https://bugzilla.novell.com/show_bug.cgi?id=755603
https://bugzilla.novell.com/show_bug.cgi?id=755603#c0
Summary: The gnome keyring socket is not owned with the same credentials as the user login
Classification: openSUSE
Product: openSUSE 12.2
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: GNOME
AssignedTo: bnc-team-gnome@forge.provo.novell.com
ReportedBy: mvyskocil@suse.com
QAContact: qa-bugs@suse.de
CC: vuntz@suse.com, vcizek@suse.com
Found By: Development
Blocker: ---
Created an attachment (id=484752) --> (http://bugzilla.novell.com/attachment.cgi?id=484752) copy the credential checking code from git.gnome.org
Running a command via sudo fills my log with errors as appears in $SUBJECT
$ sudo ls
Password: xxxx
and then log contains following
Apr 4 10:20:01 zelva sudo: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/mvyskocil/keyring-5MIqXs/control
Apr 4 10:20:01 zelva sudo: gkr-pam: couldn't unlock the login keyring.
Apr 4 10:20:01 zelva sudo: mvyskocil : TTY=pts/5 ; PWD=/home/mvyskocil ; USER=root ; COMMAND=/usr/bin/ls
Apr 4 10:20:01 zelva systemd[1]: Got D-Bus request: org.freedesktop.DBus.NameOwnerChanged() on /org/freedesktop/DBus
However that's not true
$ echo $GNOME_KEYRING_CONTROL
/run/user/mvyskocil/keyring-5MIqXs
$ ls -n $GNOME_KEYRING_CONTROL/*
srwxr-xr-x 1 10112 100 0 4. dub 09.33 /run/user/mvyskocil/keyring-5MIqXs/control
srwxr-xr-x 1 10112 100 0 4. dub 09.33 /run/user/mvyskocil/keyring-5MIqXs/gpg
srwxr-xr-x 1 10112 100 0 4. dub 09.33 /run/user/mvyskocil/keyring-5MIqXs/pkcs11
srwxr-xr-x 1 10112 100 0 4. dub 09.33 /run/user/mvyskocil/keyring-5MIqXs/ssh
$ id
uid=10112(mvyskocil) gid=100(users) groups=100(users),10(wheel),33(video),41(xok),113(vboxusers),404(lighttpd),1194(vpn)
$ id -u
10112
$ id -ru
10112
so the 10112 is my *real* id and keyring sockets are really owned by this id.
$ cat /proc/$GNOME_KEYRING_PID/loginuid
10112
and even the process runs with the same uid, so there is really **no** surprise in my configuration. I did a bit more and copied the part of gnome-keyring-daemon, however even getsockopt returns the id 10112, like getuid does.
$ ./creds
uid=10112, geteuid()=10112
I would say the best way to debug would be to patch gnome-keyring-daemon and print the values of uid and getuid on error, but I haven't had time to do that yet.
BTW: as google returns most of suse related things for $SUBJ, I suspect some misconfiguration in our pam stack.
https://bugzilla.novell.com/show_bug.cgi?id=755603#c1
--- Comment #1 from Vincent Untz vuntz@suse.com 2012-04-04 08:52:44 UTC ---
The issue is that the GNOME_KEYRING_CONTROL environment variable is set, and when the pam modules are run because of opening a session, the pam_gnome_keyring module sees it and therefore tries to unlock the keyring.
But since it's set for your user, but it's trying to unlock it for root (because you run sudo, so we open a session for root), it fails.
https://bugzilla.novell.com/show_bug.cgi?id=755603#c2
--- Comment #2 from Vincent Untz vuntz@suse.com 2012-04-04 08:57:38 UTC ---
(Hrm, it might be during pam auth, not during pam session: the keyring can be unlocked at both times)
https://bugzilla.novell.com/show_bug.cgi?id=755603#c3
Vincent Untz vuntz@suse.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gber@opensuse.org

--- Comment #3 from Vincent Untz vuntz@suse.com 2012-04-04 09:06:46 UTC ---
Changing /etc/pam.d/common-auth to have:
auth optional pam_gnome_keyring.so only_if=gdm,gdm-password,lxdm,lightdm
instead of just:
auth optional pam_gnome_keyring.so
removes the warning.
However, this breaks the use case where we want the keyring to be unlocked when unlocking the screensaver. So we need to at least add gnome-screensaver to the only_if. I don't know what services are used to authenticate when unlocking a screensaver on xfce and lxde. Guido, do you know?
https://bugzilla.novell.com/show_bug.cgi?id=755603#c4
--- Comment #4 from Guido Berhörster gber@opensuse.org 2012-04-04 09:29:01 UTC ---
(In reply to comment #3)
> unlocking the screensaver. So we need to at least add gnome-screensaver to the only_if. I don't know what services are used to authenticate when unlocking a screensaver on xfce and lxde. Guido, do you know?
Xfce/LXDE use xscreensaver by default whose pam service name is also "xscreensaver".
https://bugzilla.novell.com/show_bug.cgi?id=755603#c5
Vincent Untz vuntz@suse.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |mc@suse.com

--- Comment #5 from Vincent Untz vuntz@suse.com 2012-04-04 10:13:20 UTC ---
Hrm, I'm unsure it's possible to make pam-config understand different options for auth and session :/
Michael, any hint on this? I'd like pam-config to output:
session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
auth optional pam_gnome_keyring.so only_if=gdm,gdm-password,lxdm,lightdm,gnome-screensaver,xscreensaver
Our current pam-config call is:
pam-config -a --gnome_keyring --gnome_keyring-auto_start --gnome_keyring-only_if=gdm,gdm-password,lxdm,lightdm
It's important to note that we don't want auto_start in auth. It's probably okay if the only_if option has the same values in session and auth, though.
https://bugzilla.novell.com/show_bug.cgi?id=755603#c6
Michael Calmer mc@suse.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
       InfoProvider|mc@suse.com                 |kukuk@suse.com

--- Comment #6 from Michael Calmer mc@suse.com 2012-04-25 08:55:15 UTC ---
pam-config maintainer is Thorsten. Better ask him.
https://bugzilla.novell.com/show_bug.cgi?id=755603#c7
Thorsten Kukuk kukuk@suse.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|kukuk@suse.com              |

--- Comment #7 from Thorsten Kukuk kukuk@suse.com 2012-04-26 16:35:54 UTC ---
Should be possible, somebody needs to look at the code and provide a patch.
https://bugzilla.novell.com/show_bug.cgi?id=755603#c8
Joe Fidler joefidler@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joefidler@yahoo.com

--- Comment #8 from Joe Fidler joefidler@yahoo.com 2012-04-29 22:47:38 UTC ---
I am seeing the same error as described above in my logs - bit scary when you first notice it.
https://bugzilla.novell.com/show_bug.cgi?id=755603#c9
Dominique Leuenberger dimstar@opensuse.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 CC|                            |dimstar@opensuse.org
       InfoProvider|                            |kukuk@suse.com

--- Comment #9 from Dominique Leuenberger dimstar@opensuse.org 2012-06-20 20:46:52 UTC ---
Thorsten,
Do you have any hints / pointers you can give to implement this? I'm assuming you won't have resources anytime soon, then it would be good to at least guide some willing volunteer on opensuse-factory on what needs to be done.
https://bugzilla.novell.com/show_bug.cgi?id=755603#c10
Thorsten Kukuk kukuk@suse.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|kukuk@suse.com              |

--- Comment #10 from Thorsten Kukuk kukuk@suse.com 2012-06-21 10:00:43 UTC ---
(In reply to comment #9)
> Thorsten,
> Do you have any hints / pointers you can give to implement this? I'm assuming you won't have resources anytime soon, then it would be good to at least guide some willing volunteer on opensuse-factory on what needs to be done.
Look at the pam-config source code, it's in OBS, especially on mod_pam_gnome_keyring.c, and there at the different switch cases.
https://bugzilla.novell.com/show_bug.cgi?id=755603#c11
Markus Elfring Markus.Elfring@web.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Markus.Elfring@web.de

--- Comment #11 from Markus Elfring Markus.Elfring@web.de 2012-07-13 08:50:28 UTC ---
(In reply to comment #0)
I stumble also on information like the following on my updated openSUSE 12.1 system.
/dev/doda/var/log/messages:
...
Jul 4 14:48:30 Sonne su: The gnome keyring socket is not owned with the same credentials as the user login: /tmp/keyring-LUJ635/control
Jul 4 14:48:30 Sonne su: gkr-pam: couldn't unlock the login keyring.
Jul 4 14:48:30 Sonne su: (to root) elfring on /dev/pts/1
...
How are the chances to resolve such difficulties with authorisation processes?
https://bugzilla.novell.com/show_bug.cgi?id=755603#c12
Andreas Schneider schneider470@web.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
            Version|Factory                     |Final
                 CC|                            |schneider470@web.de
          Component|GNOME                       |Xfce
           Platform|Other                       |x86-64
           Found By|Development                 |---
         AssignedTo|bnc-team-gnome@forge.provo. |bnc-team-xfce@forge.provo.n
                   |novell.com                  |ovell.com
            Product|openSUSE 12.2               |openSUSE 12.3
         OS/Version|Other                       |openSUSE 12.3

--- Comment #12 from Andreas Schneider schneider470@web.de 2013-07-15 12:58:19 UTC ---
I am seeing this problem after installing (new) suse 12.3/64 while 12.2/64 worked fine for me.
Using a starter "xdg-su -c thunar" brings up a correct root-window for this application which however is frozen and unusable. It can be closed only after timeout and with a popup "application does not answer".
/var/log/messages tells the same story as given here in the bug report.
I take it this problem has not been solved so far or did I miss something?
Please let me know if you need more information.
https://bugzilla.novell.com/show_bug.cgi?id=755603#c13
Guido Berhörster gber@opensuse.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3 - Medium                 |P5 - None
          Component|Xfce                        |GNOME
         AssignedTo|bnc-team-xfce@forge.provo.n |bnc-team-gnome@forge.provo.
                   |ovell.com                   |novell.com
           Severity|Major                       |Normal

--- Comment #13 from Guido Berhörster gber@opensuse.org 2013-07-15 13:26:30 UTC ---
This is a harmless warning that appears every time you use su or sudo and has nothing to do with whatever else you're seeing. Also, don't reassign this, it is a minor issue in gnome-keyring.
http://bugzilla.novell.com/show_bug.cgi?id=755603
Jia Ban Yovan Toh jiabanster@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jiabanster@gmail.com