Stef <stef memberwebs com> writes:

> David Smith wrote:
>> Stef <stef memberwebs com> writes:
>>
>>> David Smith wrote:
>>>> For implementing PKCS#11 support in the network manager gnome applet
>>>> using gnome keyring as the backing store, it's necessary to tell
>>>> wpasupplicant the environment variable of GNOME_KEYRING_SOCKET before
>>>> loading the gnome keyring PKCS#11 library. This socket will be protected
>>>> to the local user, but since wpasupplicant must run as root, it should
>>>> be able to access it and indeed it must.
>>> Not sure how we plan to address this. gnome-keyring doesn't currently
>>> support access by root to its sockets.
>>
>> Hmm, then this is a critical problem.
>
> Sadly this would be a difficult thing for gnome-keyring to change
> throughout all the code. It currently verifies the uid equals the
> current uid in many places throughout the code.

If it's a matter of just fixing the code, then that seems easier than
finding a way to get wpasupplicant to be able to run as the current
user. I think we have to make it so that the PKCS#11 module allows a
user's keyring to be harnessed by supplicants running as a different
user, as long as the user grants the supplicant sufficient access.

- dds