Bug#775189: mate-session spawns gnome-keyring unconditionally

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Mon Jan 12 13:37:29 UTC 2015


Hi Faidon,

On Mon 12 Jan 2015 13:38:40 CET, Faidon Liambotis wrote:

> Since upstream commit[1] 8a20baf39f781184d6126e0947e9fd4d9a115fab,
> mate-session-manager spawns gnome-keyring-daemon, with no option to turn
> it off, or pass arguments to it (such as --components).
>
> While this is bad in itself, it gets worse: keyring is spawned *after*
> the regular user-configured autostart programs are run. gnome-keyring's
> default set of components includes a GPG & a SSH agent and rightfully
> exports SSH_AUTH_SOCK and GPG_AGENT_INFO.

This already was an issue with gnome-keyring in GNOMEv2.

> Therefore, even if the user has configured their desktop to spawn the
> (more featureful and arguably more secure OpenSSH) ssh-agent or
> gpg-agent, it is impossible to use it, as gnome-keyring-daemon clobbers
> these two environmental variables.

The "clobbering" could be disabled via gconf in GNOMEv2 and I am
pretty sure something similar is possible using dconf-editor.

> Note that e.g. gdm3's default PAM configuration uses pam_gnome_keyring
> which calls gnome-keyring-daemon with the --daemonize --login options.
> This starts the daemon but does not initialize it; mate-session's
> execution with --start is what initializes it and exports these
> variables into the session's environment.
>
> Finally, note that MATE's default session autostart includes multiple
> GNOME Keyring entries, a different one for each keyring component, that
> can individually be turned off and on. This is what GNOME used to do
> (maybe still does?) as well. I've yet to understand why mate-session
> also spawns it from its code as well.

In mate-session there is some extra code that makes sure gnome-keyring
has been launched because there were times when gnome-keyring would
not launch for MATE, but only for GNOMEv3 (OnlyShowIn=GNOME;Unity;).

It may be an option for Debian jessie to remove that bit of extra code  
from mate-session, but I would like to get some feedback from Stefano  
or Sandwer (upstream devs of MATE).

Greets,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
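
To confirm which agent a session actually ended up with once autostart and the keyring have both run, the following added example (not code from this thread or from MATE) classifies the SSH_AUTH_SOCK and GPG_AGENT_INFO values by each agent's usual default socket path. The function names and sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): identify which agent a session's
# SSH_AUTH_SOCK / GPG_AGENT_INFO point at. Classification is a heuristic on
# each agent's usual default socket path; custom paths (e.g. ssh-agent -a)
# come back as "unknown".

# agent_for_path PATH -> gnome-keyring | openssh-agent | gpg-agent | unset | unknown
agent_for_path() {
    case "$1" in
        '')                         echo unset ;;
        */keyring/*|*/keyring-*/*)  echo gnome-keyring ;;  # /run/user/UID/keyring/ssh, /tmp/keyring-XXXX/gpg
        */ssh-*/agent.*)            echo openssh-agent ;;  # /tmp/ssh-XXXX/agent.PID
        */S.gpg-agent*)             echo gpg-agent ;;      # .../S.gpg-agent or S.gpg-agent.ssh
        *)                          echo unknown ;;
    esac
}

# report NAME WANT GOT: print one status line, return 1 on mismatch.
report() {
    if [ "$2" = "$3" ]; then
        echo "ok       $1 -> $3"
        return 0
    fi
    echo "MISMATCH $1 -> $3 (configured: $2)"
    return 1
}

# check_agents WANT_SSH WANT_GPG SSH_AUTH_SOCK GPG_AGENT_INFO
# Returns 1 if either variable points at a different agent than configured.
check_agents() {
    rc=0
    report SSH_AUTH_SOCK "$1" "$(agent_for_path "$3")" || rc=1
    # GPG_AGENT_INFO has the form path:pid:protocol; keep only the path.
    report GPG_AGENT_INFO "$2" "$(agent_for_path "${4%%:*}")" || rc=1
    return $rc
}

# Constructed sample values: the state described in the thread, where the
# user autostarted ssh-agent and gpg-agent but the keyring exported later.
check_agents openssh-agent gpg-agent \
    "/run/user/1000/keyring/ssh" "/run/user/1000/keyring/gpg:0:1" || true

# Live check from a terminal inside the session:
#   check_agents openssh-agent gpg-agent "$SSH_AUTH_SOCK" "$GPG_AGENT_INFO"
```

A mismatch on either line means the session's exported variable no longer points at the agent the user configured in autostart.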