,gid=user,symlinks - -
volume * nfs tjener /skole/tjener/home0 /skole/tjener/home0 nolock - - 
# volume * smb tjener shared /skole/tjener/shared - - -