Bug 612977 - session keyring is stored to disk
Status: RESOLVED FIXED
Product: gnome-keyring
Classification: Core
Component: keyring files
2.29.x
Other Linux
: Normal normal
Assigned To: GNOME keyring maintainer(s)
Reported: 2010-03-15 20:41 UTC by Kees Cook
Modified: 2010-03-20 02:23 UTC
GNOME target: 2.30.x

Description Kees Cook 2010-03-15 20:41:55 UTC
The session keyring should never hit disk.  (http://library.gnome.org/devel/platform-overview/stable/keyring.html.en: "The keyring manager also provides a session keyring. Items in the session keyring are never stored on disk, and are lost as soon as the user's session ends. The session keyring can be used to store passwords to be used in the current session only.").

This has regressed in 2.29, unfortunately.  2.28 and earlier correctly never wrote the session keyring to disk.  In 2.29, the keyring is written to disk, leaving passwords in the clear.  :(

https://launchpad.net/bugs/539180

Comment 1 Sebastien Bacher 2010-03-15 21:43:19 UTC
Setting target to 2.30 since that seems a security issue...

Comment 2 Stef Walter 2010-03-20 02:23:03 UTC
Thanks for catching that. Nasty issue.

commit d30630070b2e7f6173ea872f45bb47b70948e796
Author: Stef Walter <stef@memberwebs.com>
Date:   Sat Mar 20 02:19:44 2010 +0000

    [secret-store] Don't save session keyring to disk.
    
    There was a major problem where the session keyring was being saved
    to disk, and since it had no master password, as a cleartext keyring
    
    Mark the session keyring as transient so it doesn't even come near
    the storage code. Also rework the collection storage code, so that
    it properly handles various corner cases.
    
    Fixes bug #612977
