FS#68664 - [libcap-ng] [gnome-keyring] gnome-keyring-daemon fails to start after upgrade to libcap-ng 0.8.1

Attached to Project: Arch Linux
Opened by Jonas Witschel (diabonas) - Wednesday, 18 November 2020, 22:03 GMT
Last edited by David Runge (dvzrv) - Sunday, 28 February 2021, 15:45 GMT
Task Type: Bug Report
Category: Packages: Testing
Status: Closed
Assigned To: Jan Alexander Steffens (heftig), David Runge (dvzrv), Levente Polyak (anthraxx)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 8
Private: No

Details

After upgrading to libcap-ng 0.8.1-1 in [testing], gnome-keyring fails to start with the error message

gnome-keyring-daemon: error dropping process capabilities, aborting

Downgrading libcap-ng to the previous version 0.8-1 fixes the issue.

Additional info:
* libcap-ng 0.8.1-1
* gnome-keyring 1:3.36.0-1

Steps to reproduce:
1. Install gnome-keyring and libcap-ng from [testing]: pacman -S gnome-keyring libcap-ng=0.8.1-1
2. Try starting the daemon: gnome-keyring-daemon --start
3. Observe the error message given above.

Closed by David Runge (dvzrv)
Sunday, 28 February 2021, 15:45 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with libcap-ng 0.8.2 / gnome-keyring 1:3.36.0-3
Comment by Jonas Witschel (diabonas) - Wednesday, 18 November 2020, 22:41 GMT
I have bisected this issue to libcap-ng commit 6a24a9c5e2f3af1d56430417ee8c9a04ead38e6c ("capng_apply error update") and created an upstream bug report: https://github.com/stevegrubb/libcap-ng/issues/21
Comment by David Runge (dvzrv) - Thursday, 19 November 2020, 09:29 GMT
It seems libcap-ng upstream has provided changes to gnome-keyring that can be applied for it to work with libcap-ng 0.8.1:
https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/33
Comment by Jonas Witschel (diabonas) - Thursday, 19 November 2020, 11:00 GMT
Nice find! I am not quite sure whether this fix works as intended, since it does not change the capabilities any more at all unless CAP_SETPCAP is given (which it is not, at least on Arch Linux, otherwise this error wouldn't occur in the first place). I have left a comment asking for clarification: https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/33#note_965430

I also opened an upstream pull request https://github.com/stevegrubb/libcap-ng/pull/23 to avoid silent breakage of projects not performing error checking on capng_apply. This won't fix packages like gnome-keyring or cifs-utils (cf. FS#68666) though; these will have to be fixed case by case.
Comment by Jonas Witschel (diabonas) - Saturday, 21 November 2020, 11:17 GMT
The patch for gnome-keyring has been updated and merged upstream: https://gitlab.gnome.org/GNOME/gnome-keyring/-/commit/ebc7bc9efacc17049e54da8d96a4a29943621113

For libcap-ng in general, the silent breakage issue has been addressed by https://github.com/stevegrubb/libcap-ng/commit/fda0224fea4f01b77bd07ac195b3baaaf1a28fca and a new release is imminent: https://github.com/stevegrubb/libcap-ng/issues/21#issuecomment-731355287

Fedora apparently has opted to revert the stricter error checking for now to avoid breaking existing applications: https://github.com/stevegrubb/libcap-ng/issues/21#issuecomment-731491583 I don't think this is the way to go for Arch though, instead we should try to fix the applications that depend on libcap-ng.
Comment by Jonas Witschel (diabonas) - Saturday, 21 November 2020, 11:54 GMT
From my very cursory checks, the only other packages I could find in our repositories apart from gnome-keyring and cifs-utils that are potentially in need of patching for libcap-ng 0.8.1 are:

- ceph: https://github.com/ceph/ceph/blob/d472ab97534090447fd1f4d50bedd323ca80d696/src/mount/mount.ceph.c#L115-L118
- qemu: https://github.com/qemu/qemu/blob/834b9273d5cdab68180dc8c84d641aaa4344b057/fsdev/virtfs-proxy-helper.c#L104-L107

The other packages either don't use capng_apply(CAPNG_SELECT_BOTH), don't do error checking on capng_apply (which will at least apply the normal capabilities with the next libcap-ng release), or seem to be checking for CAP_SETPCAP before using capng_apply(CAPNG_SELECT_BOTH).
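The CAP_SETPCAP check mentioned in the comment above, sketched as an added example (not code from gnome-keyring, libcap-ng or anyone in this thread): the kernel only lets a process drop bounding-set entries if it holds CAP_SETPCAP, so a caller can inspect its effective mask first and request the bounding set only when that can succeed. The `scope` enum, the function names and the two `/proc/<pid>/status` samples are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SETPCAP  8   /* bit numbers as in linux/capability.h */
#define CAP_IPC_LOCK 14

/* Hypothetical names; they mirror the capng_apply() selections on the page. */
enum scope { SCOPE_UNKNOWN, SCOPE_CAPS_ONLY, SCOPE_CAPS_AND_BOUNDS };

/* Constructed samples of /proc/<pid>/status, not captured from a real system. */
static const char SAMPLE_FILECAP[] =
    "Name:\tdaemon\nCapPrm:\t0000000000004000\n"
    "CapEff:\t0000000000004000\nCapBnd:\t000001ffffffffff\n";
static const char SAMPLE_ROOT[] =
    "Name:\tdaemon\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n";

/* 1 if `cap` is in the CapEff mask of `status`, 0 if not, -1 if unparsable. */
int cap_effective(const char *status, int cap)
{
    const char *p = status;
    while ((p = strstr(p, "CapEff:")) && p != status && p[-1] != '\n')
        p += 7;                             /* match must start a line */
    if (!p)
        return -1;
    p += 7;
    while (*p == ' ' || *p == '\t')
        p++;
    if (!isxdigit((unsigned char)*p))       /* empty value: do not read on */
        return -1;
    return (int)((strtoull(p, NULL, 16) >> cap) & 1ULL);
}

/* Without CAP_SETPCAP only the process capability sets can be changed. */
enum scope pick_scope(const char *status)
{
    int r = cap_effective(status, CAP_SETPCAP);
    if (r < 0)
        return SCOPE_UNKNOWN;
    return r ? SCOPE_CAPS_AND_BOUNDS : SCOPE_CAPS_ONLY;
}

int main(void)
{
    printf("%d %d\n", pick_scope(SAMPLE_FILECAP), pick_scope(SAMPLE_ROOT));
    return 0;
}
```

A program that links libcap-ng would query the library for CAP_SETPCAP rather than parse `/proc`; the parsing here only keeps the example free of that dependency.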
Comment by loqs (loqs) - Saturday, 21 November 2020, 12:42 GMT
Updating ceph is blocked by the package currently failing to build FS#68387. That also blocks the python rebuild.
Comment by Netboy3 (Netboy3) - Saturday, 12 December 2020, 21:32 GMT
Opened a new task FS#68961 to reflect that the issue still exists with libcap-ng 0.8.2 that was just pushed to core and probably broke gnome-keyring for a lot of Arch users.
Comment by Robert (robson) - Monday, 14 December 2020, 11:08 GMT
sudo setcap cap_ipc_lock=+ep `which gnome-keyring-daemon`
This command solves this problem
gnome-keyring-daemon: error dropping process capabilities, aborting
