Skip to content

Drop CAP_IPC_LOCK capability

In GLib 2.66.4, we introduced a change to GLib which prevented setuid/setgid/setcap/AT_SECURE processes from reading DBUS_SESSION_BUS_ADDRESS, as that could potentially allow for a privilege escalation from an unprivileged calling environment to the capability-enhanced subprocess.

That caused gnome-keyring to stop working when run under dbus-x11, as that requires the DBUS_SESSION_BUS_ADDRESS environment variable to find the session bus, and gnome-keyring has CAP_IPC_LOCK so that it can set its locked memory limits. See this Debian bug for details.

For GLib 2.66.5 we’ve partially reverted the security hardening, so that setcap or setgid processes can once more access DBUS_SESSION_BUS_ADDRESS. See glib!1920 (merged).

This will be dropped for GLib 2.70, i.e. GLib will be hardened again, at which point gnome-keyring will be broken again. Please make sure that by that time, gnome-keyring is either:

  • no longer setcap; or
  • can happily operate with the default amount of locked memory provided by modern Linux kernels to all unprivileged processes.

See glib#2305 (closed) for full details.

I am reporting this publicly rather than confidentially as the details are all public already. It may be possible for an unprivileged caller to use this privilege escalation to perform a denial of service, but with no more effect than other ways unprivileged users can already cause denials of service on a typical desktop.