From 3429ffa48fe517a9d47d7f698a17822044a33694 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?=
Date: Mon, 11 May 2026 11:07:01 +0200
Subject: [PATCH] kwallet: unmount bind mount cleanly on session logout

Switch kwalletd6-logon from --scope to a transient service with RemainAfterExit=yes (kwalletd6 forks to background, so the service must stay active after the main process exits). ExecStop runs 'sudo umount -l' to detach the wallet bind mount before gocryptfs unmounts ~/data (Before=gocryptfs-home.service ordering). install.sh adds a per-user sudoers drop-in so the user service can call umount as root without a password.
Co-Authored-By: Claude Sonnet 4.6
---
 client_software/0010_kwallet/install.sh | 8 ++++++++
 client_software/0010_kwallet/user_run.sh | 7 ++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/client_software/0010_kwallet/install.sh b/client_software/0010_kwallet/install.sh
index 0e6bb42..0c7f78e 100755
--- a/client_software/0010_kwallet/install.sh
+++ b/client_software/0010_kwallet/install.sh
@@ -125,4 +125,12 @@ if [[ $? -ne 0 ]]; then
 exit 1
 fi
 echo "Done setting up kwallet from secure user folder."
+
+# Sudoers rule so kwalletd6-logon.service ExecStop can unmount the bind mount (needs root)
+# Filename must not contain '.' or end in '~' or sudo ignores it
+_SUDOUSER_SAFE=$(printf '%s' "${SUDO_USER}" | tr -dc 'a-zA-Z0-9_-')
+printf '%s ALL=(root) NOPASSWD: /usr/bin/umount -l %s\n' "${SUDO_USER}" "${WALLETPATH_CFG}" \
+ > "/etc/sudoers.d/kwallet-umount-${_SUDOUSER_SAFE}"
+chmod 440 "/etc/sudoers.d/kwallet-umount-${_SUDOUSER_SAFE}"
+
 exit 0
diff --git a/client_software/0010_kwallet/user_run.sh b/client_software/0010_kwallet/user_run.sh
index 0cc2ede..47886f1 100755
--- a/client_software/0010_kwallet/user_run.sh
+++ b/client_software/0010_kwallet/user_run.sh
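Review bot: The drop-in is written straight into /etc/sudoers.d from raw `${SUDO_USER}` and `${WALLETPATH_CFG}` and is never syntax-checked, so an empty SUDO_USER (script started as root without sudo) or a path containing characters that are special in sudoers would leave a malformed or wider-than-intended rule in place; only the filename is sanitised. Build the rule in a temporary file, check it with `visudo -cf`, and install it with mode 0440 only when the check passes, as sketched below. The rule also authorises by argument string while the target directory sits under the user's own home, so consider a root-owned helper that confirms the path is the expected bind mount before unmounting. Whether SUDO_USER and WALLETPATH_CFG are validated earlier in install.sh is not visible from this hunk.

```shell
# … unchanged: the two comment lines above the rule …
if [[ -z "${SUDO_USER:-}" ]]; then
    echo "SUDO_USER is not set; run install.sh via sudo." >&2
    exit 1
fi
_SUDOUSER_SAFE=$(printf '%s' "${SUDO_USER}" | tr -dc 'a-zA-Z0-9_-')
_SUDOERS_TMP=$(mktemp) || exit 1
printf '%s ALL=(root) NOPASSWD: /usr/bin/umount -l %s\n' "${SUDO_USER}" "${WALLETPATH_CFG}" \
    > "${_SUDOERS_TMP}"
# Refuse to install a rule that sudo itself cannot parse.
if ! visudo -cf "${_SUDOERS_TMP}"; then
    rm -f -- "${_SUDOERS_TMP}"
    exit 1
fi
install -o root -g root -m 0440 "${_SUDOERS_TMP}" \
    "/etc/sudoers.d/kwallet-umount-${_SUDOUSER_SAFE}"
rm -f -- "${_SUDOERS_TMP}"
```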
@@ -18,7 +18,12 @@ if [[ -z $(wmctrl -m | grep "KWin") ]]; then
 fi
 #Restart the service
-systemd-run --user --scope --unit=kwalletd6-logon kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
+WALLETPATH_CFG="${HOME}/.local/share/kwalletd"
+systemd-run --user --unit=kwalletd6-logon \
+ --property=RemainAfterExit=yes \
+ --property=Before=gocryptfs-home.service \
+ --property="ExecStop=/usr/bin/sudo /usr/bin/umount -l ${WALLETPATH_CFG}" \
+ kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
 sleep 1
 #Check if kwalletd is enabled now
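Review bot: `--property=Before=gocryptfs-home.service` gives the opposite stop order from the one the commit message describes: systemd stops ordered units in the reverse of their start order, so a unit declared `Before=` another is stopped after it, and the ExecStop umount would run only once gocryptfs-home.service has already been stopped. For the bind mount to be detached first the line should read `--property=After=gocryptfs-home.service \` (assuming gocryptfs-home.service is a unit of the same user manager, which this hunk does not show). If the order stays as it is, the wallet bind mount can keep ~/data busy at logout and the decrypted view may stay mounted longer than intended. Passing `-n` to sudo in ExecStop, `/usr/bin/sudo -n /usr/bin/umount -l ${WALLETPATH_CFG}`, would also make a mismatch with the sudoers rule fail immediately instead of waiting for a password prompt.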