Bug 1888978 - Update how capabilities are used
Summary: Update how capabilities are used
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnome-keyring
Version: 34
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: David King
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1899540 1935431
Depends On:
Blocks:
Reported: 2020-10-16 16:34 UTC by Steve Grubb
Modified: 2021-03-19 20:06 UTC (History)
CC List: 13 users

Fixed In Version: gnome-keyring-3.36.0-6.fc35 gnome-keyring-3.36.0-6.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-19 20:06:31 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
Patch addressing issue (3.13 KB, patch)
2020-10-16 16:34 UTC, Steve Grubb
no flags

Description Steve Grubb 2020-10-16 16:34:54 UTC
Created attachment 1722118 [details]
Patch addressing issue

Description of problem:
There is a change coming in libcap-ng-0.8.1 that causes gnome-keyring to not work correctly. The capng_apply function now returns an error if it cannot change the bounding set. Previously this was ignored, which means gnome-keyring now exits when it shouldn't.

The new patch adds troubleshooting info to the error message. And it checks to see if we have CAP_SETPCAP. If we do not, then we cannot change the capabilities so we just bypass the whole thing that was causing an error. On the setuid side, it now drops the bounding set and clears any supplemental groups that may be left over as an accident.

Version-Release number of selected component (if applicable):
gnome-keyring-pam-3.36.0-1.fc32

Comment 1 Debarshi Ray 2020-10-19 13:18:52 UTC
CCing Daiki because he is the one who knows gnome-keyring the most these days.

Comment 2 Daiki Ueno 2020-10-29 14:38:31 UTC
Comment on attachment 1722118 [details]
Patch addressing issue

Looks good to me. If you could open a merge request on upstream, I can review and merge:
https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests

Comment 3 Steve Grubb 2020-10-29 20:40:18 UTC
OK, I submitted a merge request. Libcap-ng-0.8.1 will be released soon. Maybe next week. I plan to push it to rawhide and then eventually F33. It will not go into F32.

Comment 4 Steve Grubb 2020-11-12 20:35:33 UTC
A new version of libcap-ng is being released next week. This same change needs to get pushed over to F33, too. Thanks!

Comment 5 Steve Grubb 2020-12-09 20:19:04 UTC
*** Bug 1899540 has been marked as a duplicate of this bug. ***

Comment 6 Steve Grubb 2020-12-09 20:22:14 UTC
I was wondering if upstream commit ebc7bc9efacc17049e54da8d96a4a29943621113 can be put into rawhide?

Comment 7 Ben Cotton 2021-02-09 16:16:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.

Comment 8 David King 2021-03-05 17:04:40 UTC
*** Bug 1935431 has been marked as a duplicate of this bug. ***

Comment 9 Steve Grubb 2021-03-05 17:17:48 UTC
Any chance we can get an updated package?

Comment 10 David King 2021-03-05 17:21:03 UTC
(In reply to Steve Grubb from comment #9)
> Any chance we can get an updated package?

I don't (as a member of the gnome-sig group) have a problem merging this, especially as it's merged upstream. Would it also make sense to add CAP_SETPCAP to gnome-keyring-daemon?

Comment 11 Steve Grubb 2021-03-05 17:36:48 UTC
CAP_SETPCAP is needed if you change the bounding set and that is not needed when using filesystem based capabilities. The upstream patch doesn't touch the bounding set unless we have CAP_SETPCAP which we get when setuid root. Upstream patch fixes everything. Thanks!
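The logic described in the bug description and in comment 11 (touch the bounding set only when CAP_SETPCAP is actually held, otherwise bypass that step rather than fail, and clear leftover supplementary groups on the setuid path) as an added, self-contained illustration. This is not the attached patch, the upstream merge request, or gnome-keyring code: it uses the raw prctl(2)/setgroups(2) interfaces instead of libcap-ng so it builds with nothing but glibc, and all function names (parse_capeff_line, reduce_privileges, and so on) are assumptions made for this example. The CapEff lines in the tests are constructed sample input.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* CAP_SETPCAP is capability number 8 on Linux; defined here so the
   example compiles without <linux/capability.h>. */
#ifndef CAP_SETPCAP
#define CAP_SETPCAP 8
#endif

/* Parse a "CapEff:<tab><hex>" line from /proc/self/status into a 64-bit mask.
   Returns 0 on success, -1 if it is not a CapEff line or the hex is malformed. */
int parse_capeff_line(const char *line, uint64_t *mask)
{
    const char *prefix = "CapEff:";
    if (strncmp(line, prefix, strlen(prefix)) != 0)
        return -1;
    const char *p = line + strlen(prefix);
    while (*p == ' ' || *p == '\t')
        p++;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* 1 if capability number `cap` is set in `mask`, 0 otherwise. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Convenience for testing: 1 if the CapEff line grants `cap`, 0 if not,
   -1 when the line cannot be parsed. */
int capeff_line_has_cap(const char *line, int cap)
{
    uint64_t mask = 0;
    if (parse_capeff_line(line, &mask) != 0)
        return -1;
    return cap_in_mask(mask, cap);
}

/* Read this process's effective capability set. 0 on success, -1 on failure. */
int read_effective_caps(uint64_t *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int rc = -1;
    while (rc != 0 && fgets(line, sizeof line, f))
        rc = parse_capeff_line(line, mask);
    fclose(f);
    return rc;
}

/* Drop every capability from the bounding set; this is the step that needs
   CAP_SETPCAP. Returns the number dropped, or -1 on the first failure. */
int drop_bounding_set(void)
{
    int dropped = 0;
    for (int cap = 0; cap <= 63; cap++) {
        int present = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
        if (present < 0)
            break;          /* EINVAL: past the last capability this kernel knows */
        if (present == 0)
            continue;       /* already absent */
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            return -1;
        dropped++;
    }
    return dropped;
}

/* The behaviour the bug asks for: only change the bounding set when
   CAP_SETPCAP is held (an unprivileged run simply skips it instead of
   failing), then clear leftover supplementary groups when running as root.
   Returns 0 on success, -1 on an error that should abort; *changed_bset is
   1 when the bounding set was cleared and 0 when that step was bypassed. */
int reduce_privileges(int *changed_bset)
{
    uint64_t eff = 0;
    *changed_bset = 0;
    if (read_effective_caps(&eff) != 0)
        return -1;
    if (cap_in_mask(eff, CAP_SETPCAP)) {
        if (drop_bounding_set() < 0)
            return -1;
        *changed_bset = 1;
    }
    /* setgroups() needs CAP_SETGID, so only attempt it as root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    return 0;
}

int main(void)
{
    int changed = 0;
    int rc = reduce_privileges(&changed);
    printf("reduce_privileges: rc=%d, bounding set %s\n",
           rc, changed ? "cleared" : "left alone (no CAP_SETPCAP)");
    return rc == 0 ? 0 : 1;
}
```

Run it once as an ordinary user and once setuid root (or under `sudo`) to see the two paths: the unprivileged run reports the bounding set was left alone and exits 0, which is exactly the case where an unconditional bounding-set change under libcap-ng-0.8.1 would have turned into a fatal error.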

Comment 12 Fedora Update System 2021-03-05 18:13:04 UTC
FEDORA-2021-d234912a57 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-d234912a57

Comment 13 Fedora Update System 2021-03-06 19:46:22 UTC
FEDORA-2021-d234912a57 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-d234912a57`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-d234912a57

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2021-03-19 20:06:31 UTC
FEDORA-2021-d234912a57 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

