GNOME Bugzilla – Bug 659402
daemon does not drop privs when running setuid
Last modified: 2011-09-19 07:17:14 UTC
Hi. Since the introduction of libcapng support and particularly after this commit: 66bd5dd32836a770647b8acf3476fb7922be71eb gnome-keyring-daemon is broken on OpenBSD. The reason is that we do not support filesystem capabilities, so the daemon is installed setuid root. However with the aforementioned commit, the drop_privileges() function got removed so the daemon does not drop its privileges back to the calling user. Then of course, DBus refuses the connection to the user socket. At least that's how I analyze it (I may have overlooked something). For now, I've removed the setuid bit from gnome-keyring-daemon and it seems to work fine (side note: we do not use the PAM module either). I'm not providing a patch because I'm not sure what your preferred solution would be in that case, but if you have any input I'll be glad to provide you with one. Thanks.
Thanks for catching that. I've pushed a patch to gnome-keyring master since we're very close to hard code freeze. The patch removes the chmod +s (which was there for when capabilities are not available).
*** Bug 658927 has been marked as a duplicate of this bug. ***
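For reference, an added example (not gnome-keyring's code and not the function the commit removed) of what a setuid-root program has to do to return permanently to the invoking user, which is the step the report says went missing. Only the name drop_privileges() comes from the report; the body and the verification steps are assumptions about one reasonable implementation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not gnome-keyring's removed function): permanently
 * give up the IDs gained from a setuid/setgid bit. Returns 0 on success,
 * -1 on failure; the caller must exit on -1 rather than carry on. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();  /* real = invoking user */
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: once the UID is dropped we may no longer change GIDs.
     * Supplementary groups already belong to the invoking user (the setuid
     * bit does not alter them), so they are left as they are. */
    if (setgid(rgid) != 0)
        return -1;
    /* With an effective UID of root this sets the real, effective and saved
     * UIDs together, which is what makes the drop irreversible. */
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the result instead of trusting return codes alone. */
    if (getuid() != ruid || geteuid() != ruid ||
        getgid() != rgid || getegid() != rgid)
        return -1;
    /* If a saved ID survived, switching back would succeed: treat as failure. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Do this before touching user-owned resources such as the session bus. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to run\n");
        return EXIT_FAILURE;
    }
    printf("uid=%ld euid=%ld gid=%ld egid=%ld\n", (long)getuid(),
           (long)geteuid(), (long)getgid(), (long)getegid());
    return EXIT_SUCCESS;
}
```

Run without a setuid bit, the function is a no-op that still passes its own checks; installed setuid root and run by an ordinary user, it ends with all four IDs equal to that user's.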