gkeyring

Problem accessing another users gnome-keyring with su

Asked by greywood

This question was first posted at: http://ubuntuforums.org/showthread.php?t=1086490&page=2

Hello!

Regarding the gkeyring.py script... is there a way to run this w/ sudo or su -c? I tried the following but received an error

root@blake:~# su -c "/prime/scripts/gkeyring.py -k login -p user=root,type=password --output secret" greywood
GNOME keyring is not available!

'greywood' is the user that is currently running an authenticated and open gnome-keyring... if the folowing is run directly by greywood the password is returned successfully:

/prime/scripts/gkeyring.py -k login -p user=root,type=password --output secret

Any suggestions? thanks!

Question information

Language:
English Edit question
Status:
Solved
For:
gkeyring Edit question
Assignee:
No assignee Edit question
Solved by:
Kamil Páral
Solved:
Last query:
Last reply:
Revision history for this message
Kamil Páral (kamil.paral) said : 		#1

1. You are already logged in as root, why do you use su?
2. In which keyring is the password stored, in greywood's keyring or in root's keyring? Of course you can access only your keyring (root can't access greywood's keyring). And the GNOME keyring daemon must be running, that means that user must probably be logged in in a graphical session.
3. By default Ubuntu does not have root user and even if you create him, he is forbidden to log in to a GNOME session. That means you are very unlikely to have any password stored in the root's keyring, because the keyring probably even doesn't exist.

If you need to use the password in a root command, first run as normal user, save the password to variable and then use it in the root command:
$ PASS=`./gkeyring.py -p ... -1`
$ sudo do_something $PASS

Revision history for this message
greywood (greywood) said : 		#2

> 1. You are already logged in as root, why do you use su?

In order to access greywood's gnome-keyring from root. Doesn't seem possible...

> 2. In which keyring is the password stored, in greywood's keyring or in root's keyring? Of course you can access only your keyring (root can't access greywood's keyring). And the GNOME keyring daemon must be running, that means that user must probably be logged in in a graphical session.

It's stored in greywood's keyring. Greywood is logged into GNOME and the gnome-keyring daemon is running. Greywood has authenticated and unlocked the keyring for the session.

> 3. By default Ubuntu does not have root user and even if you create him, he is forbidden to log in to a GNOME session. That means you are very unlikely to have any password stored in the root's keyring, because the keyring probably even doesn't exist.

Correct. root does have DISPLAY set and access to greywood's xsession via .Xuathority.

... The idea was to have root access a password from greywood's keyring in order to perform an operation under the belief that it would be a compromise between security and usability - other options being: stored temporarily in a txt file, passed by some env variable or having an unsecured (i.e.: no password) id_rsa file for passwordless SSH key authentication...

Revision history for this message
Best Kamil Páral (kamil.paral) said : 		#3

Oh, I have overlooked the "greywood" username at the end of the "su" command. Now I get it.

Still, GNOME keyring is not available if you use that command. My program requires (obviously) to have GNOME keyring available. So I can't help you with that, you can ask on GNOME keyring's mailing list why it is not available after "su" command.

Revision history for this message
greywood (greywood) said : 		#4

I did some reading here http://mdeslaur.blogspot.com/2009/11/gnome-keyring.html, which outlines fairly well the security paradigm which gnome-keyring operates under. It seems it is bound to a user's session. I will post your question to the gnome-keyring people and report back if I find anything new.

Thanks!