Hi Faidon,

On Mon 12 Jan 2015 13:38:40 CET, Faidon Liambotis wrote:

> Since upstream commit[1] 8a20baf39f781184d6126e0947e9fd4d9a115fab,
> mate-session-manager spawns gnome-keyring-daemon, with no option to turn
> it off, or pass arguments to it (such as --components).
>
> While this is bad in itself, it gets worse: keyring is spawned *after*
> the regular user-configured autostart programs are run. gnome-keyring's
> default set of components includes a GPG & a SSH agent and rightfully
> exports SSH_AUTH_SOCK and GPG_AGENT_INFO.

This already was an issue with gnome-keyring in GNOMEv2.

> Therefore, even if the user has configured their desktop to spawn the
> (more featureful and arguably more secure OpenSSH) ssh-agent or
> gpg-agent, it is impossible to use it, as gnome-keyring-daemon clobbers
> these two environmental variables.

The "clobbering" could be disabled via gconf in GNOMEv2 and I am pretty sure there is something similar possible by manipulating with dconf-editor.

> Note that e.g. gdm3's default PAM configuration uses pam_gnome_keyring
> which calls gnome-keyring-daemon with the --daemonize --login options.
> This starts the daemon but does not initialize it; mate-session's
> execution with --start is what initializes it and exports these
> variables into the session's environment.
>
> Finally, note that MATE's default session autostart includes multiple
> GNOME Keyring entries, a different one for each keyring component, that
> can be individually turned off and on. This is what GNOME used to do
> (maybe still does?) as well. I've yet to understand why mate-session
> also spawns it from its code as well.

In mate-session there is some extra code that makes sure gnome-keyring has been launched because there were times when gnome-keyring would not launch for MATE, but only for GNOMEv3 (OnlyShowin=GNOME;Unity;).

It may be an option for Debian jessie to remove that bit of extra code from mate-session, but I would like to get some feedback from Stefano or Sandwer (upstream devs of MATE).

Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
