Mind Bending

Gnome Keyring

Following the last line from my preview post, there is a secure flaw in the Gnome Keyring. Hopefully there is a security mechanism that brings us some peace. The Gnome Keyring API (ligbnome-keyring) give us a way to lock an specific keyring using the following methods: set_lock_on_idle and set_lock_timeout.

According to the libgnome-keyring API documentation (only available in C) the set_lock_on_idle method receives a boolean value (True of False), which define if the defined keyring should or shouldn’t be locked when idle. The set_lock_timeout method defines after how many seconds the keyring should be considered idle. Since I couldn’t find any usage example and I couldn’t get any help with the community/developers I assumed that the correct usage for this method should be something like this:

>>> import gnomekeyring as gk
>>> import glib
>>> glib.set_application_name('MyApp')
>>> my_keyring = gk.get_info_sync('MyKeyring')
>>> my_keyring.set_lock_timeout(10) #10 seconds
>>> my_keyring.set_lock_on_idle(True)

But guess what, It didn’t work. I’ve waited 20 seconds and issued the command my_keyring.get_is_locked() but it returned False. I’ve waited for 10 minutes, in case the Python API isn’t in seconds, but also nothing happened. I thought that maybe the running process count as activity, so I’ve setted everything up again, exited the Python Shell and monitored the Keyring with Seahorse. Nothing again. Maybe this is mis-implemented in Python or I’ve misunderstood the usage so I’ve tried again to reach the gnome developers issuing this bug: Bug #614350. It was almost a month and a half ago, I didn’t get any response. last week I made a question at Launchpad to the libgnome-keyring package Ubuntu Team (Question #110067) but again I have no response. If I misunderstood the "lock on idle" concept and someone out there knows the right way, please let me know!

Since I have no correction perspective and I run out of ideas on how could be the "right way" to use this idle timeout, I’ll suggest 2 implementations to keep your keyring secure:

  1. Always lock the keyring after a query. In order to implement this you’ll need to store the keyring password in a certain variable and do the following steps: check lock; get password; unlock; query; lock.
  2. Wrap the whole keyring and use a "count down timer" (ex: gobject.timepout_add) to define when it becomes idle.

The fist suggestion is really simple to implement but the second will demand some extra work. In future posts I’ll show my  implementation example.



Graduated in Telecommunication Engineering, but currently working with GNU/Linux infrastructure and in the spare time I'm an Open Source programmer (Python and C), a drawer and author in the Mind Bending Blog.


comments powered by Disqus