After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 781486 - Password is kept in process memory after pam_open_session
Password is kept in process memory after pam_open_session
Product: gnome-keyring
Classification: Core
Component: pam
git master
Other Linux
: Normal normal
: ---
Assigned To: GNOME keyring maintainer(s)
GNOME keyring maintainer(s)
Depends on:
Reported: 2017-04-19 08:19 UTC by Nicolas Iooss
Modified: 2017-04-27 07:54 UTC
See Also:
GNOME target: ---
GNOME version: ---

0001-pam-Destroy-the-password-in-pam_sm_open_session.patch (1.44 KB, patch)
2017-04-19 08:19 UTC, Nicolas Iooss
none Details | Review

Description Nicolas Iooss 2017-04-19 08:19:25 UTC
Created attachment 350049 [details] [review]

gnome-keyring PAM module saves the password of the user in a blob associated with a PAM handle, using pam_set_data (ph, "gkr_system_authtok"...) in stash_password_for_session ( This data is kept in the process memory once the PAM session is opened, which allows root user to read it, for example using gcore.

For example on an up-to-date XUbuntu 16.04 virtual machine with a user named "user", the password appears in the memory of "lightdm --session-child ...":

    user@xubuntuvm:~/Desktop$ ps -ef |grep 'lightdm --session-child'
    root      2330   934  0 09:32 ?        00:00:00 lightdm --session-child 12 19
    user      2702  2680  0 09:33 pts/6    00:00:00 grep --color=auto lightdm --session-child

    user@xubuntuvm:~/Desktop$ sudo gcore 2330
    Saved corefile core.2330

    user@xubuntuvm:~/Desktop$ strings core.2330 |grep -C3 MySecretPassword
    # Moxa Intellio serial

This password leakage/recovery has recently been instrumented with tools such as mimipenguin ( and

As the password in "gkr_system_authtok" is only used when opening a session, which happens before lightdm's session-child process forks to the user session (line 568 of function session_child_run in, destroying the password in pam_sm_open_session implementation is possible and fixes this issue. If this suits you, please find attached a patch doing this.
Comment 1 Stef Walter 2017-04-20 08:43:55 UTC
The patch makes sense. I'm going to test it out locally for a bit, before merging it.
Comment 2 Stef Walter 2017-04-27 07:54:35 UTC
Thanks Merged into git master.