[Bug 755603] New: The gnome keyring socket is not owned with the same credentials as the user login

https://bugzilla.novell.com/show_bug.cgi?id=755603
https://bugzilla.novell.com/show_bug.cgi?id=755603#c0

           Summary: The gnome keyring socket is not owned with the same credentials as the user login
    Classification: openSUSE
           Product: openSUSE 12.2
           Version: Factory
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: GNOME
        AssignedTo: bnc-team-gnome@forge.provo.novell.com
        ReportedBy: mvyskocil@suse.com
         QAContact: qa-bugs@suse.de
                CC: vuntz@suse.com, vcizek@suse.com
          Found By: Development
           Blocker: ---

Created an attachment (id=484752)
 --> (http://bugzilla.novell.com/attachment.cgi?id=484752)
copy the credential checking code from git.gnome.org

Running a command via sudo fills my log with errors as they appear in $SUBJECT

$ sudo ls
Password: xxxx

and then the log contains the following

Apr 4 10:20:01 zelva sudo: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/mvyskocil/keyring-5MIqXs/control
Apr 4 10:20:01 zelva sudo: gkr-pam: couldn't unlock the login keyring.
Apr 4 10:20:01 zelva sudo: mvyskocil : TTY=pts/5 ; PWD=/home/mvyskocil ; USER=root ; COMMAND=/usr/bin/ls
Apr 4 10:20:01 zelva systemd[1]: Got D-Bus request: org.freedesktop.DBus.NameOwnerChanged() on /org/freedesktop/DBus

However that's not true

$ echo $GNOME_KEYRING_CONTROL
/run/user/mvyskocil/keyring-5MIqXs

$ ls -n $GNOME_KEYRING_CONTROL/*
srwxr-xr-x 1 10112 100 0 4. dub 09.33 /run/user/mvyskocil/keyring-5MIqXs/control
srwxr-xr-x 1 10112 100 0 4. dub 09.33 /run/user/mvyskocil/keyring-5MIqXs/gpg
srwxr-xr-x 1 10112 100 0 4. dub 09.33 /run/user/mvyskocil/keyring-5MIqXs/pkcs11
srwxr-xr-x 1 10112 100 0 4. dub 09.33 /run/user/mvyskocil/keyring-5MIqXs/ssh

$ id
uid=10112(mvyskocil) gid=100(users) groups=100(users),10(wheel),33(video),41(xok),113(vboxusers),404(lighttpd),1194(vpn)

$ id -u
10112
$ id -ru
10112

so 10112 is my *real* id and the keyring sockets are really owned by this id.

$ cat /proc/$GNOME_KEYRING_PID/loginuid
10112

and even the process runs with the same uid, so there is really **no** surprise in my configuration.

I did a bit more and copied part of gnome-keyring-daemon, however even getsockopt returns the id 10112, like getuid does.

$ ./creds
uid=10112, geteuid()=10112

I would say the best way to debug would be to patch gnome-keyring-daemon and print the values of uid and getuid on error, but I haven't had time to do that yet.

BTW: as google returns mostly suse related things for $SUBJ, I suspect some misconfiguration in our pam stack.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=755603#c1

--- Comment #1 from Vincent Untz <vuntz@suse.com> 2012-04-04 08:52:44 UTC ---

The issue is that the GNOME_KEYRING_CONTROL environment variable is set, and when the pam modules are run because of opening a session, the pam_gnome_keyring module sees it and therefore tries to unlock the keyring.

But since it's set for your user, but it's trying to unlock it for root (because you run sudo, so we open a session for root), it fails.

https://bugzilla.novell.com/show_bug.cgi?id=755603#c2

--- Comment #2 from Vincent Untz <vuntz@suse.com> 2012-04-04 08:57:38 UTC ---

(Hrm, it might be during pam auth, not during pam session: the keyring can be unlocked at both times)
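
The mismatch explained in comment #1, as an added C example (not part of the bug thread and not gnome-keyring's code): it assumes the PAM module compares the owner of the control socket with the uid of the account PAM is acting for. `check_socket_owner` and `demo_check` are hypothetical names, and the socket is a constructed one under /tmp.

```c
#define _DEFAULT_SOURCE 1   /* for lstat, mkdtemp, S_ISSOCK */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

enum owner_result { OWNER_OK, OWNER_MISMATCH, NOT_A_SOCKET, CHECK_ERROR };

/* Compare the owner of the control socket with the uid of the account
 * PAM is acting for (hypothetical helper; assumed shape of the check). */
enum owner_result check_socket_owner(const char *path, uid_t target_uid)
{
    struct stat st;
    if (lstat(path, &st) < 0)          /* lstat: do not follow symlinks */
        return CHECK_ERROR;
    if (!S_ISSOCK(st.st_mode))
        return NOT_A_SOCKET;
    return st.st_uid == target_uid ? OWNER_OK : OWNER_MISMATCH;
}

/* Bind a throwaway "control" socket in a private temp dir (constructed
 * sample), run the check against target_uid, then clean up. */
enum owner_result demo_check(uid_t target_uid)
{
    char dir[] = "/tmp/keyring-demo-XXXXXX";
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    enum owner_result res = CHECK_ERROR;
    int fd;
    if (mkdtemp(dir) == NULL)
        return CHECK_ERROR;
    snprintf(addr.sun_path, sizeof addr.sun_path, "%s/control", dir);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&addr, sizeof addr) == 0)
        res = check_socket_owner(addr.sun_path, target_uid);
    if (fd >= 0)
        close(fd);
    unlink(addr.sun_path);
    rmdir(dir);
    return res;
}

int main(void)
{
    /* 0 = owner matches (desktop login); 1 = other account (sudo/su case). */
    printf("%d %d\n", demo_check(geteuid()), demo_check(geteuid() + 1));
    return 0;
}
```

The second call stands in for sudo: the socket still belongs to the invoking user while the target account is a different uid, so the check reports a mismatch even though the socket's ownership is correct.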

https://bugzilla.novell.com/show_bug.cgi?id=755603#c3

Vincent Untz <vuntz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gber@opensuse.org

--- Comment #3 from Vincent Untz <vuntz@suse.com> 2012-04-04 09:06:46 UTC ---

Changing /etc/pam.d/common-auth to have:

  auth optional pam_gnome_keyring.so only_if=gdm,gdm-password,lxdm,lightdm

instead of just:

  auth optional pam_gnome_keyring.so

removes the warning.

However, this breaks the use case where we want the keyring to be unlocked when unlocking the screensaver. So we need to at least add gnome-screensaver to the only_if. I don't know what services are used to authenticate when unlocking a screensaver on xfce and lxde. Guido, do you know?

https://bugzilla.novell.com/show_bug.cgi?id=755603#c4

--- Comment #4 from Guido Berhörster <gber@opensuse.org> 2012-04-04 09:29:01 UTC ---

(In reply to comment #3)
> unlocking the screensaver. So we need to at least add gnome-screensaver to the
> only_if. I don't know what services are used to authenticate when unlocking a
> screensaver on xfce and lxde. Guido, do you know?

Xfce/LXDE use xscreensaver by default whose pam service name is also "xscreensaver".

https://bugzilla.novell.com/show_bug.cgi?id=755603#c5

Vincent Untz <vuntz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |mc@suse.com

--- Comment #5 from Vincent Untz <vuntz@suse.com> 2012-04-04 10:13:20 UTC ---

Hrm, I'm unsure it's possible to make pam-config understand different options for auth and session :/

Michael, any hint on this? I'd like pam-config to output:

  session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
  auth optional pam_gnome_keyring.so only_if=gdm,gdm-password,lxdm,lightdm,gnome-screensaver,xscreensaver

Our current pam-config call is:

  pam-config -a --gnome_keyring --gnome_keyring-auto_start --gnome_keyring-only_if=gdm,gdm-password,lxdm,lightdm

It's important to note that we don't want auto_start in auth. It's probably okay if the only_if option has the same values in session and auth, though.

https://bugzilla.novell.com/show_bug.cgi?id=755603#c6

Michael Calmer <mc@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       InfoProvider|mc@suse.com                 |kukuk@suse.com

--- Comment #6 from Michael Calmer <mc@suse.com> 2012-04-25 08:55:15 UTC ---

pam-config maintainer is Thorsten. Better ask him.

https://bugzilla.novell.com/show_bug.cgi?id=755603#c7

Thorsten Kukuk <kukuk@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|kukuk@suse.com              |

--- Comment #7 from Thorsten Kukuk <kukuk@suse.com> 2012-04-26 16:35:54 UTC ---

Should be possible, somebody needs to look at the code and provide a patch.

https://bugzilla.novell.com/show_bug.cgi?id=755603#c8

Joe Fidler <joefidler@yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joefidler@yahoo.com

--- Comment #8 from Joe Fidler <joefidler@yahoo.com> 2012-04-29 22:47:38 UTC ---

I am seeing same error as described above in my logs - bit scary when you first notice it.

https://bugzilla.novell.com/show_bug.cgi?id=755603#c9

Dominique Leuenberger <dimstar@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 CC|                            |dimstar@opensuse.org
       InfoProvider|                            |kukuk@suse.com

--- Comment #9 from Dominique Leuenberger <dimstar@opensuse.org> 2012-06-20 20:46:52 UTC ---

Thorsten,

Do you have any hints / pointers you can give to implement this? I'm assuming you won't have resources anytime soon, then it would be good to at least guide some willing volunteer on opensuse-factory on what needs to be done.

https://bugzilla.novell.com/show_bug.cgi?id=755603#c10

Thorsten Kukuk <kukuk@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|kukuk@suse.com              |

--- Comment #10 from Thorsten Kukuk <kukuk@suse.com> 2012-06-21 10:00:43 UTC ---

(In reply to comment #9)
> Thorsten,
> Do you have any hints / pointers you can give to implement this? I'm assuming
> you won't have resources anytime soon, then it would be good to at least guide
> some willing volunteer on opensuse-factory on what needs to be done.

Look at the pam-config source code, it's in OBS, especially on mod_pam_gnome_keyring.c, and there at the different switch cases.

https://bugzilla.novell.com/show_bug.cgi?id=755603#c11

Markus Elfring <Markus.Elfring@web.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Markus.Elfring@web.de

--- Comment #11 from Markus Elfring <Markus.Elfring@web.de> 2012-07-13 08:50:28 UTC ---

(In reply to comment #0)

I also stumble on information like the following on my updated openSUSE 12.1 system.

/dev/doda/var/log/messages:
...
Jul 4 14:48:30 Sonne su: The gnome keyring socket is not owned with the same credentials as the user login: /tmp/keyring-LUJ635/control
Jul 4 14:48:30 Sonne su: gkr-pam: couldn't unlock the login keyring.
Jul 4 14:48:30 Sonne su: (to root) elfring on /dev/pts/1
...

What are the chances of resolving such difficulties with authorisation processes?

https://bugzilla.novell.com/show_bug.cgi?id=755603#c12

Andreas Schneider <schneider470@web.de> changed:

           What    |Removed                               |Added
--------------------------------------------------------------------------------------------------------------
           Priority|P5 - None                             |P3 - Medium
            Version|Factory                               |Final
                 CC|                                      |schneider470@web.de
          Component|GNOME                                 |Xfce
           Platform|Other                                 |x86-64
           Found By|Development                           |---
         AssignedTo|bnc-team-gnome@forge.provo.novell.com |bnc-team-xfce@forge.provo.novell.com
            Product|openSUSE 12.2                         |openSUSE 12.3
         OS/Version|Other                                 |openSUSE 12.3

--- Comment #12 from Andreas Schneider <schneider470@web.de> 2013-07-15 12:58:19 UTC ---

I am seeing this problem after installing (new) suse 12.3/64 while 12.2/64 worked fine for me.

Using a starter "xdg-su -c thunar" brings up a correct root-window for this application which however is frozen and unusable. It can be closed only after timeout and with a popup "application does not answer".

/var/log/messages tells the same story as given here in the bug report.

I take it this problem has not been solved so far or did I miss something? Please let me know if you need more information.

https://bugzilla.novell.com/show_bug.cgi?id=755603#c13

Guido Berhörster <gber@opensuse.org> changed:

           What    |Removed                               |Added
--------------------------------------------------------------------------------------------------------------
           Priority|P3 - Medium                           |P5 - None
          Component|Xfce                                  |GNOME
         AssignedTo|bnc-team-xfce@forge.provo.novell.com  |bnc-team-gnome@forge.provo.novell.com
           Severity|Major                                 |Normal

--- Comment #13 from Guido Berhörster <gber@opensuse.org> 2013-07-15 13:26:30 UTC ---

This is a harmless warning that appears every time you use su or sudo and has nothing to do with whatever else you're seeing. Also, don't reassign this, it is a minor issue in gnome-keyring.

http://bugzilla.novell.com/show_bug.cgi?id=755603

Jia Ban Yovan Toh <jiabanster@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jiabanster@gmail.com