Compare commits
6 Commits
Author | SHA1 | Date |
---|---|---|
|
6b9c0c198a | |
|
807308f73a | |
|
fcec2f7e94 | |
|
dc8ad988a0 | |
|
b94c021f12 | |
|
b209f28a14 |
|
@ -24,3 +24,5 @@ gnome-keyring-2.31.4.tar.bz2
|
|||
/gnome-keyring-3.3.5.tar.xz
|
||||
/gnome-keyring-3.3.91.tar.xz
|
||||
/gnome-keyring-3.3.92.tar.xz
|
||||
/gnome-keyring-3.4.0.tar.xz
|
||||
/gnome-keyring-3.4.1.tar.xz
|
||||
|
|
|
@ -1,22 +0,0 @@
|
|||
diff -up gnome-keyring-2.28.1/pam/gkr-pam-module.c.nopass gnome-keyring-2.28.1/pam/gkr-pam-module.c
|
||||
--- gnome-keyring-2.28.1/pam/gkr-pam-module.c.nopass 2009-09-25 21:55:50.000000000 -0400
|
||||
+++ gnome-keyring-2.28.1/pam/gkr-pam-module.c 2009-10-19 11:27:34.000000000 -0400
|
||||
@@ -878,6 +878,7 @@ pam_sm_authenticate (pam_handle_t *ph, i
|
||||
|
||||
started_daemon = 0;
|
||||
|
||||
+
|
||||
/* Should we start the daemon? */
|
||||
if (args & ARG_AUTO_START) {
|
||||
ret = start_daemon_if_necessary (ph, pwd, password, &started_daemon);
|
||||
@@ -944,8 +945,9 @@ pam_sm_open_session (pam_handle_t *ph, i
|
||||
* different PAM callbacks from different processes.
|
||||
*
|
||||
* No use complaining
|
||||
+ * Do not start gnome-keyring, dbus will start it on login.
|
||||
*/
|
||||
- password = NULL;
|
||||
+ return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
started_daemon = 0;
|
|
@ -1,49 +0,0 @@
|
|||
From fd0bf3d36f3295fbc7c6d4bed34e2d2849764e68 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Untz <vuntz@gnome.org>
|
||||
Date: Fri, 6 May 2011 14:14:21 +0200
|
||||
Subject: [PATCH] Improved checks for fs capabilities, and drop unneeded ones
|
||||
|
||||
If we have fs capabilities, we first need to check that we really do
|
||||
have ipc_lock, and if that's the case we just keep ipc_lock and drop
|
||||
everything else.
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=649560
|
||||
---
|
||||
daemon/gkd-capability.c | 19 +++++++++++++++++--
|
||||
1 files changed, 17 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
|
||||
index 5b47f4e..e15200a 100644
|
||||
--- a/daemon/gkd-capability.c
|
||||
+++ b/daemon/gkd-capability.c
|
||||
@@ -71,11 +71,26 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
|
||||
early_error ("failed dropping capabilities");
|
||||
break;
|
||||
case CAPNG_FAIL:
|
||||
- case CAPNG_NONE:
|
||||
early_error ("error getting process capabilities");
|
||||
break;
|
||||
+ case CAPNG_NONE:
|
||||
+ early_error ("insufficient process capabilities");
|
||||
+ break;
|
||||
case CAPNG_PARTIAL: /* File system based capabilities */
|
||||
- break;
|
||||
+ if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
|
||||
+ early_error ("insufficient process capabilities");
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ /* Drop all capabilities except ipc_lock */
|
||||
+ capng_clear (CAPNG_SELECT_BOTH);
|
||||
+ if (capng_update (CAPNG_ADD,
|
||||
+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
|
||||
+ CAP_IPC_LOCK) != 0)
|
||||
+ early_error ("error dropping process capabilities");
|
||||
+ if (capng_apply (CAPNG_SELECT_BOTH) != 0)
|
||||
+ early_error ("error dropping process capabilities");
|
||||
+ break;
|
||||
}
|
||||
#endif /* HAVE_LIBCAPNG */
|
||||
}
|
||||
--
|
||||
1.7.4.2
|
|
@ -1,50 +0,0 @@
|
|||
From 156f6f318daa782cd209c90ed69a0d24595af5d1 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Untz <vuntz@gnome.org>
|
||||
Date: Fri, 6 May 2011 14:18:00 +0200
|
||||
Subject: [PATCH] Accept to run if ipc_lock capability is not available
|
||||
|
||||
We print a warning about potential use of unsecure memory, but still
|
||||
run (and drop unneeded capabilities if we have some). This is better
|
||||
than nothing.
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=649560
|
||||
---
|
||||
daemon/gkd-capability.c | 13 +++++++++++--
|
||||
1 files changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
|
||||
index e15200a..92c000c 100644
|
||||
--- a/daemon/gkd-capability.c
|
||||
+++ b/daemon/gkd-capability.c
|
||||
@@ -42,6 +42,12 @@ early_error (const char *err_string)
|
||||
exit (1);
|
||||
}
|
||||
|
||||
+static void
|
||||
+early_warning (const char *warn_string)
|
||||
+{
|
||||
+ fprintf (stderr, "gnome-keyring-daemon: %s\n", warn_string);
|
||||
+}
|
||||
+
|
||||
#endif /* HAVE_LIPCAPNG */
|
||||
|
||||
/*
|
||||
@@ -74,11 +80,14 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
|
||||
early_error ("error getting process capabilities");
|
||||
break;
|
||||
case CAPNG_NONE:
|
||||
- early_error ("insufficient process capabilities");
|
||||
+ early_warning ("insufficient process capabilities, unsecure memory might get used");
|
||||
break;
|
||||
case CAPNG_PARTIAL: /* File system based capabilities */
|
||||
if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
|
||||
- early_error ("insufficient process capabilities");
|
||||
+ early_warning ("insufficient process capabilities, unsecure memory might get used");
|
||||
+ /* Drop all capabilities */
|
||||
+ capng_clear (CAPNG_SELECT_BOTH);
|
||||
+ capng_apply (CAPNG_SELECT_BOTH);
|
||||
break;
|
||||
}
|
||||
|
||||
--
|
||||
1.7.4.2
|
|
@ -0,0 +1,99 @@
|
|||
From 51606f299e5ee9d48096db0a5957efe26cbf7cc3 Mon Sep 17 00:00:00 2001
|
||||
From: Stef Walter <stefw@gnome.org>
|
||||
Date: Wed, 8 Aug 2012 06:06:58 +0200
|
||||
Subject: [PATCH 1/2] gpg-agent: Hook up the TTL cache option
|
||||
|
||||
* So that when the gsettings gpg-cache-method is 'idle' or 'timeout'
|
||||
we use gpg-cache-ttl to control how long the passphrase is cached
|
||||
for.
|
||||
* This is a regression from 3.3.x
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=681081
|
||||
---
|
||||
daemon/gpg-agent/gkd-gpg-agent-ops.c | 40 ++++++++++++++++++++++--------------
|
||||
1 file changed, 25 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/daemon/gpg-agent/gkd-gpg-agent-ops.c b/daemon/gpg-agent/gkd-gpg-agent-ops.c
|
||||
index a0e8731..c8414fe 100644
|
||||
--- a/daemon/gpg-agent/gkd-gpg-agent-ops.c
|
||||
+++ b/daemon/gpg-agent/gkd-gpg-agent-ops.c
|
||||
@@ -322,17 +322,6 @@ load_unlock_options (GcrPrompt *prompt)
|
||||
g_free (method);
|
||||
}
|
||||
|
||||
-static void
|
||||
-save_unlock_options (GcrPrompt *prompt)
|
||||
-{
|
||||
- GSettings *settings;
|
||||
-
|
||||
- settings = gkd_gpg_agent_settings ();
|
||||
-
|
||||
- if (gcr_prompt_get_choice_chosen (prompt))
|
||||
- g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
|
||||
-}
|
||||
-
|
||||
static GcrPrompt *
|
||||
open_password_prompt (GckSession *session,
|
||||
const gchar *keyid,
|
||||
@@ -405,11 +394,14 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
|
||||
const gchar *prompt_text, const gchar *description, gboolean confirm)
|
||||
{
|
||||
GckBuilder builder = GCK_BUILDER_INIT;
|
||||
+ GSettings *settings;
|
||||
GckAttributes *attrs;
|
||||
gchar *password = NULL;
|
||||
GcrPrompt *prompt;
|
||||
gboolean chosen;
|
||||
GError *error = NULL;
|
||||
+ gint lifetime;
|
||||
+ gchar *method;
|
||||
|
||||
g_assert (GCK_IS_SESSION (session));
|
||||
|
||||
@@ -430,21 +422,39 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
|
||||
}
|
||||
|
||||
if (password != NULL && keyid != NULL) {
|
||||
+ settings = gkd_gpg_agent_settings ();
|
||||
|
||||
/* Load up the save options */
|
||||
chosen = gcr_prompt_get_choice_chosen (prompt);
|
||||
|
||||
- if (chosen)
|
||||
+ if (chosen) {
|
||||
+ g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
|
||||
gck_builder_add_string (&builder, CKA_G_COLLECTION, "login");
|
||||
- else
|
||||
+
|
||||
+ } else {
|
||||
+ method = g_settings_get_string (settings, "gpg-cache-method");
|
||||
+ lifetime = g_settings_get_int (settings, "gpg-cache-ttl");
|
||||
+
|
||||
+ if (g_strcmp0 (method, GCR_UNLOCK_OPTION_IDLE) == 0) {
|
||||
+ gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
|
||||
+ gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_IDLE, lifetime);
|
||||
+
|
||||
+ } else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_TIMEOUT) == 0) {
|
||||
+ gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
|
||||
+ gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_AFTER, lifetime);
|
||||
+
|
||||
+ } else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION)){
|
||||
+ g_message ("Unsupported gpg-cache-method setting: %s", method);
|
||||
+ }
|
||||
+
|
||||
gck_builder_add_string (&builder, CKA_G_COLLECTION, "session");
|
||||
+ g_free (method);
|
||||
+ }
|
||||
|
||||
/* Now actually save the password */
|
||||
attrs = gck_attributes_ref_sink (gck_builder_end (&builder));
|
||||
do_save_password (session, keyid, description, password, attrs);
|
||||
gck_attributes_unref (attrs);
|
||||
-
|
||||
- save_unlock_options (prompt);
|
||||
}
|
||||
|
||||
g_clear_object (&prompt);
|
||||
--
|
||||
1.7.11.4
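Review bot: In the `else` branch added to do_get_password, `lifetime` is a `gint` read from `gpg-cache-ttl` and passed unchecked to `gck_builder_add_ulong`, so a negative setting would convert to a very large unsigned value and the cached passphrase would effectively never be destructed. Unless the settings schema (not visible here) already constrains the range, add a guard such as `if (lifetime < 0)` that logs with `g_message` and falls back to the schema default before the attributes are built. When the method string is unrecognised, the same branch only logs and then stores the passphrase in the "session" collection with no lifetime, which is the least restrictive outcome; a comment saying this is intended would help. Minor style point: the last test, `g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION)`, omits the explicit `!= 0`, while the two before it spell out `== 0`.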
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
From 5dff623470b859e332dbe12afb0dc57b292832d2 Mon Sep 17 00:00:00 2001
|
||||
From: Stef Walter <stefw@gnome.org>
|
||||
Date: Wed, 8 Aug 2012 15:08:22 +0200
|
||||
Subject: [PATCH 2/2] secret-store: Mark a secret item as 'used' when accessed
|
||||
|
||||
* This makes the gpg-agent idle feature work correctly
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=681081
|
||||
---
|
||||
pkcs11/secret-store/gkm-secret-item.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/pkcs11/secret-store/gkm-secret-item.c b/pkcs11/secret-store/gkm-secret-item.c
|
||||
index d03c4a8..15791a9 100644
|
||||
--- a/pkcs11/secret-store/gkm-secret-item.c
|
||||
+++ b/pkcs11/secret-store/gkm-secret-item.c
|
||||
@@ -224,6 +224,7 @@ gkm_secret_item_real_get_attribute (GkmObject *base, GkmSession *session, CK_ATT
|
||||
identifier = gkm_secret_object_get_identifier (GKM_SECRET_OBJECT (self));
|
||||
secret = gkm_secret_data_get_raw (sdata, identifier, &n_secret);
|
||||
rv = gkm_attribute_set_data (attr, secret, n_secret);
|
||||
+ gkm_object_mark_used (base);
|
||||
g_object_unref (sdata);
|
||||
return rv;
|
||||
|
||||
--
|
||||
1.7.11.4
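Review bot: `gkm_object_mark_used (base)` runs whatever the value of `rv`, so a read that `gkm_attribute_set_data` rejects still counts as use of the item. If mark-used is what resets the idle-destruct timer (the commit message suggests so, but the implementation is not visible here), failed reads would keep extending the lifetime of a cached secret. Consider `if (rv == CKR_OK) gkm_object_mark_used (base);` together with a short comment such as `/* Reading the secret counts as use for idle expiry */`. The function body starts and ends outside the hunk.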
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
From 370694b36f1ed6f26554ccc740da3b3e92aafded Mon Sep 17 00:00:00 2001
|
||||
From: Rex Dieter <rdieter@fedoraproject.org>
|
||||
Date: Fri, 17 Aug 2012 08:52:25 -0500
|
||||
Subject: [PATCH] only print debug message if no pkcs11 socket
|
||||
|
||||
This is to handle the case of running gnome-keyring in environments
|
||||
not matching GNOME;Unity and avoid needless
|
||||
WARNING: couldn't connect to: /tmp/keyring-SqfLpI/pkcs11
|
||||
type errors
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=665961
|
||||
---
|
||||
pkcs11/rpc-layer/gkm-rpc-module.c | 18 ++++++++++++++++--
|
||||
1 file changed, 16 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/pkcs11/rpc-layer/gkm-rpc-module.c b/pkcs11/rpc-layer/gkm-rpc-module.c
|
||||
index 240fd83..1b11d96 100644
|
||||
--- a/pkcs11/rpc-layer/gkm-rpc-module.c
|
||||
+++ b/pkcs11/rpc-layer/gkm-rpc-module.c
|
||||
@@ -251,8 +251,13 @@ call_connect (CallState *cs)
|
||||
|
||||
if (connect (sock, (struct sockaddr*) &addr, sizeof (addr)) < 0) {
|
||||
close (sock);
|
||||
- warning (("couldn't connect to: %s: %s", pkcs11_socket_path, strerror (errno)));
|
||||
- return CKR_DEVICE_ERROR;
|
||||
+ if (errno == ENOENT) {
|
||||
+ debug (("couldn't connect to: %s: %s", pkcs11_socket_path, strerror (errno)));
|
||||
+ return CKR_DEVICE_REMOVED;
|
||||
+ } else {
|
||||
+ warning (("couldn't connect to: %s: %s", pkcs11_socket_path, strerror (errno)));
|
||||
+ return CKR_DEVICE_ERROR;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (egg_unix_credentials_write (sock) < 0) {
|
||||
@@ -1208,6 +1213,10 @@ rpc_C_Initialize (CK_VOID_PTR init_args)
|
||||
if (ret == CKR_OK)
|
||||
ret = call_run (cs);
|
||||
call_done (cs, ret);
|
||||
+
|
||||
+ /* No daemon available */
|
||||
+ } else if (ret == CKR_DEVICE_REMOVED) {
|
||||
+ ret = CKR_OK;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1248,8 +1257,13 @@ rpc_C_Finalize (CK_VOID_PTR reserved)
|
||||
if (ret == CKR_OK)
|
||||
ret = call_run (cs);
|
||||
call_done (cs, ret);
|
||||
+
|
||||
+ /* No daemon available */
|
||||
+ } else if (ret == CKR_DEVICE_REMOVED) {
|
||||
+ ret = CKR_OK;
|
||||
}
|
||||
|
||||
+
|
||||
if (ret != CKR_OK)
|
||||
warning (("finalizing the daemon returned an error: %d", ret));
|
||||
}
|
||||
--
|
||||
1.7.12.1
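Review bot: In call_connect the new branch tests `errno == ENOENT` after `close (sock)` has already run, and `close` may overwrite `errno`, so both the ENOENT check and the `strerror (errno)` text can describe the wrong failure. Save the value straight after the failed `connect`, e.g. `int saved_errno = errno; close (sock); if (saved_errno == ENOENT) {`, and pass `saved_errno` to `strerror` in both messages. This matters more now than before the change, because the result decides whether rpc_C_Initialize and rpc_C_Finalize map the failure to `CKR_OK` via `CKR_DEVICE_REMOVED`. A misread errno could therefore hide a real connection error behind a debug-level message. The bodies of all three functions continue outside the hunks shown.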
|
|
@ -1,13 +0,0 @@
|
|||
--- gnome-keyring-3.3.4/daemon/dbus/gkd-secret-error.c 2011-12-19 02:51:11.000000000 -0500
|
||||
+++ foo/daemon/dbus/gkd-secret-error.c 2012-01-18 09:12:28.976906276 -0500
|
||||
@@ -60,7 +60,9 @@
|
||||
|
||||
g_return_val_if_fail (error != NULL, NULL);
|
||||
|
||||
- if (g_error_matches (error, GCK_ERROR, CKR_USER_NOT_LOGGED_IN)) {
|
||||
+ if (g_error_matches (error, GCK_ERROR, CKR_USER_NOT_LOGGED_IN) ||
|
||||
+ g_error_matches (error, GCK_ERROR, CKR_PIN_INCORRECT)) {
|
||||
+
|
||||
dbus_set_error (&derr, INTERNAL_ERROR_DENIED, "The password was invalid");
|
||||
|
||||
} else if (g_error_matches (error, GCK_ERROR, CKR_WRAPPED_KEY_INVALID) ||
|
|
@ -8,14 +8,22 @@
|
|||
|
||||
Summary: Framework for managing passwords and other secrets
|
||||
Name: gnome-keyring
|
||||
Version: 3.3.92
|
||||
Release: 1%{?dist}
|
||||
Version: 3.4.1
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: System Environment/Libraries
|
||||
#VCS: git:git://git.gnome.org/gnome-keyring
|
||||
Source: http://download.gnome.org/sources/gnome-keyring/3.3/gnome-keyring-%{version}.tar.xz
|
||||
Source: http://download.gnome.org/sources/gnome-keyring/3.4/gnome-keyring-%{version}.tar.xz
|
||||
URL: http://www.gnome.org
|
||||
|
||||
Patch0: gnome-keyring-3.4.1-fix-cache-option.patch
|
||||
Patch1: gnome-keyring-3.4.1-mark-usage-on-item.patch
|
||||
|
||||
## upstream patches
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=783568
|
||||
# https://bugzilla.gnome.org/show_bug.cgi?id=665961
|
||||
Patch100: gnome-keyring-3.6.1-pkcs11_socket_nodebug_spam.patch
|
||||
|
||||
BuildRequires: glib2-devel >= %{glib2_version}
|
||||
BuildRequires: gtk3-devel >= %{gtk3_version}
|
||||
BuildRequires: gcr-devel >= %{gcr_version}
|
||||
|
@ -60,6 +68,9 @@ automatically unlock the "login" keyring when the user logs in.
|
|||
|
||||
%prep
|
||||
%setup -q -n gnome-keyring-%{version}
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch100 -p1 -b .pkcs11_socket_nodebug_spam
|
||||
|
||||
%build
|
||||
%configure \
|
||||
|
@ -91,12 +102,12 @@ update-mime-database %{_datadir}/mime &> /dev/null || :
|
|||
if [ $1 -eq 0 ]; then
|
||||
touch --no-create %{_datadir}/icons/hicolor >&/dev/null || :
|
||||
gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || :
|
||||
glib-compile-schemas %{_datadir}/glib-2.0/schemas
|
||||
glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null || :
|
||||
fi
|
||||
|
||||
%posttrans
|
||||
gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || :
|
||||
glib-compile-schemas %{_datadir}/glib-2.0/schemas
|
||||
glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null || :
|
||||
|
||||
|
||||
%files -f gnome-keyring.lang
|
||||
|
@ -122,6 +133,22 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas
|
|||
|
||||
|
||||
%changelog
|
||||
* Fri Nov 09 2012 Rex Dieter <rdieter@fedoraproject.org> 3.4.1-4
|
||||
- WARNING: couldn't connect to: /tmp/keyring-... (#783568, gnome#665961)
|
||||
|
||||
* Wed Aug 15 2012 Stef Walter <stefw@redhat.com> - 3.4.1-3
|
||||
- Fix for minor security issue:
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=681081
|
||||
|
||||
* Tue Apr 24 2012 Kalev Lember <kalevlember@gmail.com> - 3.4.1-2
|
||||
- Silence rpm scriptlet output
|
||||
|
||||
* Mon Apr 16 2012 Richard Hughes <hughsient@gmail.com> - 3.4.1-1
|
||||
- Update to 3.4.1
|
||||
|
||||
* Wed Mar 26 2012 Debarshi Ray <rishi@fedoraproject.org> - 3.4.0-1
|
||||
- Update to 3.4.0
|
||||
|
||||
* Wed Mar 21 2012 Kalev Lember <kalevlember@gmail.com> - 3.3.92-1
|
||||
- Update to 3.3.92
|
||||
|
||||
|
|