Stefan noticed that gdm is pulling up the UI and prompting for gnome
keyring unlock.
Part of this is that the UI still appears whenever an NAI is used that
does not exist in its selection of cards even if it was given a password
for that identity.
That's a bug that Kevin's looking into.
However, the gnome keyring unlock is much more problematic and we're
trying to figure out how to approach it.
Apparently the PAM part of gdm3 is run with DISPLAY set and a valid
session dbus.
So, we're detecting a UI and thus trying to use it.
We're detecting Gnome keyring which causes the keyring to try and
unlock.
First, I'm not sure about the security of this if the UI is set-uid
root.
It seems like you could run into significant problems if you can get an
application that is set-uid root to call gss functions.
The second issue is that I don't know how to use the gnome keyring in
the general case but not cause it to get involved in the gdm3 case.
I'd appreciate any suggestions people have.
--Sam