| 3 Oct 2024 |
 ElvishJerricco | though I think lanzaboote fills that condition | 22:35:26 |
 raitobezarius | There's a PR that fixes the measurements which just need a rebase, yes | 22:36:26 |
| raitobezarius | I may have spoons at some point | 22:36:37 |
| 4 Oct 2024 |
|  @ajcxz0:matrix.org left the room. | 01:00:46 |
| 5 Oct 2024 |
| ElvishJerricco | Jan Tojnar: Hey, did you have anything worth sharing on the luks gnome keyring thing? I know you didn't get very far but I'm bored and want to take a look into it tonight :P | 01:16:22 |
 emily | oh, I never reached out to Arch about that… :( | 01:16:43 |
| ElvishJerricco | ok, so the pam_gdm auth module gets the key out of the keyring and sets the authtok. Then pam_gnome_keyring reads that, forks off the daemon, which switches to your user, and the authtok is piped in to child from parent. Or if the daemon was already running, it just sends the authtok over the control socket. | 03:16:40 |
| ElvishJerricco | so there is definitely at least a moment where the password is being piped to a process owned by your user | 03:16:56 |
| emily | did you find jtojnar's WIP NixOS test thing? | 03:17:00 |
| emily | https://gist.github.com/jtojnar/d1c98d5d803cee3998f68e2e1761c8f8 | 03:17:25 |
| ElvishJerricco | I didn't. Figured I'd rather get familiar with how it works before testing anything out | 03:17:28 |
| emily | (doesn't work, but maybe it's useful to you) | 03:17:31 |
| ElvishJerricco | thanks | 03:17:53 |
| emily | relevant comment about timing / multiple sessions https://matrix.to/#/!NBBFPbiuttRgTqbrcY:nixos.org/$-nf3vPAiCozFLiNCXkzyvCjEZ9W57MT7dOBOLu9ee_U?via=nixos.org&via=matrix.org&via=nixos.dev | 03:18:05 |
| emily | and pointer to earlier discussion from there | 03:18:10 |
| ElvishJerricco | yea, so my guess is that there is some vulnerability here, that's probably quite difficult to take advantage of | 03:18:26 |
| ElvishJerricco | part of it depends on when exactly pam_sm_open_session happens. | 03:21:29 |
| ElvishJerricco | But I think you can make that not matter by having a non-gdm session open before gdm-autologin happens | 03:27:53 |
| ElvishJerricco | which is probably plausible with systemd user lingering | 03:28:04 |
| ElvishJerricco | oh that was easier than I thought | 03:55:46 |
| ElvishJerricco | emily: you around? | 03:55:49 |
|  magic_rb changed their profile picture. | 22:18:06 |
| 6 Oct 2024 |
| emily | https://github.com/NixOS/nixpkgs/pull/346797 could probably use more opinions/discussion (for once I lean slightly against) | 12:47:22 |
|  @sofo:matrix.org left the room. | 15:28:06 |
 Winter | yeah i don't like this... i'll write up something | 17:53:22 |
| emily | i think we have decent consensus to not mark it right now at this point | 17:57:03 |
| 7 Oct 2024 |
|  Sam Lehman changed their profile picture. | 14:24:09 |
| 9 Oct 2024 |
 Nick Cao | firefox RCE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/ | 14:12:28 |
 Valodim | whew | 14:20:57 |
