GNOME Bugzilla – Bug 781486
Password is kept in process memory after pam_open_session
Last modified: 2017-04-27 07:54:35 UTC
Created attachment 350049 [details] [review]
0001-pam-Destroy-the-password-in-pam_sm_open_session.patch

The gnome-keyring PAM module saves the password of the user in a blob associated with a PAM handle, using pam_set_data (ph, "gkr_system_authtok"...) in stash_password_for_session (https://git.gnome.org/browse/gnome-keyring/tree/pam/gkr-pam-module.c?h=3.20.0#n785). This data is kept in the process memory once the PAM session is opened, which allows the root user to read it, for example using gcore.

For example, on an up-to-date XUbuntu 16.04 virtual machine with a user named "user", the password appears in the memory of "lightdm --session-child ...":

user@xubuntuvm:~/Desktop$ ps -ef |grep 'lightdm --session-child'
root      2330   934  0 09:32 ?        00:00:00 lightdm --session-child 12 19
user      2702  2680  0 09:33 pts/6    00:00:00 grep --color=auto lightdm --session-child
user@xubuntuvm:~/Desktop$ sudo gcore 2330
[...]
Saved corefile core.2330
user@xubuntuvm:~/Desktop$ strings core.2330 |grep -C3 MySecretPassword
#...ttyCH63
# Moxa Intellio serial
_pammodutil_getspnam_user_2
MySecretPassword
gkr_system_authtok
-UN*X-FAIL-user
user

This password leakage/recovery has recently been instrumented with tools such as mimipenguin (https://github.com/huntergregal/mimipenguin and https://github.com/n1nj4sec/mimipy).

As the password in "gkr_system_authtok" is only used when opening a session, which happens before lightdm's session-child process forks to the user session (line 568 of function session_child_run in http://bazaar.launchpad.net/~lightdm-team/lightdm/1.20/view/head:/src/session-child.c#L255), destroying the password in the pam_sm_open_session implementation is possible and fixes this issue. If this suits you, please find attached a patch doing this.
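The stash-and-destroy pattern the report describes, as an added C illustration that is not gnome-keyring's code and not the attached patch. The stub_pam_* functions are hypothetical stand-ins with the rough semantics of pam_set_data()/pam_get_data(), a fixed arena stands in for the process heap so it can be scanned the way "gcore + strings" scans a process image, unlock_keyring() is a placeholder (FNV-1a) for the real consumer of the password, and "MySecretPassword" is the constructed sample from the report. open_session_leaky() leaves the stash in memory; open_session_fixed() destroys it once it has been used, which is the behaviour the patch aims for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration added for this bug, not gnome-keyring or libpam code. The stub_pam_*
 * functions are hypothetical stand-ins for pam_set_data()/pam_get_data(); the real
 * Linux-PAM cleanup callback takes (pam_handle_t *, void *, int), simplified here. */

#define ARENA_SIZE 4096
#define MAX_SLOTS 8
typedef struct { const char *name; void *data; void (*cleanup)(void *); } slot_t;
typedef struct { slot_t slots[MAX_SLOTS]; int n; } stub_pam_handle_t;

/* Fixed arena standing in for the heap, so it can be scanned like a core file. */
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

static void *arena_alloc(size_t n) {
    if (arena_used + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* 1 if any copy of needle (without its NUL) is still somewhere in the arena. */
int arena_contains(const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, n) == 0) return 1;
    return 0;
}

/* Zero via a volatile pointer: a plain memset() before release is a droppable dead store. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Storing NULL under an existing name runs the old cleanup on the old data. */
static int stub_pam_set_data(stub_pam_handle_t *ph, const char *name,
                             void *data, void (*cleanup)(void *)) {
    for (int i = 0; i < ph->n; i++) {
        if (strcmp(ph->slots[i].name, name) != 0) continue;
        if (ph->slots[i].cleanup && ph->slots[i].data) ph->slots[i].cleanup(ph->slots[i].data);
        ph->slots[i].data = data; ph->slots[i].cleanup = cleanup;
        return 0;
    }
    if (ph->n == MAX_SLOTS) return -1;
    ph->slots[ph->n++] = (slot_t){ name, data, cleanup };
    return 0;
}

static void *stub_pam_get_data(stub_pam_handle_t *ph, const char *name) {
    for (int i = 0; i < ph->n; i++)
        if (strcmp(ph->slots[i].name, name) == 0) return ph->slots[i].data;
    return NULL;
}

/* Cleanup registered with the stash: wipe the password before it is dropped. */
static void cleanup_password(void *data) {
    char *pw = data;
    secure_wipe(pw, strlen(pw) + 1);
}

/* pam_sm_authenticate() side: keep a copy of the password for open_session. */
int stash_password_for_session(stub_pam_handle_t *ph, const char *password) {
    size_t len = strlen(password) + 1;
    char *copy = arena_alloc(len);
    if (!copy) return -1;
    memcpy(copy, password, len);
    return stub_pam_set_data(ph, "gkr_system_authtok", copy, cleanup_password);
}

/* Placeholder for unlocking the keyring: FNV-1a of the password (hypothetical). */
static uint64_t unlock_keyring(const char *password) {
    uint64_t h = 14695981039346656037ULL;
    for (const unsigned char *p = (const unsigned char *)password; *p; p++) { h ^= *p; h *= 1099511628211ULL; }
    return h;
}

/* Before the fix: the stash outlives pam_sm_open_session and stays in process memory. */
uint64_t open_session_leaky(stub_pam_handle_t *ph) {
    const char *pw = stub_pam_get_data(ph, "gkr_system_authtok");
    return pw ? unlock_keyring(pw) : 0;
}

/* After the fix: destroy the password as soon as its last consumer is done with it. */
uint64_t open_session_fixed(stub_pam_handle_t *ph) {
    const char *pw = stub_pam_get_data(ph, "gkr_system_authtok");
    uint64_t r = pw ? unlock_keyring(pw) : 0;
    stub_pam_set_data(ph, "gkr_system_authtok", NULL, NULL); /* runs cleanup_password */
    return r;
}

int main(void) {
    stub_pam_handle_t ph = { 0 };
    const char *pw = "MySecretPassword"; /* constructed sample, as in the report */
    stash_password_for_session(&ph, pw);
    open_session_leaky(&ph);
    printf("leaky: %s\n", arena_contains(pw) ? "password still in memory" : "clean");
    open_session_fixed(&ph);
    printf("fixed: %s\n", arena_contains(pw) ? "password still in memory" : "clean");
    return 0;
}
```

Two points carry over to a real module: the wipe has to survive the optimizer (hence the volatile loop rather than a bare memset() before free), and it only removes the copy this module stashed; any other place in the process that still holds the password is untouched by it.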
The patch makes sense. I'm going to test it out locally for a bit, before merging it.
Thanks.

Merged into git master.