integ/security/python-keyring/python-keyring/fix_keyring_lockfile_location.patch

Index: keyring-5.3/keyring/backends/file.py
===================================================================
--- keyring-5.3.orig/keyring/backends/file.py
+++ keyring-5.3/keyring/backends/file.py
@@ -19,6 +19,8 @@ from ..util.escape import escape as esca
 from oslo_concurrency import lockutils
 
 
+lockfile = "keyringlock"
+
 class FileBacked(object):
     @abc.abstractproperty
     def filename(self):
@@ -104,16 +106,18 @@ class BaseKeyring(FileBacked, KeyringBac
         service = escape_for_ini(service)
         username = escape_for_ini(username)
 
+        # ensure the file exists
+        self._ensure_file_path()
+
         # encrypt the password
         password_encrypted = self.encrypt(password.encode('utf-8'))
         # encode with base64
         password_base64 = base64.encodestring(password_encrypted).decode()
 
+        lockdir = os.path.dirname(self.file_path)
 
-        with lockutils.lock("keyringlock",external=True,lock_path="/tmp"):
+        with lockutils.lock(lockfile,external=True,lock_path=lockdir):
 
-            # ensure the file exists
-            self._ensure_file_path()
 
             config = None
             try:
@@ -159,14 +163,13 @@ class BaseKeyring(FileBacked, KeyringBac
 
 
 
-
-
     def _ensure_file_path(self):
         """
         Ensure the storage path exists.
         If it doesn't, create it with "go-rwx" permissions.
         """
         storage_root = os.path.dirname(self.file_path)
+        lockdir = storage_root
         if storage_root and not os.path.isdir(storage_root):
             os.makedirs(storage_root)
         if not os.path.isfile(self.file_path):
@@ -175,13 +178,22 @@ class BaseKeyring(FileBacked, KeyringBac
                 pass
             user_read_write = 0o644
             os.chmod(self.file_path, user_read_write)
+        if not os.path.isfile(lockdir + "/" + lockfile):
+             import stat
+             with open(lockdir + "/" + lockfile, 'w'):
+                 pass
+             # must have the lock file with the correct group permissisions g+rw
+             os.chmod(lockdir + "/" + lockfile, stat.S_IRWXG | stat.S_IRWXU)
+
 
     def delete_password(self, service, username):
         """Delete the password for the username of the service.
         """
         service = escape_for_ini(service)
         username = escape_for_ini(username)
-        with lockutils.lock("keyringlock",external=True,lock_path="/tmp"):
+
+        lockdir = os.path.dirname(self.file_path)
+        with lockutils.lock(lockfile,external=True,lock_path=lockdir):
             config = configparser.RawConfigParser()
             if os.path.exists(self.file_path):
                 config.read(self.file_path)
@@ -290,17 +302,6 @@ class EncryptedKeyring(Encrypted, BaseKe
         # set a reference password, used to check that the password provided
         #  matches for subsequent checks.
 
-        # try to pre-create the /tmp/keyringlock if it doesn't exist
-        lockfile = "/tmp/keyringlock"
-        if os.geteuid() == 0 and (not os.path.exists(lockfile)):
-             from pwd import getpwnam
-             import stat
-             nonrootuser = "sysadmin"
-             with open(lockfile, 'w'):
-                 pass
-             # must have the lock file with the correct group permissisions g+rw
-             os.chmod(lockfile, stat.S_IRWXG | stat.S_IRWXU)
-
 
         self.set_password('keyring-setting', 'password reference',
             'password reference value')
@@ -313,9 +314,10 @@ class EncryptedKeyring(Encrypted, BaseKe
             return False
         self._migrate()
 
+        lockdir = os.path.dirname(self.file_path)
         # lock access to the file_path here, make sure it's not being written
         # to while while we're checking for keyring-setting
-        with lockutils.lock("keyringlock",external=True,lock_path="/tmp"):
+        with lockutils.lock(lockfile,external=True,lock_path=lockdir):
             config = configparser.RawConfigParser()
             config.read(self.file_path)
             try:
@@ -325,7 +327,6 @@ class EncryptedKeyring(Encrypted, BaseKe
                 )
             except (configparser.NoSectionError, configparser.NoOptionError):
                 # The current file doesn't have the keyring-setting, check the backup
-                logging.warning("_check_file: The current file doesn't have the keyring-setting, check the backup")
                 if os.path.exists(self.backup_file_path):
                     config = configparser.RawConfigParser()
                     config.read(self.backup_file_path)