Bug 652194 - sys-auth/pambase - rework gnome-keyring support
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: PAM Gentoo Team (OBSOLETE)
Reported: 2018-04-02 10:31 UTC by Alexander Tsoy
Modified: 2018-09-23 19:34 UTC

Attachments
pambase-20150213-gnome-keyring.patch (1.33 KB, patch)
2018-04-02 10:31 UTC, Alexander Tsoy
pambase-20150213-r1.ebuild.patch (1.38 KB, patch)
2018-04-02 10:34 UTC, Alexander Tsoy

Description Alexander Tsoy 2018-04-02 10:31:03 UTC
Created attachment 526312
pambase-20150213-gnome-keyring.patch

pambase[gnome-keyring] is broken in multiple ways:

1. gnome-keyring has for years supported only one instance per user. See [1]. The socket has a fixed location. Each new instance rewrites the socket and makes instances launched in previously opened sessions unusable. For example, if you open a GUI session first and then log in via ssh, then gnome-keyring in the GUI session will stop working.
2. pambase[gnome-keyring] prevents unlocking of the login keyring in gnome-keyring-3.28 when the GUI session is started via gdm. See [2] (Thanks to Poncho for pointing this out). This is presumably due to both gdm and pambase pam configs including pam_gnome_keyring entries.
3. ssh sessions spawn gnome-keyring processes that do not get stopped automatically on logout.
4. Changing the user password doesn't change the login keyring password.

Thus gnome-keyring should be started from the GUI sessions only and I'm suggesting the following changes to pambase (see attached patch):
- remove gnome-keyring "auth" and "session" entries from pambase;
- move "password" entry from pam.d/system-login to pam.d/passwd.

It may also be a good idea to start adding gnome-keyring support to other login managers (other than gdm). An example for lightdm: [3].

[1] https://git.gnome.org/browse/gnome-keyring/commit/?id=275a696131e41ea4be3d3ddf6690b8bcd0fe0105
[2] https://git.gnome.org/browse/gnome-keyring/commit/?h=gnome-3-28&id=9db67ef6e39ac51d426dee91da3b9305670241e6
[3] https://src.fedoraproject.org/rpms/lightdm/blob/master/f/lightdm.pam
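
The overlap described in point 2 (a login manager's PAM file and a shared file it includes both carrying pam_gnome_keyring entries) and the ssh case in point 3 can be audited by expanding each service's stack. The following is an added example, not part of the original report or of pambase: the function names and the sample tree are constructed for illustration, and line continuations are not handled.

```python
import tempfile
from collections import defaultdict
from pathlib import Path

def stack(pam_dir, service, seen=()):
    """Yield (type, module, source_file) for a service, following include/substack."""
    path = Path(pam_dir) / service
    if service in seen or not path.is_file():      # include-loop guard / missing file
        return
    for raw in path.read_text().splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) < 3:
            continue
        ptype = f[0].lstrip("-")                   # leading "-" only silences a missing-module log
        if f[1] in ("include", "substack"):        # pulls in only lines of the same type
            yield from (e for e in stack(pam_dir, f[2], seen + (service,)) if e[0] == ptype)
            continue
        i = 1
        while f[1].startswith("[") and not f[i].endswith("]") and i < len(f) - 2:
            i += 1                                 # skip a multi-word [value=action ...] control
        yield ptype, Path(f[i + 1]).name, service

def keyring_sources(pam_dir, service, module="pam_gnome_keyring.so"):
    """Map each PAM type to the files that contribute an entry for `module`."""
    found = defaultdict(list)
    for ptype, mod, src in stack(pam_dir, service):
        if mod == module:
            found[ptype].append(src)
    return dict(found)

# Constructed sample tree (not the real pambase or gdm files).
SAMPLE = {
    "system-login": "auth optional pam_gnome_keyring.so\npassword optional pam_gnome_keyring.so\n"
                    "session optional pam_gnome_keyring.so auto_start\n",
    "gdm-password": "auth optional pam_gnome_keyring.so\nauth include system-login\n"
                    "session include system-login\nsession optional pam_gnome_keyring.so auto_start\n",
    "sshd": "auth include system-login\nsession include system-login\n",
}

def build_sample():
    root = Path(tempfile.mkdtemp())
    for name, body in SAMPLE.items():
        (root / name).write_text(body)
    return root

if __name__ == "__main__":
    root = build_sample()
    print({s: keyring_sources(root, s) for s in ("gdm-password", "sshd")})
```

A type listed with two source files is a duplicated entry; any entry reported for a non-GUI service such as sshd means that service starts or unlocks the keyring. On a live system, pass `/etc/pam.d` as `pam_dir`.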
Comment 1 Alexander Tsoy 2018-04-02 10:34:28 UTC
Created attachment 526314
pambase-20150213-r1.ebuild.patch
Comment 2 Leho Kraav (:macmaN @lkraav) 2018-07-18 07:44:44 UTC
Thanks for the investigation work.

Who needs to approve what to get to the next step here?

Would be nice to maybe have a masked ebuild in the tree or overlay for easier testing on a wider surface?
Comment 3 Pavel 2018-07-25 12:27:18 UTC
I'm very supportive of this undertaking. Every few months there is a bug like: "pam change A,B and C break gnome-keyring"

What if we make another PAM config called, say, "xsession_session" and shove all gnome/systemd specific PAM configs there? This way, desktop manager maintainers don't have to think anything about the specific polkit/consolekit/systemd/elogind setup a user has.
Comment 4 Pacho Ramos gentoo-dev 2018-09-23 16:46:40 UTC
[master fadc9f49e11f] sys-auth/pambase: Fix gnome-keyring (#652194 by Alexander Tsoy)
 1 file changed, 106 insertions(+)
 create mode 100644 sys-auth/pambase/pambase-20150213-r2.ebuild
Comment 5 cyrillic 2018-09-23 19:21:21 UTC
(In reply to Pacho Ramos from comment #4)

>  1 file changed, 106 insertions(+)


It would be good to upload the patch also :)
Comment 6 Pacho Ramos gentoo-dev 2018-09-23 19:34:52 UTC
oh yes :S
[master 669c574f742d] sys-auth/pambase: Commit forgotten patch
 1 file changed, 48 insertions(+)
 create mode 100644 sys-auth/pambase/files/pambase-20150213-gnome-keyring.patch