Red Hat Bugzilla – Bug 1025723
gnome-keyring: does not properly kill gnome-keyring-daemon before exit, race condition causes pam umount fail
Last modified: 2015-03-03 13:55:39 EST
Gnome-keyring is found to have a flaw, where an encrypted disk fails to unmount even after logging out using the pam-mount, and as it's in the background, the user won't be aware of this.
The issue is that in pam/gkr-pam-module.c stop_daemon() sends SIGTERM to the gnome-keyring-daemon process instead of SIGKILL i.e. just requesting shutdown and ensuring the process is killed. This means that when pam_gnome_keyring.so returns from pam_close_session() the daemon is sometimes still running (race condition). Since the daemon has an open socket in the users home directory, pam_mount's umount call will fail. It was found that gnome-keyring-daemon has an open socket at in ~/.cache/keyring-xxxxxx/control, which is started at login.
This issue was reported to be successful under lightdm and XFCE, but should also affect other systems that use pam-gnome-keyring and pam-mount together.
A workaround is posted to replace SIGTERM with SIGKILL in the source. You may want to use SIGTERM/sleep/if(alive) SIGKILL to give the daemon a chance to exit properly.
Created gnome-keyring tracking bugs for this issue:
Affects: fedora-all [bug 1025724]
When you see this condition, could you do a backtrace of all threads in the gnome-keyring-daemon? gnome-keyring-daemon should exit on SIGTERM. If it doesn't, then that's the bug.
Is there somebody else who can answer Stef's question ?
I've not reproduced this and the individual who filed the bug is no longer with Red Hat.
Unfortunately, I am unable to test this being relatively unfamiliar with the program. I would have hoped that upstream would have looked into this a bit, but it seems like their bug has not progressed.
Maybe the owner of this package could take some time and look at it? I'm not sure whether this was actually ever tested, or was simply reported this way.
As an aside, nothing has moved on the Debian report so maybe this is a bogus report? I'm not sure if anyone has reproduced it or not.
Related bug: https://bugzilla.gnome.org/show_bug.cgi?id=708765
Not sure it's the same issue. Patched upstream.