So how does the gnome keyring work with sudo?


#1

I’m setting up duplicacy on an ubuntu (18.04) server and I can’t seem to get duplicacy to store the passwords in the gnome keyring. I previously used duplicacy on a NAS running on some old version of Debian and (as far as I can remember) I didn’t have problems with it remembering the passwords. Now on this ubuntu machine I don’t know what’s going on. It asks me to enter both the WebDAV password and the storage password every single time.

Apart from the different version of Linux, I think the only difference is that on the old NAS I was logged in as root and now I’m logged in with my user name and do sudo duplicacy backup. I don’t know how exactly gnome keyring works, but I suspect that when I use sudo, duplicacy doesn’t have access to my keyring? But wait, I also did the init with sudo and I ran backup with sudo multiple times. So shouldn’t the passwords be saved in the root user’s keyring?

I’m stuck.


Edit: Just to keep this topic focussed on the main question, I’ll mention that the following workaround seems to work for me:

Save the webdav password in the preferences file:

sudo duplicacy set -key webdav_password -value ***********

and save the storage password there too:

sudo duplicacy set -key password -value ***********

Now sudo duplicacy -background -log backup -stats &> /srv/NAS/duplicacy/logs/backup.log & works fine.

I’m also mentioning it in case someone is having the same problem and is happy with this fix. But I would still like to know how to get this to work with the gnome keyring.


How to run duplicacy as a cron job on linux?
#2

The relevant code is in keyring/keyring_linux.go at master · gilbertchen/keyring · GitHub (which was forked from GitHub - tmc/keyring: keyring provides a cross-platform keychain/keyring interface).

I believe the environment variable DBUS_SESSION_BUS_ADDRESS isn’t set up properly under sudo. This is the address used to connect to the gnome keyring.


#3

So what does this mean?

To start with, could you clarify whether this is a problem with duplicacy or with that keyring package that you forked into duplicacy or with ubuntu or with how my system is configured or with how I’m using duplicacy?

Maybe @skidvd, who had a possibly related issue and solved (?) it, can chime in?


#4

This is a problem with your root shell. It doesn’t have DBUS_SESSION_BUS_ADDRESS set so Duplicacy can’t talk to the gnome keyring. I guess in the cron script you need to set DBUS_SESSION_BUS_ADDRESS to whichever value that it has under your user account.

You can run this command to monitor the dbus calls:

dbus-monitor interface=org.freedesktop.Secret.Service interface=org.freedesktop.Secret.Session interface=org.freedesktop.Secret.Collection interface=org.freedesktop.Secret.Item interface=org.freedesktop.Secret.Prompt

#5

Okay. But since I’m using a default Ubuntu installation, I guess this applies to everyone running duplicacy as sudo on Ubuntu. I’m surprised that I’m the first one to bring this up.

From what I understand (which is not a lot), this basically means that duplicacy doesn’t fully support being run via sudo on Ubuntu, right?

Might that be worth mentioning somewhere in the documentation?

I’m not even at the stage of setting up a cron job yet, and I was hoping to avoid any scripts as I’ve never done bash scripting.

What do I do that for? / What do you mean by that?


#6

The dbus-monitor command watches the dbus messages relevant to the gnome keyring so it may be able to tell you what is wrong.

It looks like sudo doesn’t pass environment variables according to this: linux - How to keep environment variables when using sudo - Stack Overflow

So you may need to run sudo -E.


#7

Okay, thanks. This is getting way too nitty gritty for me, so I’ll leave the environment variables alone (on Linux) until someone has worked this out and posts the instructions.

But what about this:


#8

Thanks for writing the how-to. I can confirm that the gnome keyring doesn’t work with sudo. This is not Duplicacy’s fault – the dbus daemon doesn’t allow sudo to connect because it thinks it is from a different user id.
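
The two conditions discussed in this thread (DBUS_SESSION_BUS_ADDRESS missing under sudo, and the bus being owned by a different user id than the caller) can be told apart with a small check. This is an added example, not part of the thread or of Duplicacy; the function names are made up here, and it assumes a `unix:path=` style address and GNU `stat`.

```shell
#!/bin/sh
# Added example: classify how the current process relates to a D-Bus session bus.

# Print the socket path from an address such as
# "unix:path=/run/user/1000/bus,guid=..."; print nothing for other transports.
bus_socket_path() {
    case "$1" in
        unix:path=*)
            p=${1#unix:path=}
            printf '%s\n' "${p%%,*}"
            ;;
    esac
}

# diagnose_bus ADDRESS UID prints one of:
#   unset        - no address in the environment (plain sudo drops it)
#   unsupported  - address is not a unix:path= socket; cannot be inspected here
#   missing      - address points at a socket that does not exist
#   uid-mismatch - socket belongs to another user (the case the last reply describes)
#   ok           - socket exists and belongs to UID
diagnose_bus() {
    addr=$1
    uid=$2
    [ -n "$addr" ] || { echo unset; return; }
    path=$(bus_socket_path "$addr")
    [ -n "$path" ] || { echo unsupported; return; }
    [ -e "$path" ] || { echo missing; return; }
    owner=$(stat -c %u "$path")
    if [ "$owner" = "$uid" ]; then
        echo ok
    else
        echo uid-mismatch
    fi
}

# Report for the process that runs this script.
diagnose_bus "${DBUS_SESSION_BUS_ADDRESS:-}" "$(id -u)"
```

Running it as the desktop user, then under `sudo`, then under `sudo -E` shows which of the two conditions applies in each case.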