GNOME Bugzilla – Bug 690466
gnome_keyring_lock_all_sync() does not lock the keyring
Last modified: 2019-02-22 11:45:58 UTC
Created attachment 231849
Example program to lock gnome keyring

When I call gnome_keyring_lock_all_sync() from a program, GNOME_KEYRING_RESULT_OK is returned, but the keyring is not locked.

Looking at the source code for the daemon, the problem appears to be here:
http://git.gnome.org/browse/gnome-keyring/tree/daemon/dbus/gkd-secret-service.c#n486

The library calls this service here:
http://git.gnome.org/browse/libgnome-keyring/tree/library/gnome-keyring.c#n871

This method (LockService) does not appear in the freedesktop secret service api.

Steps to Reproduce:
I have attached a sample program that tests this:
Compile: gcc locktest.c -o locktest [followed by the output of 'pkg-config --libs --cflags gnome-keyring-1']
Open seahorse and unlock a keyring.
Then run the program that should lock the keyring.
After reopening seahorse, the keyring is still unlocked.

Actual Results:
The keyring remains unlocked.

Expected Results:
The keyring is locked after the function call.

Platform:
I have tested this on Ubuntu 12.04 (gnome-keyring 3.2), Fedora 17 (gnome-keyring 3.4), and CentOS 6.3 (GNOME 2.28). It works properly on CentOS, but does not lock on Ubuntu and Fedora. The change (from socket to DBus) seems to have been made in 2.30.

Additional Information:
I did find a method that works to lock the keyring:
https://github.com/nougad/ruby-dbus-gnome-keyring-playground/blob/master/lock-keyring.rb
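The report above turns on a lock call that returns success while the keyring stays unlocked, so a caller should read back each collection's Locked property instead of trusting the result code. The following is an added example, not code from the bug report or from GNOME: it requests the lock through the standard Secret Service Lock method (not the LockService method discussed here) and assumes dbus-python is installed; FakeBackend and the /constructed/... path are constructed for illustration.

```python
"""Verify that a keyring lock request really took effect (added example)."""

SERVICE = "org.freedesktop.secrets"
ROOT = "/org/freedesktop/secrets"
SVC_IFACE = "org.freedesktop.Secret.Service"
COLL_IFACE = "org.freedesktop.Secret.Collection"
PROPS = "org.freedesktop.DBus.Properties"

class SessionBusBackend:
    """Secret Service over the session bus; assumes dbus-python is installed."""
    def __init__(self):
        import dbus  # lazy import: the check logic below does not need it
        self._dbus, self._bus = dbus, dbus.SessionBus()
    def _iface(self, path, name):
        return self._dbus.Interface(self._bus.get_object(SERVICE, path), name)
    def collections(self):
        return [str(p) for p in self._iface(ROOT, PROPS).Get(SVC_IFACE, "Collections")]
    def request_lock(self, paths):
        objs = self._dbus.Array([self._dbus.ObjectPath(p) for p in paths], signature="o")
        self._iface(ROOT, SVC_IFACE).Lock(objs)
    def is_locked(self, path):
        return bool(self._iface(path, PROPS).Get(COLL_IFACE, "Locked"))

class FakeBackend:
    """Constructed stand-in; honours_lock=False mimics the reported behaviour."""
    def __init__(self, honours_lock):
        self.honours_lock = honours_lock
        self.state = {"/constructed/collection/login": False}  # path -> Locked
    def collections(self):
        return list(self.state)
    def request_lock(self, paths):
        if self.honours_lock:  # the broken case returns normally, changes nothing
            self.state.update((p, True) for p in paths)
    def is_locked(self, path):
        return self.state[path]

def lock_and_verify(backend):
    """Request a lock, then return the collections that are still unlocked."""
    paths = backend.collections()
    backend.request_lock(paths)  # returning without error proves nothing
    return [p for p in paths if not backend.is_locked(p)]

if __name__ == "__main__":
    try:
        backend = SessionBusBackend()
    except Exception as exc:  # no dbus-python or no session bus available
        print("Secret Service not reachable (%s); using constructed stand-in" % exc)
        backend = FakeBackend(honours_lock=False)
    print("still unlocked:", lock_and_verify(backend))
```

A non-empty result means the lock request was accepted but at least one collection is still readable, which is the condition a pre-suspend or screen-lock hook should treat as a failure.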
This was assigned a security identifier (CVE-2012-6111): http://www.openwall.com/lists/oss-security/2013/01/11/5
Do we know of any applications that use this API?
Can't find any in GNOME. In addition libgnome-keyring is being replaced by libsecret.

[stef@localhost jhbuild]$ grep -R gnome_keyring_lock_all_sync *
gnome-keyring/ChangeLog.old: (gnome_keyring_lock_all_sync), (gnome_keyring_create_sync),
gnome-keyring/ChangeLog.old: (gnome_keyring_lock_all_sync), (gnome_keyring_create_sync),
libgnome-keyring/library/.libs/libgnome-keyring.ver:gnome_keyring_lock_all_sync;
libgnome-keyring/library/.libs/libgnome-keyring.exp:gnome_keyring_lock_all_sync
libgnome-keyring/library/GnomeKeyring-1.0.gir:For a synchronous version of this function see gnome_keyring_lock_all_sync().</doc>
libgnome-keyring/library/GnomeKeyring-1.0.gir: <function name="lock_all_sync" c:identifier="gnome_keyring_lock_all_sync">
libgnome-keyring/library/gnome-keyring.h:GnomeKeyringResult gnome_keyring_lock_all_sync (void);
libgnome-keyring/library/gnome-keyring.c: * For a synchronous version of this function see gnome_keyring_lock_all_sync().
libgnome-keyring/library/gnome-keyring.c: * gnome_keyring_lock_all_sync:
libgnome-keyring/library/gnome-keyring.c:gnome_keyring_lock_all_sync (void)
libgnome-keyring/docs/reference/gnome-keyring/gnome-keyring-sections.txt:gnome_keyring_lock_all_sync
libsecret/docs/reference/libsecret/migrating-libgnome-keyring.xml: <entry>gnome_keyring_lock_all_sync()</entry>
vala/vapi/packages/gnome-keyring-1/gnome-keyring-1.gi: <function name="lock_all_sync" symbol="gnome_keyring_lock_all_sync">

Although I agree this should be fixed.
(In reply to comment #2)
> do we know of any applications that use this api ?

GNOME power manager in GNOME 2.32 used this to lock the keyring before sleep/hibernate.

Is the gnome-settings-daemon power plugin (the replacement for g-p-m) supposed to lock the keyring before sleep/hibernate? (I couldn't find any keyring usage in its code in git.)
Created attachment 242678
Fix implementation of LockService dbus method

This prevented gnome_keyring_lock_all() in libgnome-keyring from working as expected.
Comment on attachment 242678
Fix implementation of LockService dbus method

Attachment 242678 pushed as b570ac7 - Fix implementation of LockService dbus method

Pushed to git master for further testing. Will backport to previous branches.
Backported to gnome-3-6 and gnome-3-8.