Re: gnome-keyring running daemon without capabilities



On 16.07.2013 14:39, Peter Volkov wrote:
> Hi! Is it possible to run the daemon without HAVE_LIBCAPNG?
>
> I've tried to run the daemon without libcap-ng, having gkd as a suid binary,
> but neither ssh keys were found in my ssh-agent cache nor pgp keys were
> available. Also I saw
>
> WARNING: gnome-keyring:: couldn't connect to PKCS11
>
> on every attempt to start another gkd instance. I've tried to debug and
> found that on startup it created .cache/keyring-... files with the
> following permissions:
>
> drwx------ 2 root  peter 4096 июл 15 14:46 .cache/keyring-vNdpJF
>
> and my guess is that this is the reason for this failure,
> since .cache/keyring-vNdpJF/control is inaccessible for my user (peter)
> due to permissions. In any case, once I rebuilt with libcap-ng enabled,
> everything works.
>
> But now I'm trying to understand:
> 1. Is it a bug, or is gkd not supposed to run without libcap-ng? Looking at
> the code, changing uid is supported only through capng_change_id(), and
> thus I don't see how it is supposed to run without this function?

Looks like a bug dropping the permissions. Could you file one in bugzilla?

> 2. Why does every new invocation of gkd start a new process? It could just
> print the variables of the "session" gkd and exit.

Please use 'gnome-keyring-daemon --start' for that.

Cheers,

Stef
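
Added example (not gnome-keyring's code, and not written by either poster): one way a setuid-root program can drop to the invoking user without libcap-ng, using only POSIX setgid()/setuid(), and then confirm that a directory it creates belongs to that user rather than root, which is the symptom reported above. The function names and the keyring-demo directory are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop setuid-root privileges to the real (invoking) ids.
 * Returns 0 on success, -1 if the process may still hold extra privilege. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped the gid can no longer be changed.
     * With euid 0, setgid()/setuid() set the real, effective and saved ids. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the result instead of trusting return codes alone. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* An unprivileged caller must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* 1 if path is a directory owned by uid with mode exactly 0700,
 * 0 if it is anything else, -1 if it cannot be examined. */
int is_private_dir_of(const char *path, uid_t uid)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;
    return S_ISDIR(st.st_mode) && st.st_uid == uid && (st.st_mode & 0777) == 0700;
}

int main(void)
{
    const char *dir = "keyring-demo";   /* constructed name, not a real gkd path */

    if (drop_to_real_ids() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return 1;
    printf("%s private to uid %ld: %d\n", dir, (long)getuid(), is_private_dir_of(dir, getuid()));
    rmdir(dir);
    return 0;
}
```

Creating per-user directories only after the drop has been verified is what keeps them from ending up owned by root.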


