| 1 |
Mark Knecht <markknecht@×××××.com> posted |
| 2 |
5bdc1c8b0901301919q6936d05dj47d5a8a6808fa6bf@××××××××××.com, excerpted |
| 3 |
below, on Fri, 30 Jan 2009 19:19:47 -0800: |
| 4 |
|
| 5 |
> OK, with the radeon driver loaded X isn't crashing when mythfrontend |
| 6 |
> completes so that's good. Now, I see radeon loaded as a module but it |
| 7 |
> doesn't show up in the lspci command, and I am still seeing a segfault |
| 8 |
> on gnome-key-ring: |
| 9 |
|
| 10 |
The gnome-key-ring issue /may/ be due to kernel security capabilities -- |
| 11 |
or the lack of them. The background is that you don't want your keys |
| 12 |
being able to be retrieved from swap, which means gpg and the various |
| 13 |
keyring apps (like gnome-keyring) need to be able to lock memory in RAM, |
| 14 |
making it unswappable. Except if every app could do that, it'd mean |
| 15 |
every user could crash the machine by locking huge amounts of memory, so |
| 16 |
traditionally locking like that required root privileges. But |
| 17 |
unnecessarily running programs as root has its own risks, so security |
| 18 |
capabilities were developed. If these are compiled into the kernel and |
| 19 |
configured correctly, it allows keyring apps and etc to be allowed only |
| 20 |
very limited security capacities, in this case, the ability to lock a |
| 21 |
limited amount of memory so it doesn't swap, or in the case of |
| 22 |
tcptraceroute and the like, the ability to use "raw" sockets, instead of |
| 23 |
running as root. |
| 24 |
|
| 25 |
So what I'd guess is happening is that you had your kernel configured |
| 26 |
with capabilities before, and gnome-keyring built to use them (this is |
| 27 |
often controlled by USE=capabilities I believe, don't know if gnome- |
| 28 |
keyring does it that way or not) but your current kernel isn't configured |
| 29 |
for them, so when gnome-keyring tries to use capabilities to lock memory, |
| 30 |
it fails and segfaults. |
| 31 |
|
| 32 |
Unfortunately I don't know how to configure what apps get what |
| 33 |
capabilities and which don't -- I think it uses extended filesystem |
| 34 |
attributes which I don't have turned on here. But, in the 2.6.29-rc2+ (I |
| 35 |
run git and update directly from Linus' git tree), the kernel config |
| 36 |
option should be (I think): |
| 37 |
|
| 38 |
Security Options > File POSIX Capabilities |
| 39 |
|
| 40 |
You will likely need either extended attributes or POSIX ACLs turned on |
| 41 |
for whatever filesystem the executable in question is on, as well. |
| 42 |
However, that's really reaching beyond the extent of my knowledge on the |
| 43 |
subject, so that's about all I can venture and that bit is only a guess. |
| 44 |
|
| 45 |
-- |
| 46 |
Duncan - List replies preferred. No HTML msgs. |
| 47 |
"Every nonfree program has a lord, a master -- |
| 48 |
and if you use the program, he is your master." Richard Stallman |
Archives