[systemd-devel] Have 'session' keyrings per service

Lennart Poettering lennart at poettering.net
Fri Aug 9 08:44:02 PDT 2013


On Thu, 08.08.13 12:15, Stef Walter (stefw at redhat.com) wrote:

> Hey guys. I'm trying to figure out details for:
> 
> http://www.freedesktop.org/wiki/Specifications/login-unlock/
> 
> Lennart we talked about this briefly in Brno ... basically the concept
> is that when systemd does cryptsetup, it'll stash away the password it
> successfully used in the kernel keyring, and then the PAM stack in GDM
> will use it to try and log the user in.
> 
> One thing we should work out is how to avoid having any uid 0 process
> accessing that password at will. By:
> 
>  1. Obviously, a kernel keyring timeout.
>  2. Putting it in a keyring that only certain services have access to.

Hmm, well, what's the point of this part? I mean, on Unix security is
either bound to UIDs/GIDs, or to MAC labels, we shouldn't attempt to
introduce half-assed security checks beyond that... I mean, ptrace()
allows you to impersonate anybody you like if that someone has the same
UID you have, so what's the point of doing per-session or per-service
access control?

I'd just stick this into the keyring of UID 0 with a timeout of 2min or
so, and that'd be it.

> The second is why I'm writing...
> 
> I'm thinking about the idea of defining a named session keyring per
> systemd unit (kernel 'session keyrings' have nothing to do with user
> login sessions, overloaded term, :S ).

What's the point really? What would this provide us with that labeling
keys would not do anyway?

> On its own this makes a lot of sense, since we essentially make a
> per-cgroup keyring for services, which becomes really useful.

It sounds very wrong to me to introduce a new concept of access control
here on the lower level. We try hard to map everything back to
UID/GID+label, for example in the journal, where we break up the journal
into individual files so we can reuse fs access control...

My simplistic approach for all of this would look like this:

a) rip out all plymouth-based password caching logic from systemd

b) instead, cache all keys we read from the kbd in the kernel keyring
for UID 0 with an expiry of 2min or so.

c) Add a tiny PAM module to systemd that can provide the cached keys (or
one of them) as PAM auth tok.

Then, add the latter to the gdm autologin PAM config snippet.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
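As an added example (not code from this thread, from systemd, or from Stef's spec), here is the keyring side of steps (b) and (c) above using keyctl(1) from keyutils: cache a passphrase in the user keyring with a 2 minute expiry, read it back the way a PAM module would, and drop it early. It assumes keyutils is installed and uses a constructed key description; run as root, `@u` is the UID 0 keyring the mail proposes, and the kernel removes the key by itself once the timeout elapses.

```shell
#!/bin/sh
# Added example, not from the original mail. Requires keyctl(1) (keyutils).
# Key description is constructed for the example, not a systemd name.
KEY_DESC="cryptsetup:example-volume"
KEY_TTL=120   # seconds; "2min or so", as proposed in the mail

# Store the passphrase given as $1 under KEY_DESC in the calling UID's
# user keyring (@u) and arm the kernel-side timeout. Prints the key serial.
cache_passphrase() {
    pw=$1
    # padd reads the payload from stdin; printf '%s' avoids a trailing newline
    id=$(printf '%s' "$pw" | keyctl padd user "$KEY_DESC" @u) || return 1
    keyctl timeout "$id" "$KEY_TTL" || return 1
    echo "$id"
}

# What a PAM module would do: look the key up by description and print the
# payload. Fails if the key was never cached, was dropped, or has expired.
fetch_passphrase() {
    id=$(keyctl search @u user "$KEY_DESC" 2>/dev/null) || return 1
    keyctl pipe "$id"
}

# Drop the cached passphrase explicitly, e.g. right after a successful login,
# rather than leaving it around for the remainder of the timeout.
forget_passphrase() {
    id=$(keyctl search @u user "$KEY_DESC" 2>/dev/null) || return 0
    keyctl unlink "$id" @u
}
```

`keyctl show @u` lists the cached key while it is alive; once the 120 s have passed, `fetch_passphrase` fails because the kernel no longer returns expired keys from a search.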