Mark Knecht <markknecht@×××××.com> posted
5bdc1c8b0901301919q6936d05dj47d5a8a6808fa6bf@××××××××××.com, excerpted
below, on Fri, 30 Jan 2009 19:19:47 -0800:

> OK, with the radeon driver loaded X isn't crashing when mythfrontend
> completes so that's good. Now, I see radeon loaded as a module but it
> doesn't show up in the lspci command, and I am still seeing a segfault
> on gnome-key-ring:

The gnome-key-ring issue /may/ be due to kernel security capabilities --
or the lack of them. The background is that you don't want your keys
being able to be retrieved from swap, which means gpg and the various
keyring apps (like gnome-keyring) need to be able to lock memory in RAM,
making it unswappable. Except if every app could do that, it'd mean
every user could crash the machine by locking huge amounts of memory, so
traditionally locking like that required root privileges. But
unnecessarily running programs as root has its own risks, so security
capabilities were developed. If these are compiled into the kernel and
configured correctly, it allows keyring apps and etc to be allowed only
very limited security capacities, in this case, the ability to lock a
limited amount of memory so it doesn't swap, or in the case of
tcptraceroute and the like, the ability to use "raw" sockets, instead of
running as root.

So what I'd guess is happening is that you had your kernel configured
with capabilities before, and gnome-keyring built to use them (this is
often controlled by USE=capabilities I believe, don't know if
gnome-keyring does it that way or not) but your current kernel isn't
configured for them, so when gnome-keyring tries to use capabilities to
lock memory, it fails and segfaults.

Unfortunately I don't know how to configure what apps get what
capabilities and which don't -- I think it uses extended filesystem
attributes which I don't have turned on here. But, in the 2.6.29-rc2+ (I
run git and update directly from Linus' git tree), the kernel config
option should be (I think):

Security Options > File POSIX Capabilities

You will likely need either extended attributes or POSIX ACLs turned on
for whatever filesystem the executable in question is on, as well.
However, that's really reaching beyond the extent of my knowledge on the
subject, so that's about all I can venture and that bit is only a guess.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
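
The memory-locking step discussed in the message above, as an added C example that is not part of the original post and is not gnome-keyring's code: it checks whether the process holds CAP_IPC_LOCK and treats a refused mlock() as a reportable condition rather than a crash. It assumes Linux (mlock(2), RLIMIT_MEMLOCK, /proc/self/status); the names `capeff_has` and `alloc_secret` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

#define CAP_IPC_LOCK_BIT 14  /* CAP_IPC_LOCK, from <linux/capability.h> */

/* Given the text of /proc/<pid>/status, return 1 if capability bit `cap` is
 * set in the effective set (CapEff), 0 if clear, -1 if the line is missing. */
int capeff_has(const char *status_text, int cap)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return -1;
    return (int)((strtoull(p + 7, NULL, 16) >> cap) & 1ULL);
}

/* Map `len` zeroed bytes for key material and try to pin them in RAM.
 * *locked is 1 if mlock() succeeded, 0 if the kernel refused; a refusal is
 * reported and the buffer stays usable (but swappable) instead of crashing. */
void *alloc_secret(size_t len, int *locked)
{
    void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return NULL;
    *locked = (mlock(buf, len) == 0);
    if (!*locked) {
        int err = errno;                 /* EPERM, ENOMEM or EAGAIN */
        struct rlimit rl = {0, 0};
        getrlimit(RLIMIT_MEMLOCK, &rl);
        fprintf(stderr, "mlock: %s (RLIMIT_MEMLOCK soft limit %llu bytes)\n",
                strerror(err), (unsigned long long)rl.rlim_cur);
    }
    return buf;
}

int main(void)
{
    char status[8192] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { status[fread(status, 1, sizeof status - 1, f)] = '\0'; fclose(f); }
    int locked = 0;
    void *key = alloc_secret(4096, &locked);
    printf("CAP_IPC_LOCK: %d, locked: %d\n", capeff_has(status, CAP_IPC_LOCK_BIT), locked);
    if (key) munmap(key, 4096);
    return 0;
}
```

A caller that gets `locked == 0` can decide by policy whether to refuse to hold secrets or to continue with a warning.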