Bug 1888978
Summary: | Update how capabilities are used
---|---
Product: | [Fedora] Fedora
Component: | gnome-keyring
Version: | 34
Status: | CLOSED ERRATA
Severity: | medium
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Steve Grubb <sgrubb>
Assignee: | David King <amigadave>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | amigadave, caillon+fedoraproject, customercare, debarshir, dueno, gnome-sig, john.j5live, mclasen, rstrode, sandmann, stefw, walters, yaneti
Fixed In Version: | gnome-keyring-3.36.0-6.fc35 gnome-keyring-3.36.0-6.fc34
Last Closed: | 2021-03-19 20:06:31 UTC
Type: | Bug
CCing Daiki because he is the one who knows gnome-keyring the most these days.

Comment on attachment 1722118 (Patch addressing issue)

Looks good to me. If you could open a merge request on upstream, I can review and merge: https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests

OK, I submitted a merge request. Libcap-ng-0.8.1 will be released soon. Maybe next week. I plan to push it to rawhide and then eventually F33. It will not go into F32.

A new version of libcap-ng is being released next week. This same change needs to get pushed over to F33, too. Thanks!

*** Bug 1899540 has been marked as a duplicate of this bug. ***

I was wondering if upstream commit ebc7bc9efacc17049e54da8d96a4a29943621113 can be put into rawhide?

This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle. Changing version to 34.

*** Bug 1935431 has been marked as a duplicate of this bug. ***

Any chance we can get an updated package?

(In reply to Steve Grubb from comment #9)
> Any chance we can get an updated package?

I don't (as a member of the gnome-sig group) have a problem merging this, especially as it's merged upstream. Would it also make sense to add CAP_SETPCAP to gnome-keyring-daemon?

CAP_SETPCAP is needed if you change the bounding set and that is not needed when using filesystem based capabilities. The upstream patch doesn't touch the bounding set unless we have CAP_SETPCAP which we get when setuid root. Upstream patch fixes everything. Thanks!

FEDORA-2021-d234912a57 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-d234912a57

FEDORA-2021-d234912a57 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-d234912a57` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-d234912a57 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-d234912a57 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
Created attachment 1722118 (Patch addressing issue)

Description of problem:

There is a change coming in libcap-ng-0.8.1 that causes gnome-keyring to not work correctly. The capng_apply function now returns an error if it cannot change the bounding set. Previously this was ignored. Which means now gnome-keyring exits when it shouldn't.

The new patch adds troubleshooting info to the error message. And it checks to see if we have CAP_SETPCAP. If we do not, then we cannot change the capabilities so we just bypass the whole thing that was causing an error. On the setuid side, it now drops the bounding set and clears any supplemental groups that may be left over as an accident.

Version-Release number of selected component (if applicable):

gnome-keyring-pam-3.36.0-1.fc32
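
The check discussed in this report (only touch the bounding set when CAP_SETPCAP is held), as an added example that is not the gnome-keyring patch or libcap-ng code. It uses raw capget(2) and prctl(2) in place of capng_apply so it builds without the library; the function names and the capability to keep (CAP_IPC_LOCK in main) are assumptions.

```c
/* Added illustration; not gnome-keyring's code. Linux only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* 1 if `cap` is in our effective set, 0 if not, -1 if capget(2) failed. */
static int have_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* Shrink the bounding set to just `keep` (hypothetical parameter), but only
 * when CAP_SETPCAP is effective; without it PR_CAPBSET_DROP fails with EPERM.
 * Returns 1 = bounding set reduced, 0 = skipped, -1 = error. */
static int drop_bounding_set_if_allowed(int keep)
{
    int have = have_effective_cap(CAP_SETPCAP);
    if (have <= 0)
        return have;            /* 0: file-capability case, nothing to do */

    /* PR_CAPBSET_READ returns -1 (EINVAL) past the kernel's last capability. */
    for (int cap = 0; prctl(PR_CAPBSET_READ, (unsigned long)cap) >= 0; cap++) {
        if (cap == keep)
            continue;
        if (prctl(PR_CAPBSET_DROP, (unsigned long)cap) != 0) {
            fprintf(stderr, "dropping capability %d from bounding set: %s\n",
                    cap, strerror(errno));
            return -1;
        }
    }
    return 1;
}

int main(void)
{
    int r = drop_bounding_set_if_allowed(CAP_IPC_LOCK);
    printf("bounding set: %s\n", r == 1 ? "reduced" : r == 0 ? "left alone" : "error");
    return r < 0;
}
```

Run unprivileged, it reports the bounding set as left alone; run as root with CAP_SETPCAP, it reduces the bounding set of the calling process only.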