rpms/gnome-keyring/devel gnome-keyring-2.20-selinux-pam.patch, NONE, 1.1 gnome-keyring.spec, 1.58, 1.59

Alexander Larsson (alexl) fedora-extras-commits at redhat.com
Fri Oct 5 09:12:52 UTC 2007 

Author: alexl

Update of /cvs/pkgs/rpms/gnome-keyring/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv457

Modified Files:
	gnome-keyring.spec 
Added Files:
	gnome-keyring-2.20-selinux-pam.patch 
Log Message:
* Thu Oct  4 2007 Alexander Larsson <alexl at redhat.com> - 2.20-4
- Have the pam module tell the daemon to init the login keyring 
  without using the socket as selinux limits access to that


gnome-keyring-2.20-selinux-pam.patch:

--- NEW FILE gnome-keyring-2.20-selinux-pam.patch ---
diff -ur gnome-keyring-2.20.orig/daemon/gkr-daemon.c gnome-keyring-2.20/daemon/gkr-daemon.c
--- gnome-keyring-2.20.orig/daemon/gkr-daemon.c	2007-10-05 12:40:28.000000000 +0200
+++ gnome-keyring-2.20/daemon/gkr-daemon.c	2007-10-05 12:55:26.000000000 +0200
@@ -27,6 +27,7 @@
 #include "common/gkr-async.h"
 #include "common/gkr-cleanup.h"
 #include "common/gkr-unix-signal.h"
+#include "common/gkr-location.h"
 
 #include "keyrings/gkr-keyrings.h"
 
@@ -183,6 +184,10 @@
 	GIOChannel *channel;
 	GMainContext *ctx;
 	int i;
+	gboolean login;
+	char *login_password;
+	int len;
+	GkrKeyring *login_keyring;
 	
 	g_type_init ();
 	g_thread_init (NULL);
@@ -211,6 +216,7 @@
 
 	foreground = FALSE;
 	daemon = FALSE;
+	login = FALSE;
 
 	if (argc > 1) {
 		for (i = 1; i < argc; i++) {
@@ -218,8 +224,19 @@
 				foreground = TRUE;
 			if (strcmp (argv[i], "-d") == 0)
 				daemon = TRUE;
+			if (strcmp (argv[i], "--login") == 0)
+				login = TRUE;
 		}
 	}
+
+	login_password = NULL;
+	if (login) {
+		login_password = gnome_keyring_memory_alloc (256);
+		fgets (login_password, 256, stdin);
+		len = strlen (login_password);
+		if (login_password[len-1] == '\n')
+			login_password[len-1] = 0;
+	}
 	
 	if (!foreground) {
 		pid = fork ();
@@ -315,6 +332,27 @@
 		gkr_daemon_dbus_setup (loop, path);
 #endif
 
+
+	if (login_password) {
+		login_keyring = gkr_keyrings_get_login ();
+		if (login_keyring) {
+			if (!gkr_keyring_unlock (login_keyring,
+						 login_password)) {
+				g_warning ("Failed to unlock login keyring");
+			}
+		} else {
+			login_keyring =
+				gkr_keyring_create (GKR_LOCATION_BASE_LOCAL,
+						    "login", 
+						    login_password);
+			if (login_keyring) {
+				gkr_keyrings_add (login_keyring);
+				g_object_unref (login_keyring);
+			}
+		}
+		gnome_keyring_memory_free (login_password);
+	}
+	
 	g_main_loop_run (loop);
 
 	/* Make sure no other threads are running */
diff -ur gnome-keyring-2.20.orig/pam/gkr-pam-module.c gnome-keyring-2.20/pam/gkr-pam-module.c
--- gnome-keyring-2.20.orig/pam/gkr-pam-module.c	2007-10-05 12:40:28.000000000 +0200
+++ gnome-keyring-2.20/pam/gkr-pam-module.c	2007-10-05 12:42:05.000000000 +0200
@@ -249,15 +249,20 @@
 }
 
 static void
-setup_child (int outp[2], int errp[2], struct passwd *pwd)
+setup_child (int inp[2], int outp[2], int errp[2], struct passwd *pwd, const char *password)
 {
-	char *args[] = { GNOME_KEYRING_DAEMON, "-d", NULL};
-	
+	char *args[] = { GNOME_KEYRING_DAEMON, "-d", "--login", NULL};
+
 	assert (pwd);
 	assert (pwd->pw_dir);
-	
+
+	/* If no password, don't pas in --login */
+	if (password == NULL)
+		args[2] = NULL;
+
 	/* Fix up our end of the pipes */
-	if (dup2 (outp[WRITE_END], STDOUT) < 0 || 
+	if (dup2 (inp[READ_END], STDIN) < 0 ||
+	    dup2 (outp[WRITE_END], STDOUT) < 0 || 
 	    dup2 (errp[WRITE_END], STDERR) < 0) {
 	    	syslog (GKR_LOG_ERR, "gkr-pam: couldn't setup pipes: %s",
 		        strerror (errno));
@@ -265,6 +270,8 @@
 	}
 	    
 	/* Close unnecessary file descriptors */
+	close (inp[READ_END]);
+	close (inp[WRITE_END]);
 	close (outp[READ_END]);
 	close (outp[WRITE_END]);
 	close (errp[READ_END]);
@@ -348,9 +355,10 @@
 }
 
 static int
-start_daemon (pam_handle_t *ph, struct passwd *pwd)
+start_daemon (pam_handle_t *ph, struct passwd *pwd, const char *password)
 {
 	struct sigaction defsact, oldsact;
+	int inp[2] = { -1, -1 };
 	int outp[2] = { -1, -1 };
 	int errp[2] = { -1, -1 };
 	int ret = PAM_SERVICE_ERR;
@@ -372,7 +380,7 @@
 	sigaction (SIGCHLD, &defsact, &oldsact);
 	
 	/* Create the necessary pipes */
-	if (pipe (outp) < 0 || pipe (errp) < 0) {
+	if (pipe (inp) < 0 || pipe (outp) < 0 || pipe (errp) < 0) {
 	    	syslog (GKR_LOG_ERR, "gkr-pam: couldn't create pipes: %s", 
 	    	        strerror (errno));
 	    	goto done;
@@ -387,7 +395,7 @@
 		
 	/* This is the child */
 	case 0:
-		setup_child (outp, errp, pwd);
+		setup_child (inp, outp, errp, pwd, password);
 		/* Should never be reached */
 		break;
 		
@@ -397,9 +405,16 @@
 	};
 	
 	/* Close our unneeded ends of the pipes */
+	close (inp[READ_END]);
 	close (outp[WRITE_END]);
 	close (errp[WRITE_END]);
-	outp[WRITE_END] = errp[WRITE_END] = -1; 
+	inp[READ_END] = outp[WRITE_END] = errp[WRITE_END] = -1; 
+
+	if (password) {
+		/* Write the login keyring password */
+		write (inp[WRITE_END], password, strlen (password));
+		write (inp[WRITE_END], "\n", 1);
+	}
 	
 	/* 
 	 * Note that we're not using select() or any such. We know how the 
@@ -438,6 +453,8 @@
 	/* Restore old handler */
 	sigaction (SIGCHLD, &oldsact, NULL);
 	
+	close_safe (inp[0]);
+	close_safe (inp[1]);
 	close_safe (outp[0]);
 	close_safe (outp[1]);
 	close_safe (errp[0]);
@@ -450,7 +467,7 @@
 }
 
 static int
-start_daemon_if_necessary (pam_handle_t *ph, struct passwd *pwd)
+start_daemon_if_necessary (pam_handle_t *ph, struct passwd *pwd, const char *password)
 {
 	const char *socket;
 	int ret;
@@ -470,7 +487,7 @@
 	}
 
 	/* Not running, start process */
-	return start_daemon (ph, pwd);
+	return start_daemon (ph, pwd, password);
 }
 
 static int
@@ -691,6 +708,7 @@
 	struct passwd *pwd;
 	const char *user, *password;
 	const char *socket;
+	int started_daemon;
 	uint args;
 	int ret;
 	
@@ -728,9 +746,11 @@
 	}
 
 
+	started_daemon = 0;
 	/* Should we start the daemon? */
 	if (args & ARG_AUTO_START) {
-		ret = start_daemon_if_necessary (ph, pwd);
+		started_daemon = 1;
+		ret = start_daemon_if_necessary (ph, pwd, password);
 		if (ret != PAM_SUCCESS)
 			return ret;
 	}
@@ -739,10 +759,12 @@
 
 	/* If gnome keyring is running, then unlock now */
 	if (socket) {
-		ret = unlock_keyring (ph, pwd, password);
-		if (ret != PAM_SUCCESS)
-			return ret;
-			
+		/* If we started the daemon, its already unlocked, since we passed the password */
+		if (!started_daemon) {
+			ret = unlock_keyring (ph, pwd, password);
+			if (ret != PAM_SUCCESS)
+				return ret;
+		}
 	/* Otherwise start in open session, store password */
 	} else {
 		if (pam_set_data (ph, "gkr_system_authtok", strdup (password),
@@ -762,6 +784,7 @@
 	struct passwd *pwd;
 	int ret;
 	uint args = parse_args (argc, argv);
+	int started_daemon;
 
 	/* Figure out the user name */
 	ret = pam_get_user (ph, &user, NULL);
@@ -777,29 +800,32 @@
 		return PAM_SERVICE_ERR;
 	}
 
-	/* Should we start the daemon? */
-	if (args & ARG_AUTO_START) {
-		ret = start_daemon_if_necessary (ph, pwd);
-		if (ret != PAM_SUCCESS)
-			return ret;
-	}
-
 	/* Get the stored authtok here */
 	if (pam_get_data (ph, "gkr_system_authtok", (const void**)&password) != PAM_SUCCESS) {
-		
 		/* 
 		 * No password, no worries, maybe this (PAM using) application 
 		 * didn't do authentication, or is hopeless and wants to call 
 		 * different PAM callbacks from different processes.
 		 * 
 		 * No use complaining
-		 */ 
-		return PAM_SUCCESS;
+		 */
+		password = NULL;
 	}
 	
-	if (unlock_keyring (ph, pwd, password) != PAM_SUCCESS)
-		return PAM_SERVICE_ERR;
+	started_daemon = 0;
+	/* Should we start the daemon? */
+	if (args & ARG_AUTO_START) {
+		started_daemon = 1;
+		ret = start_daemon_if_necessary (ph, pwd, password);
+		if (ret != PAM_SUCCESS)
+			return ret;
+	}
 
+	if (!started_daemon && password != NULL) {
+		if (unlock_keyring (ph, pwd, password) != PAM_SUCCESS)
+			return PAM_SERVICE_ERR;
+	}
+	
 	return PAM_SUCCESS;
 }
 
@@ -897,7 +923,7 @@
 	 * argument. Because if the password is being changed, then making 
 	 * the 'login' keyring match it is a priority. 
 	 */
-	ret = start_daemon_if_necessary (ph, pwd);
+	ret = start_daemon_if_necessary (ph, pwd, password);
 	if (ret != PAM_SUCCESS)
 		return ret;
 	


Index: gnome-keyring.spec
===================================================================
RCS file: /cvs/pkgs/rpms/gnome-keyring/devel/gnome-keyring.spec,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -r1.58 -r1.59
--- gnome-keyring.spec	4 Oct 2007 06:48:12 -0000	1.58
+++ gnome-keyring.spec	5 Oct 2007 09:12:19 -0000	1.59
@@ -3,7 +3,7 @@
 Summary: A framework for managing user passwords and other secrets
 Name: gnome-keyring
 Version: 2.20
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Libraries
 Source: http://download.gnome.org/sources/gnome-keyring/2.20/gnome-keyring-%{version}.tar.bz2
@@ -23,6 +23,7 @@
 Patch1:    gnome-keyring-2.20-add_new_keyrings.patch
 Patch2:    gnome-keyring-2.20-no-unset-default.patch
 Patch3:    gnome-keyring-2.20-no_match.patch
+Patch4:    gnome-keyring-2.20-selinux-pam.patch
 
 %description
 gnome-keyring manages passwords and other types of secrets
@@ -65,6 +66,7 @@
 %patch1 -p0 -b .add_new_keyrings
 %patch2 -p1 -b .no_unset_default
 %patch3 -p0 -b .no_match
+%patch4 -p1 -b .selinux_pam
 
 %build
 aclocal
@@ -111,6 +113,10 @@
 
 
 %changelog
+* Thu Oct  4 2007 Alexander Larsson <alexl at redhat.com> - 2.20-4
+- Have the pam module tell the daemon to init the login keyring 
+  without using the socket as selinux limits access to that
+
 * Thu Oct  4 2007 Alexander Larsson <alexl at redhat.com> - 2.20-3
 - Add NO_MATCH error patch from svn. Will fix apps that
   can't handle empty list matches

More information about the fedora-extras-commits mailing list