Hello community, here is the log from the commit of package gnome-keyring for openSUSE:Factory checked in at Mon May 9 09:44:07 CEST 2011. -------- --- GNOME/gnome-keyring/gnome-keyring.changes 2011-01-14 14:02:49.000000000 +0100 +++ /mounts/work_src_done/STABLE/gnome-keyring/gnome-keyring.changes 2011-05-06 14:32:18.000000000 +0200 
@@ -1,0 +2,127 @@ +Thu May 5 19:57:53 CEST 2011 - vuntz@opensuse.org + +- Handle specific permissions for %{_bindir}/gnome-keyring-daemon: + + Add permissions PreReq. + + Add %set_permissions %{_bindir}/gnome-keyring-daemon to %post. + + Add a %verifyscript scriptlet calling %verify_permissions. +- Do not package %{_bindir}/gnome-keyring-daemon with filesystem + capabilities: the security team will add what is needed via + %set_permissions after a review of the code. +- Drop rpmlintrc file as we don't need it anymore, since we have no + setuid binary nor capabilities. +- Add gnome-keyring-keep-only-ipc_lock.patch: when filesystem + capabilities are used, make sure that we do have ipc_lock and + keep only this one. +- Add gnome-keyring-accept-no-ipc_lock.patch: accept to run without + ipc_lock capability, just print a warning instead of aborting. +- This is part of bnc#682244. + +------------------------------------------------------------------- +Mon May 2 14:01:10 UTC 2011 - fcrozat@novell.com + +- Add gnome-keyring-file-capabilities.patch: Use libcap-ng for file + capabilities (from git, see rh#668831). +- Use libcap-ng-devel BuildRequires instead of libcap-devel +- Add gtk-doc BuildRequires, only needed because of the new patch. +- gnome-keyring-daemon is now using cap_ipc_lock=ep instead of + setuid. + +------------------------------------------------------------------- +Wed Apr 27 09:42:44 UTC 2011 - fcrozat@novell.com + +- Update to version 3.0.1: + + Fix clicking buttons in 'unsafe storage' dialog on GTK+3. + + Build with GTK+3 by default. + + More tests and test fine tuning: --enable-tests=yes/no/full. + + Expand path in gnome-keyring-prompt.desktop properly. + + Implement debug tracing in parts of gcr library. + + Complete documentation in gcr and gck libraries. + + Fix assertions in gcr library during parsing of a stream. + + Build fixes. +- Add gnome-keyring-fix-parallel-build.patch to fix parallel build + (from git). 
+- Remove libmock-test-module.so in %install, as this is only useful + for tests. + +------------------------------------------------------------------- +Mon Apr 25 13:06:18 CEST 2011 - vuntz@opensuse.org + +- Add the rpmlintrc that was added as workaround until bnc#682244 + is fixed (security review) as a source. + +------------------------------------------------------------------- +Mon Apr 4 13:23:15 UTC 2011 - fcrozat@novell.com + +- Update to version 3.0.0: + + Updated translations. + +------------------------------------------------------------------- +Tue Mar 22 10:12:34 UTC 2011 - fcrozat@novell.com + +- Update to version 2.91.93: + + Use full interface.Property form for CreateCollection and + CreateItem in the DBus API. + + Add deprecated functions for libgcr symbols lost since 2.32.x + + Don't crash when the GPG agent is asked for a passhprase + without a key id. +- Changes from version 2.91.92: + + Don't leak login name from PAM when logging error. + + Also start daemon in XFCE + + Fix inability to save password for other keyrings. + + Build and test fixes. + + Support removal of aliases via the secret service API + + Fix race condition when multiple applications create the + default keyring at the same time. + + Add a desktop file for gnome-keyring-prompt, so the icon shows + up properly in gnome-shell. + + Implement HKDF for transport encryption security. +- Changes from version 2.91.91: + + Fix the certificate details expander when used with GTK+3 + + Calculate the minimum/natural size of the certificate widget + better. + + Fix gnome-keyring-prompt for GTK+3 release. + + Fix problems with the URIs used for trust lookup and storage. + + Pass around a content-type for secrets in the DBus Secret + Service API. + + If DBus couldn't be initialized when starting up the daemon, + try again at a later point. + + Build and testing fixes. 
+ + Remove support for the pkcs11-options file, and wait for a + proper configuration file setup being worked on in p11-kit. + + Add support for --version argument to gnome-keyring-daemon and + gnome-keyring. + + Create necessary directory when storing trust assertion + objects. +- Changes from version 2.91.4: + + gck library loads PKCS#11 modules from /usr/lib/pkcs11 + + PKCS#11 config file in /etc/xdg/pkcs11.conf[.defaults] + + Many ASN.1 encoding fixes. + + Refactor how tests work. + + Install standalone PKCS#11 modules to a consistent location. + + Memory leaks and other bug fixes. + + Allow enumeration of objects in specific PKCS#11 slots as well + as modules. + + Add GcrCertificateChain for building certificate chains. + + Implementation of the initial PKCS#11 Trust Assertions spec. + + Add GcrPkcs11Certificate for looking up certificates in PKCS#11 + modules by issuer. + + Expose gcr functionality for setting which PKCS#11 modules to + use. + + Find the root certificates by default. + + Move to a single header model for libgcr. + + Don't load *.la files when looking for PKCS#11 modules. + + Fixes for GTK+3.0 + + New xdg-store PKCS#11 module with support for storing trust + assertions. + + Rename old user-store to gnome2-store since it stores its data + in old formats in the old .gnome2 location. +- Replace gnome-keyring-autostart-in-xfce.patch with + desktop-file-install calls. Add desktop-file-utils BuildRequires + for this. +- Add support for source service checkout, with %BUILD_FROM_VCS: + + Add gnome-common and gtk-doc BuildRequires. + + Add call to ./autogen.sh. + + Enforce gtk-doc html generation by passing --enable-gtk-doc to + configure. + +------------------------------------------------------------------- 
@@ -7,0 +135,44 @@ + +------------------------------------------------------------------- +Fri Dec 17 12:06:16 CET 2010 - vuntz@opensuse.org + +- Update to version 2.91.3: + + Shutdown module timer when holding proper mutex. + + Linux capabilities to overcome limits on locked memory. + + Update HACKING with coding style + + Build fixes. +- Changes from version 2.91.2: + + Add timeout if PAM startup doesn't complete shortly. + + Fix login keyring password when it doesn't match unix login. + + Replace gp11-0 with gck in pkgconfig file + + Fix broken dispose of GcrCertificateWidget + + Remove gp11 library. +- Changes from version 2.91.1: + + Fix build problem in gpg-agent. + + Properly distribute pkgconfig file for gck library. + + Better certificate widget in gcr library. + + Add extra debug guard around printing of prompt io. + + Rework how the gcr parser and importer work together. + + More GTK+ 3.0 fixes. +- Changes from version 2.91.0: + + String and punctuation fixes. + + Add libgck library to soon replace libgp11 + + Migrate everything in gnome-keyring to libgp11 + + Fix invalid memory access in PKCS#11 rpc-layer + + Fix race condition in tests +- Move to pkgconfig()-style BuildRequires: + + Old ones: dbus-1-devel, gtk2-devel, libtasn1-devel. + + New ones: dbus-1, glib-2.0, gtk+-3.0, libtasn1. +- Add libcap-devel BuildRequires. +- Rename libgcr0 to libgcr-3_0 after library name change. +- Remove explicit glib2-devel, gtk2-devel, libgp11-devel, + libtasn1-devel Requires in libgcr-devel package: they will be + automatically added the pkgconfig() way. +- Add libgck0, libgck-devel and libgck-modules subpackages, and + remove libgp11-0, libgp11-devel, libgp11-modules. Packaging-wise, + it's mostly like a renaming. Note that we have libgck-modules + with a Obsoletes tag for libgp11-modules since they share the + same files. +- Pass --with-gtk=3.0 instead of --with-gtk=2.0 to configure. 
+- Stop passing --libexecdir=%{_libexecdir}/gnome-keyring-1 to + configure: this is really not needed. calling whatdependson for head-i586 Old: ---- gnome-keyring-2.32.1.tar.bz2 gnome-keyring-autostart-in-xfce.patch New: ---- gnome-keyring-3.0.1.tar.bz2 gnome-keyring-accept-no-ipc_lock.patch gnome-keyring-file-capabilities.patch gnome-keyring-fix-parallel-build.patch gnome-keyring-keep-only-ipc_lock.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnome-keyring.spec ++++++ --- /var/tmp/diff_new_pack.VZpV7g/_old 2011-05-09 09:39:35.000000000 +0200 +++ /var/tmp/diff_new_pack.VZpV7g/_new 2011-05-09 09:39:35.000000000 +0200 @@ -19,17 +19,27 @@ Name: gnome-keyring -BuildRequires: dbus-1-devel +BuildRequires: desktop-file-utils BuildRequires: fdupes -BuildRequires: gtk2-devel BuildRequires: intltool +BuildRequires: libcap-ng-devel BuildRequires: libgcrypt-devel -BuildRequires: libtasn1-devel BuildRequires: pam-devel BuildRequires: translation-update-upstream BuildRequires: update-desktop-files -Version: 2.32.1 -Release: 4 +BuildRequires: pkgconfig(dbus-1) +BuildRequires: pkgconfig(glib-2.0) +BuildRequires: pkgconfig(gtk+-3.0) +BuildRequires: pkgconfig(libtasn1) +BuildRequires: ca-certificates +# needed by patch7 +BuildRequires: gtk-doc +%if 0%{?BUILD_FROM_VCS} +BuildRequires: gnome-common +BuildRequires: gtk-doc +%endif +Version: 3.0.1 +Release: 1 Url: http://www.gnome.org/ Group: System/GUI/GNOME License: GPLv2+ ; LGPLv2.1+ 
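Review bot: gtk-doc is listed twice in the first gnome-keyring.spec hunk, once unconditionally under the '# needed by patch7' comment and again inside '%if 0%{?BUILD_FROM_VCS}'; the unconditional line already covers the VCS build, so drop 'BuildRequires: gtk-doc' from the conditional block (keeping gnome-common there) so the preamble does not carry a duplicate that a later cleanup will trip over.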
@@ -40,9 +50,16 @@ Patch4: gnome-keyring-check-session.patch # PATCH-FIX-OPENSUSE gnome-keyring-pam-auth-prompt-password.patch bnc466732 bgo560488 vuntz@novell.com -- Make the pam module prompt the password in auth, so we can use pam-config. This is a workaround until bnc#477488 is implemented. Patch5: gnome-keyring-pam-auth-prompt-password.patch -# PATCH-FEATURE-OPENSUSE gnome-keyring-autostart-in-xfce.patch gber@opensuse.org -- Fix desktop files so that gnome keyring is autostarted in XFCE sessions as well. -Patch6: gnome-keyring-autostart-in-xfce.patch -Requires: libgp11-modules = %{version} +# PATCH-FIX-UPSTREAM gnome-keyring-fix-parallel-build.patch fcrozat@novell.com -- Fix parallel build (from git) +Patch6: gnome-keyring-fix-parallel-build.patch +# PATCH-FIX-UPSTREAM gnome-keyring-file-capabilities.patch rh668831 fcrozat@novell.com -- Use libcap-ng for file capabilities (from git) +Patch7: gnome-keyring-file-capabilities.patch +# PATCH-FIX-UPSTREAM gnome-keyring-keep-only-ipc_lock.patch bnc#682244 bgo#649560 vuntz@opensuse.org -- Drop fs-based caps other than ipc_lock +Patch8: gnome-keyring-keep-only-ipc_lock.patch +# PATCH-FIX-UPSTREAM gnome-keyring-accept-no-ipc_lock.patch bnc#682244 bgo#649560 vuntz@opensuse.org -- Accept to run if we don't have the ipc_lock cap. Note that this might result in unencrypted sensitive data (like passwords) being written to the disk (in the swap) if we use too much memory. +Patch9: gnome-keyring-accept-no-ipc_lock.patch +PreReq: permissions +Requires: libgck-modules = %{version} Recommends: %{name}-lang Recommends: %{name}-pam # bug437293 
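Review bot: 'PreReq: permissions' together with the Patch9 description leaves the interim state undocumented in the spec: until the security team adds an entry for gnome-keyring-daemon to the permissions package (still pending the bnc#682244 review, per the .changes entry), %set_permissions assigns nothing, so every installed daemon takes the Patch9 path and runs without ipc_lock after a stderr warning, with the swap exposure the Patch9 comment itself describes. Add a comment next to Patch9 saying that this is the default behaviour until the permissions entry ships, so someone reading only the spec knows why the binary has neither setuid nor capabilities.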
@@ -62,24 +79,20 @@ password, and there is also a session keyring which is never stored to disk, but forgotten when the session ends. -%package -n libgcr0 +%package -n libgcr-3-0 License: GPLv2+ ; LGPLv2.1+ Group: System/GUI/GNOME Summary: Library for Crypto UI related task Recommends: %{name} = %{version} -%description -n libgcr0 +%description -n libgcr-3-0 GCR is a library for crypto UI and related tasks. %package -n libgcr-devel License: GPLv2+ ; LGPLv2.1+ Group: Development/Libraries/GNOME Summary: Library for Crypto UI related task - Development Files -Requires: libgcr0 = %{version} -Requires: glib2-devel -Requires: gtk2-devel -Requires: libgp11-devel -Requires: libtasn1-devel +Requires: libgcr-3-0 = %{version} %description -n libgcr-devel The GNOME Keyring is a daemon in the session, similar to ssh-agent, @@ -90,24 +103,23 @@ password, and there is also a session keyring which is never stored to disk, but forgotten when the session ends. -%package -n libgp11-0 +%package -n libgck0 License: GPLv2+ ; LGPLv2.1+ Group: System/GUI/GNOME -Summary: Glib wrapper library for PKCS#11 -Recommends: libgp11-modules = %{version} +Summary: GObject bindings for PKCS#11 +Recommends: libgck-modules = %{version} -%description -n libgp11-0 -GP11 is a wrapper based on GLib implementing the PKCS#11 (Cryptoki) +%description -n libgck0 +GCK is a wrapper based on GLib implementing the PKCS#11 (Cryptoki) interface. -%package -n libgp11-devel +%package -n libgck-devel License: GPLv2+ ; LGPLv2.1+ Group: Development/Libraries/GNOME -Summary: Glib wrapper library for PKCS#11 - Development Files -Requires: libgp11-0 = %{version} -Requires: glib2-devel +Summary: GObject bindings for PKCS#11 - Development Files +Requires: libgck0 = %{version} -%description -n libgp11-devel +%description -n libgck-devel The GNOME Keyring is a daemon in the session, similar to ssh-agent, and other applications can use it to store passwords and other sensitive information. 
@@ -116,14 +128,17 @@ password, and there is also a session keyring which is never stored to disk, but forgotten when the session ends. -%package -n libgp11-modules +%package -n libgck-modules License: GPLv2+ ; LGPLv2.1+ Group: System/GUI/GNOME Summary: Glib wrapper library for PKCS#11 - Modules -Requires: libgp11-0 = %{version} +Requires: libgck0 = %{version} +# libgp11 used to be the library providing all this. It turns out the +# modules are, as of 2.91.3, installed in the same place +Obsoletes: libgp11-modules < %{version} -%description -n libgp11-modules -GP11 is a wrapper based on GLib implementing the PKCS#11 (Cryptoki) +%description -n libgck-modules +GCK is a wrapper based on GLib implementing the PKCS#11 (Cryptoki) interface. This package contains various PKCS#11 modules, to expose keys and 
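Review bot: the Summary of libgck-modules still reads 'Glib wrapper library for PKCS#11 - Modules' while the libgck0 and libgck-devel hunks just above switched to 'GObject bindings for PKCS#11'; change it to 'GObject bindings for PKCS#11 - Modules' so the three subpackages describe themselves consistently. The 'Obsoletes: libgp11-modules < %{version}' line has no matching Provides, which is fine since the only consumer in this spec now requires libgck-modules, but the comment above it only explains the shared file location and could say so in one more sentence.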
@@ -158,26 +173,41 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 + +%if 0%{?BUILD_FROM_VCS} +[ -x ./autogen.sh ] && NOCONFIGURE=1 ./autogen.sh +%endif %build +# needed by patch7 +libtoolize --force +autoreconf %configure\ - --libexecdir=%{_libexecdir}/gnome-keyring-1\ --enable-pam \ --with-pam-dir=/%{_lib}/security \ --with-root-certs=%{_sysconfdir}/ssl/certs \ - --disable-acl-prompts \ - --with-gtk=2.0 -make %{?jobs:-j%jobs} +%if 0%{?BUILD_FROM_VCS} + --enable-gtk-doc \ +%endif + --with-gtk=3.0 +make %{?jobs:-j%jobs} V=1 %install %makeinstall -%if 0%{?suse_version} <= 1120 -%{__rm} %{buildroot}%{_datadir}/locale/en@shaw/LC_MESSAGES/* -%endif +# we don't want to ship a test module +rm %{buildroot}/%{_libdir}/libmock-test-module.so find %{buildroot} -type f -name "*.la" -delete -print +# XFCE team wants gnome-keyring to work by default. +for i in %{buildroot}%{_sysconfdir}/xdg/autostart/*.desktop ; do + desktop-file-install --dir=%{buildroot}%{_sysconfdir}/xdg/autostart --add-only-show-in=XFCE $i +done %find_lang %{name} %suse_update_desktop_file gnome-keyring-gpg %suse_update_desktop_file gnome-keyring-pkcs11 +%suse_update_desktop_file gnome-keyring-prompt %suse_update_desktop_file gnome-keyring-secrets %suse_update_desktop_file gnome-keyring-ssh %fdupes %{buildroot} @@ -186,18 +216,22 @@ rm -rf %{buildroot} %post +%set_permissions %{_bindir}/gnome-keyring-daemon %glib2_gsettings_schema_post +%verifyscript +%verify_permissions -e %{_bindir}/gnome-keyring-daemon + %postun %glib2_gsettings_schema_postun -%post -n libgcr0 -p /sbin/ldconfig +%post -n libgcr-3-0 -p /sbin/ldconfig -%postun -n libgcr0 -p /sbin/ldconfig +%postun -n libgcr-3-0 -p /sbin/ldconfig -%post -n libgp11-0 -p /sbin/ldconfig +%post -n libgck0 -p /sbin/ldconfig -%postun -n libgp11-0 -p /sbin/ldconfig +%postun -n libgck0 -p /sbin/ldconfig %post pam %{_sbindir}/pam-config -a --gnome_keyring --gnome_keyring-auto_start --gnome_keyring-only_if=gdm,lxdm || true 
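Review bot: in the %build hunk, 'libtoolize --force' and 'autoreconf' now run unconditionally for patch7, while %prep still runs '[ -x ./autogen.sh ] && NOCONFIGURE=1 ./autogen.sh' under %if 0%{?BUILD_FROM_VCS}; in a VCS build the autotools files are therefore regenerated twice by two different tool invocations, so decide which run is authoritative and drop the other (or scope the libtoolize/autoreconf pair to the non-VCS case). In the same hunk the desktop-file-install loop passes an unquoted $i; quote it as "$i" as a matter of shell hygiene even though the current autostart file names contain no whitespace.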
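Review bot: in the scriptlet hunk, '%set_permissions %{_bindir}/gnome-keyring-daemon' in %post and '%verify_permissions -e %{_bindir}/gnome-keyring-daemon' in %verifyscript only take effect once the permissions package carries an entry for this binary, which the .changes entry says is still pending the bnc#682244 review; put a one-line comment above the %post line stating that, so the no-op-until-reviewed behaviour is visible where the macro is invoked rather than only in the changelog.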
@@ -219,59 +253,68 @@ %files %defattr (-, root, root) %doc AUTHORS ChangeLog COPYING NEWS README -%{_bindir}/* -%{_libexecdir}/gnome-keyring-1/ -%{_libdir}/gnome-keyring/gnome-keyring-pkcs11.so +%{_bindir}/gnome-keyring +%{_bindir}/gnome-keyring-3 +%{_bindir}/gnome-keyring-daemon +%{_libexecdir}/gnome-keyring-prompt +%{_libexecdir}/gnome-keyring-prompt-3 +%dir %{_libdir}/pkcs11 +%{_libdir}/pkcs11/gnome-keyring-pkcs11.so %{_datadir}/dbus-1/services/org.freedesktop.secrets.service %{_datadir}/dbus-1/services/org.gnome.keyring.service +%dir %{_datadir}/gnome-keyring-3 +%dir %{_datadir}/gnome-keyring-3/ui +%{_datadir}/gnome-keyring-3/ui/gku-prompt.ui # Own the directory since we can't depend on gconf providing them %dir %{_datadir}/GConf %dir %{_datadir}/GConf/gsettings %{_datadir}/GConf/gsettings/org.gnome.crypto.cache.convert %{_datadir}/GConf/gsettings/org.gnome.crypto.pgp.convert +%{_datadir}/applications/gnome-keyring-prompt.desktop %{_datadir}/glib-2.0/schemas/org.gnome.crypto.cache.gschema.xml %{_datadir}/glib-2.0/schemas/org.gnome.crypto.pgp.gschema.xml -%{_datadir}/gnome-keyring/ %{_sysconfdir}/xdg/autostart/*.desktop %files lang -f %{name}.lang -%files -n libgcr0 +%files -n libgcr-3-0 %defattr (-, root, root) -%{_libdir}/libgcr.so.* -%{_datadir}/gcr/ +%{_libdir}/libgcr-3.so.* +%{_datadir}/gcr-3/ %files -n libgcr-devel %defattr (-, root, root) -%{_libdir}/libgcr.so -%{_libdir}/pkgconfig/gcr-0.pc -%{_includedir}/gcr +%{_libdir}/libgcr-3.so +%{_libdir}/pkgconfig/gcr-3.pc +%{_includedir}/gcr-3/ %dir %{_datadir}/gtk-doc %dir %{_datadir}/gtk-doc/html -%{_datadir}/gtk-doc/html/gcr-0/ +%{_datadir}/gtk-doc/html/gcr-3/ -%files -n libgp11-0 +%files -n libgck0 %defattr (-, root, root) -%{_libdir}/libgp11.so.* +%{_libdir}/libgck.so.* %dir %{_libdir}/gnome-keyring %dir %{_libdir}/gnome-keyring/devel -%dir %{_libdir}/gnome-keyring/standalone -%files -n libgp11-devel +%files -n libgck-devel %defattr (-, root, root) -%{_libdir}/libgp11.so -%{_libdir}/pkgconfig/gp11-0.pc 
-%{_includedir}/gp11 +%{_libdir}/libgck.so +%{_libdir}/pkgconfig/gck-0.pc +%{_includedir}/gck/ %dir %{_datadir}/gtk-doc %dir %{_datadir}/gtk-doc/html -%{_datadir}/gtk-doc/html/gp11/ +%{_datadir}/gtk-doc/html/gck/ -%files -n libgp11-modules +%files -n libgck-modules %defattr (-, root, root) +# Note: if modules move to %%{_libdir}/pkcs11, then we should remove +# the libgp11-modules Obsoletes tag. +%{_libdir}/gnome-keyring/devel/gkm-gnome2-store-standalone.so +%{_libdir}/gnome-keyring/devel/gkm-roots-store-standalone.so +%{_libdir}/gnome-keyring/devel/gkm-secret-store-standalone.so %{_libdir}/gnome-keyring/devel/gkm-ssh-store-standalone.so -%{_libdir}/gnome-keyring/devel/gkm-user-store-standalone.so -%{_libdir}/gnome-keyring/standalone/gkm-roots-store-standalone.so -%{_libdir}/gnome-keyring/standalone/gkm-secret-store-standalone.so +%{_libdir}/gnome-keyring/devel/gkm-xdg-store-standalone.so %files pam %defattr (-, root, root) ++++++ gnome-keyring-2.32.1.tar.bz2 -> gnome-keyring-3.0.1.tar.bz2 ++++++ ++++ 246639 lines of diff (skipped) ++++++ gnome-keyring-accept-no-ipc_lock.patch ++++++
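Review bot: in the %files hunk of gnome-keyring.spec, '%{_bindir}/gnome-keyring-daemon' is listed under the plain '%defattr (-, root, root)' with no %attr or %caps, which matches the .changes intent (no setuid, no packaged capabilities, the permissions package decides), but nothing at that line says so, and it is exactly where a later packager would be tempted to add a %caps(cap_ipc_lock=ep) entry; add a one-line comment above it pointing at bnc#682244 and %set_permissions. The comment '# Note: if modules move to %%{_libdir}/pkcs11, then we should remove the libgp11-modules Obsoletes tag' lives in the libgck-modules file list while the Obsoletes tag itself is in the preamble hunk; a matching cross-reference next to the Obsoletes would keep the two from drifting apart.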
From b0bfc64a35faec9f2127c4fc857ce5be7df75baa Mon Sep 17 00:00:00 2001 From: Vincent Untz <vuntz@gnome.org> Date: Fri, 6 May 2011 14:18:00 +0200 Subject: [PATCH 2/2] Accept to run if ipc_lock capability is not available
We print a warning about potential use of unsecure memory, but still run (and drop unneeded capabilities if we have some). This is better than nothing. --- daemon/gkd-capability.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c index e15200a..92c000c 100644 --- a/daemon/gkd-capability.c +++ b/daemon/gkd-capability.c @@ -42,6 +42,12 @@ early_error (const char *err_string) exit (1); } +static void +early_warning (const char *warn_string) +{ + fprintf (stderr, "gnome-keyring-daemon: %s\n", warn_string); +} + #endif /* HAVE_LIPCAPNG */ /* @@ -74,11 +80,14 @@ gkd_capability_obtain_capability_and_drop_privileges (void) early_error ("error getting process capabilities"); break; case CAPNG_NONE: - early_error ("insufficient process capabilities"); + early_warning ("insufficient process capabilities, unsecure memory might get used"); break; case CAPNG_PARTIAL: /* File system based capabilities */ if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) { - early_error ("insufficient process capabilities"); + early_warning ("insufficient process capabilities, unsecure memory might get used"); + /* Drop all capabilities */ + capng_clear (CAPNG_SELECT_BOTH); + capng_apply (CAPNG_SELECT_BOTH); break; } -- 1.7.4.2 ++++++ gnome-keyring-file-capabilities.patch ++++++
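Review bot: in gnome-keyring-accept-no-ipc_lock.patch, the new fallback in the CAPNG_PARTIAL branch calls 'capng_clear (CAPNG_SELECT_BOTH); capng_apply (CAPNG_SELECT_BOTH);' and then breaks without looking at the return value, whereas the keep-ipc_lock path a few lines further down in the same switch treats a non-zero capng_apply () as early_error ("error dropping process capabilities"); check it the same way, because a failed drop here means the daemon keeps whatever file capabilities it was started with, which is the opposite of what the warning promises, or add a comment saying why failure is acceptable on this path. The CAPNG_NONE branch now also only warns, so the block comment above the function, which still says 'The application is aborted if for any reason we are unable to drop privileges', no longer describes the behaviour and should be updated in this patch; and 'unsecure' should read 'insecure' in both new messages.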
From 66bd5dd32836a770647b8acf3476fb7922be71eb Mon Sep 17 00:00:00 2001 From: Steve Grubb <sgrubb@redhat.com> Date: Thu, 10 Mar 2011 17:01:35 +0100 Subject: [PATCH] Use file system based capabilities as a way of getting ipc-lock
https://bugzilla.redhat.com/show_bug.cgi?id=668831 --- configure.in | 16 +++--- daemon/gkd-capability.c | 112 +++++++++++++++------------------------------- 2 files changed, 45 insertions(+), 83 deletions(-) diff --git a/configure.in b/configure.in index 8e03c7d..a5a434d 100644 --- a/configure.in +++ b/configure.in @@ -440,19 +440,19 @@ if test "$ASN1PARSER" = "no" ; then fi # ------------------------------------------------------------------- -# libcap2 +# libcap-ng # -AC_CHECK_LIB([cap], [cap_get_proc], have_libcap="yes", have_libcap="no") +AC_CHECK_LIB([cap-ng], [capng_clear], have_libcapng="yes", have_libcapng="no") -if test $have_libcap = yes; then - AC_DEFINE(HAVE_LIBCAP, 1, [Have libcap2 package, libcap library]) - DAEMON_LIBS="$DAEMON_LIBS -lcap" +if test $have_libcapng = yes; then + AC_DEFINE(HAVE_LIBCAPNG, 1, [Have libcap-ng package, libcap-ng library]) + DAEMON_LIBS="$DAEMON_LIBS -lcap-ng" else - AC_MSG_WARN([libcap2 (or development headers) is not installed]) + AC_MSG_WARN([libcap-ng (or development headers) is not installed]) fi -libcap_status=$have_libcap +libcapng_status=$have_libcapng # -------------------------------------------------------------------- # Debug mode @@ -741,7 +741,7 @@ ui/tests/Makefile echo echo "OPTIONAL DEPENDENCIES" echo " PAM: $pam_status" -echo " Linux capabilities: $libcap_status" +echo " Linux capabilities: $libcapng_status" echo echo "CONFIGURATION" echo " SSH Agent: $ssh_status" diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c index 4ca0db1..5b47f4e 100644 --- a/daemon/gkd-capability.c +++ b/daemon/gkd-capability.c @@ -1,7 +1,7 @@ /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */ /* gkd-capability.c - the security-critical initial phase of the daemon * - * Copyright (C) 2010 Yaron Sheffer + * Copyright (C) 2011 Steve Grubb * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as 
@@ -18,102 +18,64 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. * - * Author: Yaron Sheffer <yaronf@gmx.com> - * Author: Stef Walter <stef@thewalter.net> + * Author: Steve Grubb <sgrubb@redhat.com> */ #include "config.h" #include "gkd-capability.h" -#ifdef HAVE_LIBCAP -#include <sys/capability.h> +#ifdef HAVE_LIBCAPNG +#include <cap-ng.h> #endif #include <stdio.h> -#include <unistd.h> -#include <sys/types.h> #include <stdlib.h> -/* Security note: this portion of the code is extremely sensitive. - * DO NOT add any other include files. - */ +#ifdef HAVE_LIBCAPNG -/* - * No logging, no gettext - */ +/* No logging, no gettext */ static void early_error (const char *err_string) { - fprintf (stderr, "gnome-keyring-daemon: %s\n", err_string); + fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string); + exit (1); } -static void -drop_privileges (void) -{ - uid_t orig_uid; - gid_t orig_gid; - - orig_uid = getuid (); - orig_gid = getgid (); - - /* This is permanent, you cannot go back to root */ - setgid (orig_gid); - setuid (orig_uid); - - /* - * Check that the switch was ok - * We do not allow programs to run without the drop being - * successful as this would possibly run the program - * using root-privs, when that is not what we want - */ - if ((getegid () != orig_gid) || (geteuid () != orig_uid)) { - early_error ("failed to drop privileges, aborting"); - exit (1); - } -} +#endif /* HAVE_LIPCAPNG */ /* - * Try to obtain the CAP_IPC_LOCK Linux capability. - * Then, whether or not this is successful, drop root - * privileges to run as the invoking user. The application is aborted - * if for any reason we are unable to drop privileges. Note: even gettext - * is unavailable! + * This program needs the CAP_IPC_LOCK posix capability. + * We want to allow either setuid root or file system based capabilies + * to work. If file system based capabilities, this is a no-op unless + * the root user is running the program. 
In that case we just drop + * capabilities down to IPC_LOCK. If we are setuid root, then change to the + * invoking user retaining just the IPC_LOCK capability. The application + * is aborted if for any reason we are unable to drop privileges. + * Note: even gettext is unavailable! */ void gkd_capability_obtain_capability_and_drop_privileges (void) { -#ifdef HAVE_LIBCAP - cap_t caps; - cap_value_t cap_list[1]; - - caps = cap_get_proc (); - if (caps == NULL) { - early_error ("capability state cannot be allocated"); - goto drop; - } - - cap_list[0] = CAP_IPC_LOCK; - if (cap_set_flag (caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET) == -1) { - early_error ("error when manipulating capability sets"); - goto drop; - } - - if (cap_set_proc (caps) == -1) { - /* Only warn when it's root that's running */ - if (getuid () == 0) - early_error ("cannot apply capabilities to process"); - goto drop; +#ifdef HAVE_LIBCAPNG + capng_get_caps_process (); + switch (capng_have_capabilities (CAPNG_SELECT_CAPS)) + { + case CAPNG_FULL: + /* We are either setuid root or the root user */ + capng_clear (CAPNG_SELECT_CAPS); + capng_update (CAPNG_ADD, + CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_IPC_LOCK); + if (capng_change_id (getuid (), getgid (), 0)) + early_error ("failed dropping capabilities"); + break; + case CAPNG_FAIL: + case CAPNG_NONE: + early_error ("error getting process capabilities"); + break; + case CAPNG_PARTIAL: /* File system based capabilities */ + break; } - - if (cap_free (caps) == -1) { - early_error ("failed to free capability structure"); - goto drop; - } -drop: - -#endif - /* Now finally drop the suid by becoming the invoking user */ - if (geteuid () != getuid() || getegid () != getgid ()) - drop_privileges (); +#endif /* HAVE_LIBCAPNG */ } -- 1.7.3.4
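Review bot: in gnome-keyring-file-capabilities.patch, the gkd-capability.c hunk removes '#include <unistd.h>' and '#include <sys/types.h>' while the CAPNG_FULL branch still calls getuid () and getgid () for capng_change_id (); unless cap-ng.h happens to pull those in, this compiles on implicit declarations, so keep the two includes. In the switch, CAPNG_PARTIAL is a bare 'break' that never verifies that CAP_IPC_LOCK is actually among the file capabilities (the follow-up gnome-keyring-keep-only-ipc_lock.patch fixes this), and CAPNG_NONE shares the 'error getting process capabilities' message with CAPNG_FAIL although it means the lookup succeeded and found nothing. Smaller points: '#endif /* HAVE_LIPCAPNG */' misspells LIBCAPNG, 'capabilies' in the block comment, and the header now names only 'Copyright (C) 2011 Steve Grubb' with the Yaron Sheffer and Stef Walter author lines removed even though the file's structure and early_error () survive from their version; keep the earlier copyright lines and add the new one.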
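The decision the patched gkd_capability_obtain_capability_and_drop_privileges () makes (setuid root or real root, file capabilities with or without ipc_lock, no capabilities at all), written out as an added example that is not gnome-keyring's code. It uses raw capget(2)/capset(2) instead of libcap-ng so it builds with only kernel headers: the classification mirrors capng_have_capabilities (), the setuid path mirrors what capng_change_id () does, and the two follow-up patches in this mail (keep only ipc_lock, warn and continue without it) are folded in. All function and type names are the example's own, and last_cap is a parameter instead of being read from the running kernel so the logic can be exercised with constructed sets:

```c
/* Added example, not gnome-keyring code: the privilege-narrowing decision of
 * gkd_capability_obtain_capability_and_drop_privileges() after the three
 * capability patches, on raw capget(2)/capset(2) instead of libcap-ng so it
 * needs only kernel headers. Names are the example's own; last_cap is a
 * parameter so the classification can be tested on constructed sets. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define CAP_BIT(c) (UINT64_C(1) << (c))

typedef struct { uint64_t effective, permitted, inheritable; } capsets_t;
typedef enum { CAPS_NONE, CAPS_PARTIAL, CAPS_FULL } cap_state_t; /* as capng_have_capabilities() */
typedef enum {
	ACT_NARROW_AND_SETUID,  /* setuid root or real root: keep IPC_LOCK, become invoking user */
	ACT_KEEP_ONLY_IPC_LOCK, /* file capabilities with IPC_LOCK effective: drop the rest */
	ACT_DROP_ALL_AND_WARN   /* IPC_LOCK not effective: drop everything, warn, keep running */
} action_t;

/* FULL: every cap 0..last_cap in both effective and permitted; NONE: none in either. */
cap_state_t classify_caps(const capsets_t *s, int last_cap)
{
	uint64_t all = last_cap >= 63 ? UINT64_MAX : CAP_BIT(last_cap + 1) - 1;
	if (((s->effective | s->permitted) & all) == 0)
		return CAPS_NONE;
	return ((s->effective & all) == all && (s->permitted & all) == all) ? CAPS_FULL : CAPS_PARTIAL;
}

/* Pick the branch and the target sets; unlike the patch, *out is defined on every path. */
action_t plan_privileges(const capsets_t *cur, int last_cap, capsets_t *out)
{
	memset(out, 0, sizeof *out);
	if (classify_caps(cur, last_cap) == CAPS_FULL) {
		out->effective = out->permitted = CAP_BIT(CAP_IPC_LOCK);
		return ACT_NARROW_AND_SETUID;
	}
	if (cur->effective & CAP_BIT(CAP_IPC_LOCK)) { /* the CAPNG_PARTIAL test */
		out->effective = out->permitted = CAP_BIT(CAP_IPC_LOCK);
		return ACT_KEEP_ONLY_IPC_LOCK;
	}
	return ACT_DROP_ALL_AND_WARN; /* CAPNG_NONE, or PARTIAL without IPC_LOCK */
}

/* v3 ABI: two 32-bit words per set. capget on pid 0 (self) needs no privilege. */
int read_caps(capsets_t *s)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct d[2];
	if (syscall(SYS_capget, &hdr, d) != 0)
		return -1;
	s->effective   = d[0].effective   | ((uint64_t)d[1].effective   << 32);
	s->permitted   = d[0].permitted   | ((uint64_t)d[1].permitted   << 32);
	s->inheritable = d[0].inheritable | ((uint64_t)d[1].inheritable << 32);
	return 0;
}

/* Shrinking needs no privilege; the kernel refuses any attempt to grow permitted. */
int apply_caps(const capsets_t *s)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct d[2];
	d[0].effective   = (uint32_t)s->effective;   d[1].effective   = (uint32_t)(s->effective >> 32);
	d[0].permitted   = (uint32_t)s->permitted;   d[1].permitted   = (uint32_t)(s->permitted >> 32);
	d[0].inheritable = (uint32_t)s->inheritable; d[1].inheritable = (uint32_t)(s->inheritable >> 32);
	return syscall(SYS_capset, &hdr, d) == 0 ? 0 : -1;
}

/* The setuid-root path, as capng_change_id() does it: keep SETUID/SETGID only for the
 * id switch, have the kernel keep permitted across setuid(), then end at IPC_LOCK only. */
int narrow_and_change_id(uid_t uid, gid_t gid)
{
	capsets_t tmp = { 0, 0, 0 }, end = { CAP_BIT(CAP_IPC_LOCK), CAP_BIT(CAP_IPC_LOCK), 0 };
	tmp.permitted = tmp.effective = CAP_BIT(CAP_IPC_LOCK) | CAP_BIT(CAP_SETUID) | CAP_BIT(CAP_SETGID);
	if (apply_caps(&tmp) != 0 || prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
		return -1;
	if (setgid(gid) != 0 || setuid(uid) != 0 || geteuid() != uid || getegid() != gid)
		return -1; /* same "did the switch stick" check the old drop_privileges() made */
	return apply_caps(&end);
}

int main(void)
{
	capsets_t cur, want;
	if (read_caps(&cur) != 0) { fprintf(stderr, "error getting process capabilities, aborting\n"); return 1; }
	action_t act = plan_privileges(&cur, CAP_LAST_CAP, &want);
	int rc = act == ACT_NARROW_AND_SETUID ? narrow_and_change_id(getuid(), getgid()) : apply_caps(&want);
	if (rc != 0) { fprintf(stderr, "error dropping process capabilities, aborting\n"); return 1; }
	if (act == ACT_DROP_ALL_AND_WARN)
		fprintf(stderr, "insufficient process capabilities, insecure memory might get used\n");
	read_caps(&cur);
	printf("branch %d, effective set now %#llx\n", (int)act, (unsigned long long)cur.effective);
	return 0;
}
```

Run as an ordinary user the program takes branch 2 and prints an empty effective set after the warning; run as root (or installed setuid root) it takes branch 0 and prints 0x4000, bit 14, which is CAP_IPC_LOCK alone, as the invoking user. The bounding set is deliberately left untouched here: dropping entries from it with PR_CAPBSET_DROP needs CAP_SETPCAP, which a cap_ipc_lock=ep binary does not have.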
From b9d69a5751c421cca2bee9bab78c1067e1d1acac Mon Sep 17 00:00:00 2001 From: Stef Walter <stefw@collabora.co.uk> Date: Wed, 16 Mar 2011 15:26:44 +0100 Subject: [PATCH] If we're using linux capabilities then use setcap instead of setuid.
Only use setuid when not using linux capabilities. Run this on install when we are using caps: setcap cap_ipc_lock=ep $(DESTDIR)$(bindir)/gnome-keyring-daemon --- configure.in | 4 +++- daemon/Makefile.am | 12 ++++++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/configure.in b/configure.in index a5a434d..c000ed9 100644 --- a/configure.in +++ b/configure.in @@ -445,13 +445,15 @@ fi AC_CHECK_LIB([cap-ng], [capng_clear], have_libcapng="yes", have_libcapng="no") -if test $have_libcapng = yes; then +if test "$have_libcapng" = "yes"; then AC_DEFINE(HAVE_LIBCAPNG, 1, [Have libcap-ng package, libcap-ng library]) DAEMON_LIBS="$DAEMON_LIBS -lcap-ng" else + have_lipcapng="no" AC_MSG_WARN([libcap-ng (or development headers) is not installed]) fi +AM_CONDITIONAL(WITH_CAPS, test "$have_libcapng" = "yes") libcapng_status=$have_libcapng # -------------------------------------------------------------------- diff --git a/daemon/Makefile.am b/daemon/Makefile.am index a6db20f..7ecfe24 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -79,13 +79,21 @@ CLEANFILES = \ $(service_DATA) \ $(desktop_DATA) +if WITH_CAPS + +# Set the relevant capabilities on the daemon +install-exec-hook: + setcap cap_ipc_lock=ep $(DESTDIR)$(bindir)/gnome-keyring-daemon || true + +else # without caps + # The daemon is installed as setuid so as to obtain specialized # capabilities, then immediately drops permissions. In other words, # it does *not* run as setuid. -# If installing as non-root, chown+chmod will not succeed but -# the build will continue. install-exec-hook: chown root $(DESTDIR)$(bindir)/gnome-keyring-daemon || true chmod u+s $(DESTDIR)$(bindir)/gnome-keyring-daemon || true +endif # without caps + @INTLTOOL_DESKTOP_RULE@ -- 1.7.3.4 ++++++ gnome-keyring-fix-parallel-build.patch ++++++
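Review bot: in the second commit of gnome-keyring-file-capabilities.patch, the configure.in hunk adds 'have_lipcapng="no"' in the else branch, a typo for have_libcapng; the variable is already "no" on that path, so the line is harmless but misleading and should be dropped or spelled correctly. In the daemon/Makefile.am hunk, 'setcap cap_ipc_lock=ep $(DESTDIR)$(bindir)/gnome-keyring-daemon || true' makes a failed setcap invisible at install time, so a daemon that ended up without the capability is only noticed at runtime; print a warning from the hook instead of swallowing the failure, or at least document that a distribution may skip this step on purpose and assign the capability through its own permissions tooling, which is what this spec does.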
From d914606f8dc4cefd5d128af6f9a566a42f102e87 Mon Sep 17 00:00:00 2001 From: Stef Walter <stefw@collabora.co.uk> Date: Wed, 27 Apr 2011 09:47:51 +0200 Subject: [PATCH] Fix Makefiles so testable libraries are rebuilt when source changes.
--- gck/Makefile.am | 4 ++-- gcr/Makefile.am | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) Index: gnome-keyring-3.0.1/gck/Makefile.am =================================================================== --- gnome-keyring-3.0.1.orig/gck/Makefile.am +++ gnome-keyring-3.0.1/gck/Makefile.am @@ -61,8 +61,8 @@ libgck_testable_la_SOURCES = \ gck-mock.h \ gck-test.c \ gck-test.h -libgck_testable_la_LIBADD = \ - $(libgck_la_OBJECTS) +libgck_testable_la_LIBADD = $(libgck_la_OBJECTS) +libgck_testable_la_DEPENDENCIES = $(libgck_la_OBJECTS) gck-marshal.h: gck-marshal.list $(GLIB_GENMARSHAL) $(GLIB_GENMARSHAL) $< --header --prefix=_gck_marshal > $@ Index: gnome-keyring-3.0.1/gcr/Makefile.am =================================================================== --- gnome-keyring-3.0.1.orig/gcr/Makefile.am +++ gnome-keyring-3.0.1/gcr/Makefile.am @@ -112,6 +112,7 @@ libgcr@GCR_VERSION_SUFFIX@_la_LIBADD = \ noinst_LTLIBRARIES = $(TESTABLE_LIB) libgcr_testable_la_SOURCES = libgcr_testable_la_LIBADD = $(libgcr@GCR_VERSION_SUFFIX@_la_OBJECTS) +libgcr_testable_la_DEPENDENCIES = $(libgcr@GCR_VERSION_SUFFIX@_la_OBJECTS) gcr-marshal.h: gcr-marshal.list $(GLIB_GENMARSHAL) $(GLIB_GENMARSHAL) $< --header --prefix=_gcr_marshal > $@ Index: gnome-keyring-3.0.1/gck/Makefile.in =================================================================== --- gnome-keyring-3.0.1.orig/gck/Makefile.in +++ gnome-keyring-3.0.1/gck/Makefile.in @@ -71,7 +71,6 @@ am__base_list = \ am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(pkgconfigdir)" \ "$(DESTDIR)$(incdir)" LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) -libgck_testable_la_DEPENDENCIES = am_libgck_testable_la_OBJECTS = gck-mock.lo gck-test.lo libgck_testable_la_OBJECTS = $(am_libgck_testable_la_OBJECTS) AM_V_lt = $(am__v_lt_$(V)) 
@@ -412,9 +411,8 @@ libgck_testable_la_SOURCES = \ gck-test.c \ gck-test.h -libgck_testable_la_LIBADD = \ - $(libgck_la_OBJECTS) - +libgck_testable_la_LIBADD = $(libgck_la_OBJECTS) +libgck_testable_la_DEPENDENCIES = $(libgck_la_OBJECTS) pkgconfigdir = $(libdir)/pkgconfig pkgconfig_DATA = gck-$(GCK_MAJOR).pc EXTRA_DIST = \ Index: gnome-keyring-3.0.1/gcr/Makefile.in =================================================================== --- gnome-keyring-3.0.1.orig/gcr/Makefile.in +++ gnome-keyring-3.0.1/gcr/Makefile.in @@ -71,7 +71,6 @@ am__base_list = \ am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(pkgconfigdir)" \ "$(DESTDIR)$(uidir)" "$(DESTDIR)$(incdir)" LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) -libgcr_testable_la_DEPENDENCIES = am_libgcr_testable_la_OBJECTS = libgcr_testable_la_OBJECTS = $(am_libgcr_testable_la_OBJECTS) AM_V_lt = $(am__v_lt_$(V)) @@ -485,6 +484,7 @@ libgcr@GCR_VERSION_SUFFIX@_la_LIBADD = \ noinst_LTLIBRARIES = $(TESTABLE_LIB) libgcr_testable_la_SOURCES = libgcr_testable_la_LIBADD = $(libgcr@GCR_VERSION_SUFFIX@_la_OBJECTS) +libgcr_testable_la_DEPENDENCIES = $(libgcr@GCR_VERSION_SUFFIX@_la_OBJECTS) pkgconfigdir = $(libdir)/pkgconfig pkgconfig_DATA = gcr-$(GCR_MAJOR).pc ++++++ gnome-keyring-keep-only-ipc_lock.patch ++++++
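Review bot: gnome-keyring-fix-parallel-build.patch carries hunks for gck/Makefile.in and gcr/Makefile.in in addition to the Makefile.am changes, but the spec's %build now runs libtoolize --force and autoreconf, which regenerate both Makefile.in files from the .am sources; the Makefile.in hunks are therefore dead weight that will need refreshing against every new tarball, so consider keeping only the Makefile.am part, which is also all the diffstat at the top of the patch lists.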
From fc4f6167447f1fd9f3e0240e68a3480143e4715e Mon Sep 17 00:00:00 2001 From: Vincent Untz <vuntz@gnome.org> Date: Fri, 6 May 2011 14:14:21 +0200 Subject: [PATCH 1/2] Improved checks for fs capabilities, and drop unneeded ones
If we have fs capabilities, we first need to check that we really do have ipc_lock, and if that's the case we just keep ipc_lock and drop everything else. --- daemon/gkd-capability.c | 19 +++++++++++++++++-- 1 files changed, 17 insertions(+), 2 deletions(-) diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c index 5b47f4e..e15200a 100644 --- a/daemon/gkd-capability.c +++ b/daemon/gkd-capability.c @@ -71,11 +71,26 @@ gkd_capability_obtain_capability_and_drop_privileges (void) early_error ("failed dropping capabilities"); break; case CAPNG_FAIL: - case CAPNG_NONE: early_error ("error getting process capabilities"); break; + case CAPNG_NONE: + early_error ("insufficient process capabilities"); + break; case CAPNG_PARTIAL: /* File system based capabilities */ - break; + if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) { + early_error ("insufficient process capabilities"); + break; + } + + /* Drop all capabilities except ipc_lock */ + capng_clear (CAPNG_SELECT_BOTH); + if (capng_update (CAPNG_ADD, + CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_IPC_LOCK) != 0) + early_error ("error dropping process capabilities"); + if (capng_apply (CAPNG_SELECT_BOTH) != 0) + early_error ("error dropping process capabilities"); + break; } #endif /* HAVE_LIBCAPNG */ } -- 1.7.4.2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
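Review bot: in gnome-keyring-keep-only-ipc_lock.patch, the CAPNG_PARTIAL branch calls capng_clear (CAPNG_SELECT_BOTH), which also clears the in-memory bounding set, then capng_update () adds CAP_IPC_LOCK only to CAPNG_EFFECTIVE|CAPNG_PERMITTED, and capng_apply (CAPNG_SELECT_BOTH) is expected to drop every capability from the bounding set as well; dropping from the bounding set (PR_CAPBSET_DROP) requires CAP_SETPCAP, which a binary carrying only cap_ipc_lock=ep does not have. Confirm against the libcap-ng version in the build that capng_apply () skips the bounding-set part without CAP_SETPCAP rather than returning non-zero, since a non-zero return is fatal here via early_error (); if the intent is only to narrow the process sets, passing CAPNG_SELECT_CAPS states that explicitly and removes the dependency. The capng_update () and capng_apply () failures also share the identical message 'error dropping process capabilities'; distinguishing them makes the stderr of a failed start more useful.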