
Bug 652194

Summary: sys-auth/pambase - rework gnome-keyring support
Product: Gentoo Linux
Reporter: Alexander Tsoy <alexander>
Component: Current packages
Assignee: PAM Gentoo Team (OBSOLETE) <pam-bugs+disabled>
Severity: normal
CC: gnome, leho, poncho
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also:
Package list:
Runtime testing required: ---
Attachments: pambase-20150213-gnome-keyring.patch

Description Alexander Tsoy 2018-04-02 10:31:03 UTC
Created attachment 526312 [details, diff]

pambase[gnome-keyring] is broken in multiple ways:

1. gnome-keyring has for years supported only one instance per user. See [1]. The socket has a fixed location. Each new instance rewrites the socket and makes instances launched in previously opened sessions unusable. For example, if you open a GUI session first and then log in via ssh, then gnome-keyring in the GUI session will stop working.
2. pambase[gnome-keyring] prevents unlocking of the login keyring in gnome-keyring-3.28 when the GUI session is started via gdm. See [2] (Thanks to Poncho for pointing this out). This is presumably because both the gdm and pambase pam configs include pam_gnome_keyring entries.
3. ssh sessions spawn gnome-keyring processes that do not get stopped automatically on logout.
4. Changing the user password doesn't change the login keyring password.

Thus gnome-keyring should be started from the GUI sessions only and I'm suggesting the following changes to pambase (see attached patch):
- remove gnome-keyring "auth" and "session" entries from pambase;
- move "password" entry from pam.d/system-login to pam.d/passwd.

It may also be a good idea to start adding gnome-keyring support to other login managers (other than gdm). An example for lightdm: [3].
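
The layout problems listed in the description above can be checked mechanically on a pam.d directory. The script below is an added example, not part of the original report or of pambase; treating "system-*" files as the shared stacks, and the contents of the sample files, are assumptions.

```shell
#!/bin/sh
# Added example: audit a pam.d directory for the pam_gnome_keyring layout
# problems listed in the report. Treating "system-*" files as the shared
# stacks that ssh and console logins go through is an assumption.

# Print "file type" for every active (uncommented) pam_gnome_keyring.so line.
keyring_entries() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # PAM allows a leading '-' on the type field; strip it before reporting.
        awk -v name="${f##*/}" '
            $1 ~ /^#/ { next }
            /pam_gnome_keyring\.so/ { t = $1; sub(/^-/, "", t); print name, t }
        ' "$f"
    done
}

# Print one line per entry; return the number of flagged entries.
audit_keyring_pam() {
    findings=0
    while read -r file type; do
        [ -n "$file" ] || continue
        case "${file}:${type}" in
            system-*:auth|system-*:session)
                echo "FLAG ${file}: ${type} entry in shared stack, runs for non-GUI logins too"
                findings=$((findings + 1)) ;;
            system-*:password)
                echo "FLAG ${file}: password entry here; the report moves it to passwd"
                findings=$((findings + 1)) ;;
            *)  echo "ok   ${file}: ${type}" ;;
        esac
    done <<EOF
$(keyring_entries "$1")
EOF
    return "$findings"
}

# Constructed sample layout (not the real pambase or gdm files).
make_sample() {
    printf '%s\n' '-auth optional pam_gnome_keyring.so' \
        'password optional pam_gnome_keyring.so' \
        'session optional pam_gnome_keyring.so auto_start' > "$1/system-login"
    printf '%s\n' 'auth optional pam_gnome_keyring.so' \
        'session optional pam_gnome_keyring.so auto_start' > "$1/gdm-password"
    printf '%s\n' '# password optional pam_gnome_keyring.so' \
        'password include system-auth' > "$1/passwd"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_keyring_pam "$demo" || echo "$? flagged entries"
rm -rf "$demo"
```

Run against a real system with audit_keyring_pam /etc/pam.d; entries in display-manager files such as gdm's are reported as ok, matching the report's position that the keyring should be started from GUI sessions only.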

Comment 1 Alexander Tsoy 2018-04-02 10:34:28 UTC
Created attachment 526314 [details, diff]
Comment 2 Leho Kraav (:macmaN @lkraav) 2018-07-18 07:44:44 UTC
Thanks for the investigation work.

Who needs to approve what to get to the next step here?

Would be nice to maybe have a masked ebuild in the tree or overlay for easier testing on a wider surface?
Comment 3 Pavel 2018-07-25 12:27:18 UTC
I'm very supportive of this undertaking. Every few months there is a bug like: "pam change A,B and C break gnome-keyring"

What if we make another PAM config called, say, "xsession_session" and shove all gnome/systemd specific PAM configs there? This way, desktop manager maintainers don't have to think about the specific polkit/consolekit/systemd/elogind setup a user has.
Comment 4 Pacho Ramos gentoo-dev 2018-09-23 16:46:40 UTC
[master fadc9f49e11f] sys-auth/pambase: Fix gnome-keyring (#652194 by Alexander Tsoy)
 1 file changed, 106 insertions(+)
 create mode 100644 sys-auth/pambase/pambase-20150213-r2.ebuild
Comment 5 cyrillic 2018-09-23 19:21:21 UTC
(In reply to Pacho Ramos from comment #4)

>  1 file changed, 106 insertions(+)

It would be good to upload the patch also :)
Comment 6 Pacho Ramos gentoo-dev 2018-09-23 19:34:52 UTC
oh yes :S
[master 669c574f742d] sys-auth/pambase: Commit forgotten patch
 1 file changed, 48 insertions(+)
 create mode 100644 sys-auth/pambase/files/pambase-20150213-gnome-keyring.patch