Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 600216

Summary: gnome-base/gnome-keyring: root instance of gnome-keyring-daemon spawned on every x11-misc/lightdm start attempt
Product: Gentoo Linux Reporter: Michał Górny <mgorny>
Component: Current packagesAssignee: Gentoo Linux Gnome Desktop Team <gnome>
Status: CONFIRMED ---    
Severity: normal CC: alexander, hwoarang, polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Package list:
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-11-19 07:03:42 UTC
I've just had X11 failing to start and noticed that each attempt of starting lightdm resulted in a new gnome-keyring-daemon instance being started for root. Looks like pam_gnome_keyring is at fault here.

While failing X11 is a corner case and normally people won't have ton of gnome-keyring-daemons started, I don't see why it would need to start this daemon for root when starting a login manager.

Also, it should probably be capable of cleaning up after itself. I think the session end goes through PAM anyway, doesn't it?
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-11-19 07:05:55 UTC
                        Package Settings

gnome-base/gnome-keyring-3.20.0::gentoo was built with the following:
USE="caps filecaps pam ssh-agent (-selinux) -test" ABI_X86="64"

x11-misc/lightdm-1.21.0::gentoo was built with the following:
USE="gnome gtk introspection -audit -kde -qt4 -qt5" ABI_X86="64"
Comment 2 Pacho Ramos gentoo-dev 2016-11-30 11:47:29 UTC
Maybe it is a dupe of bug 516848... and maybe this could be checked:
Comment 3 Pacho Ramos gentoo-dev 2018-09-23 16:48:02 UTC
please retry with pambase-20150213-r2
Comment 4 Alexander Tsoy 2018-09-25 15:12:40 UTC
(In reply to Pacho Ramos from comment #3)
> please retry with pambase-20150213-r2
It doesn't fix the root issue IMHO. lightdm ebuild shouldn't replace pam.d/lightdm-greeter. I don't see the point in including system-local-login in it.
Comment 5 Alexander Tsoy 2018-09-25 15:23:24 UTC
Lars, what do you think? pam.d/lightdm-greeter is only used by the greeter process, so it shouldn't include system-local-login. ebuild should just install upstream-provided config.

I see that fedora do the same:
Comment 6 Lars Wendler (Polynomial-C) gentoo-dev 2018-09-26 08:53:59 UTC
Well, if this doesn't break my yubikey integration (which I need to test) I will merge it.
Comment 7 Lars Wendler (Polynomial-C) gentoo-dev 2018-09-27 07:43:19 UTC
Unfortunately your PR breaks yubikey integration (which I added into system-local-login). Any chance we can fix this but still keeping system-local-login in pam.d/lightdm-greeter?
Comment 8 Larry the Git Cow gentoo-dev 2018-09-27 08:11:48 UTC
The bug has been closed via the following commit(s):

commit 39b530b86790bb5d4a909118be9457be22cf7ad3
Author:     Alexander Tsoy <>
AuthorDate: 2018-09-25 16:09:46 +0000
Commit:     Lars Wendler <>
CommitDate: 2018-09-27 07:41:13 +0000

    x11-misc/lightdm: use upstream lightdm-greeter pam config
    This pam configuration file is only used by the greeter process.
    Therefore is should't include system-local-login.
    Package-Manager: Portage-2.3.49, Repoman-2.3.10
    Signed-off-by: Alexander Tsoy <>

 .../lightdm/files/lightdm-1.28.0-pam-greeter.patch |  10 ++
 x11-misc/lightdm/lightdm-1.28.0-r1.ebuild          | 144 +++++++++++++++++++++
 2 files changed, 154 insertions(+)
Comment 9 Lars Wendler (Polynomial-C) gentoo-dev 2018-09-27 08:13:37 UTC
commit a53723eb13bfa401e1b48c0041518bafd25b96dd (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <>
Date:   Thu Sep 27 10:12:44 2018

    Revert "x11-misc/lightdm: use upstream lightdm-greeter pam config"
    This reverts commit 39b530b86790bb5d4a909118be9457be22cf7ad3.
    which was accidentally added.

Sorry for this...
Comment 10 Alexander Tsoy 2018-09-27 09:02:19 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #7)
> Unfortunately your PR breaks yubikey integration (which I added into
> system-local-login). Any chance we can fix this but still keeping
> system-local-login in pam.d/lightdm-greeter?
This particular bug is already fixed in pambase-20150213-r2. But I still think pam.d/lightdm-greeter shouldn't include system-local-login in the first place. IIUC the purpose of this pam config is to grant the user running lightdm-greeter GUI (if it is running as non-root user) permissions to reboot, shutdown, etc. The actual user logins should not be affected by this change.
Comment 11 Lars Wendler (Polynomial-C) gentoo-dev 2018-09-27 09:10:10 UTC
I can re-test this once again but what can we do here if it affects yubikey integration via system-local-login?