Commits on Source (10)
- Jeremy Bicha authored eda60a2a
- Jeremy Bicha authored 41b29ed5
- Jeremy Bicha authored faf9b939
- Jeremy Bicha authored 039dbd77

  -Wl,--as-needed is default since Bullseye
  dh_auto_test handles nocheck and some env stuff in dh compat 13

- Jeremy Bicha authored 9817adf7
- Simon McVittie authored 4cd87240

  GNOME Keyring uses "memory locking" to prevent memory buffers from being written out to swap, in an attempt to prevent passwords and other secrets from being written to disk unencrypted. Since Linux 2.6.9 (Debian 4.0, 2007) it has been possible to lock memory up to the limit defined by RLIMIT_MEMLOCK without requiring the CAP_IPC_LOCK capability.

  Since GLib 2.70, processes with higher privilege than their caller are prevented from accessing most environment variables as part of a security hardening effort intended to prevent processes with elevated privileges from being subverted by their caller. This applies to any process with the AT_SECURE attribute, including executables with setuid, setgid or filesystem capabilities (setcap), as well as executables that undergo AppArmor transitions with mode Cx, Px or Ux, or any other similar privilege-elevation mechanism.

  Denying access to environment variables in this way interferes with the ability to connect to the D-Bus session bus, which is required functionality for gnome-keyring.

  RLIMIT_MEMLOCK defaults to 64 KiB, although it is considerably higher on typical Debian systems due to #976373. If memory locking for larger quantities of secret data is required, please configure a higher RLIMIT_MEMLOCK in /etc/security/limits.conf.

  Memory locking is not effective when using suspend-to-disk (hibernation), which ignores memory locking and writes the contents of memory to disk regardless. It is also only fully effective if the entire path that the password takes through the overall system makes use of memory locking, which in practice does not occur. Using encrypted swap, with an ephemeral key if suspend-to-disk is not required, is recommended as a more robust way to prevent passwords from reaching disk. Full-disk encryption is also recommended for systems where confidentiality is important.

  Closes: #994961

- Simon McVittie authored 82a131c7

  Now that we are not setting CAP_IPC_LOCK, this is not useful, and disabling it silences some misleading warnings. gnome-keyring will still log a warning if it cannot allocate enough locked memory for its needs.

- Simon McVittie authored 4801b8a0

  Older versions of gnome-keyring did not always prevent larger items of secret data from being swapped out, even if they could, due to a logic error when allocating new blocks of locked memory.

- Simon McVittie authored e7a3929b
- Rico Tzschichholz authored 77ebd78c
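
The unprivileged memory locking that commit 4cd87240 relies on, as an added C example that is not part of these commits or of gnome-keyring's code: it reads RLIMIT_MEMLOCK, tries to lock a buffer without CAP_IPC_LOCK, and degrades to a warning when the lock is refused. The names `secret_buf`, `memlock_limit`, `secret_alloc` and `secret_free` are hypothetical.

```c
#define _DEFAULT_SOURCE /* MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Hypothetical helper type for this example: one mapping holding a secret. */
struct secret_buf { unsigned char *p; size_t len; int locked; int lock_errno; };

/* Soft RLIMIT_MEMLOCK in bytes (RLIM_INFINITY means unlimited); 0 on success. */
int memlock_limit(rlim_t *out) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) return -1;
    *out = rl.rlim_cur;
    return 0;
}

/* Map len bytes and try to mlock() them. A refused lock is recorded in
 * b->locked / b->lock_errno instead of being fatal, so the caller can warn
 * and continue with swappable memory. Returns -1 only if mmap() fails. */
int secret_alloc(struct secret_buf *b, size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    b->p = p; b->len = len;
    b->locked = (mlock(p, len) == 0);
    b->lock_errno = b->locked ? 0 : errno; /* ENOMEM: over limit; EPERM: limit is 0 */
    return 0;
}

/* Zero the secret through a volatile pointer so the stores are not
 * optimized away, then unlock and unmap. */
void secret_free(struct secret_buf *b) {
    volatile unsigned char *v = b->p;
    for (size_t i = 0; i < b->len; i++) v[i] = 0;
    if (b->locked) munlock(b->p, b->len);
    munmap(b->p, b->len);
    b->p = NULL; b->len = 0; b->locked = 0;
}

int main(void) {
    rlim_t lim; struct secret_buf b;
    if (memlock_limit(&lim) == 0)
        printf("RLIMIT_MEMLOCK soft limit: %llu bytes\n", (unsigned long long)lim);
    if (secret_alloc(&b, 16384) != 0) return 1; /* 16 KiB: under the 64 KiB default */
    if (!b.locked) { errno = b.lock_errno; perror("warning: mlock failed, secret may reach swap"); }
    secret_free(&b);
    return 0;
}
```
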

Changed files:

- debian/compat: deleted (100644 → 0)
- debian/gnome-keyring.postinst: deleted (100644 → 0)
- debian/gnome-keyring.ubiquity: deleted (100644 → 0)