[systemd-devel] Systemd and kernel keyring

Sietse van Zanen sietse at wizdom.nu
Fri Dec 7 10:09:54 UTC 2018


Dinesh,

That's linking the key to the session keyring. Also, because you're adding keys in a subprocess, you do need to take care with setting correct permissions on the key.

What does keyctl show @us say?

-Sietse


-----Original Message-----
From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com> 
Sent: Thursday, 6 December, 2018 23:21
To: Sietse van Zanen <sietse at wizdom.nu>; systemd-devel at lists.freedesktop.org
Subject: Re: [systemd-devel] Systemd and kernel keyring

Hi Sietse,

I tried doing that, but I wasn't able to link it:

[pkiuser at localhost]  $ keyctl show @u
Keyring
 461086211 --alswrv     17 65534  keyring: _uid.3
 189019025 --alswrv     17    17   \_ user: nuxwdog:user
[pkiuser at localhost]  $ keyctl link 189019025 @s
keyctl_link: Permission denied


I achieve 2 by doing a subprocess call that runs `keyctl add user <keyDesc> <password> @u`

Regards,
Dinesh

On Thu, 2018-12-06 at 11:57 +0000, Sietse van Zanen wrote:
> Hi Dinesh,
> 
> Did you do a 'keyctl link @us @s' after logging in?
> 
> And could you tell me how you achieve 2. Because according to 
> documentation it is not possible to have systemd-ask-password insert a 
> key into a user's keylist:
> 
>   --keyname=
>       Configure a kernel keyring key name to use as cache for the password. If set, then the tool will try to push any collected passwords into the kernel keyring of the root user
> 
> -Sietse
> ________________________________________
> From: systemd-devel <systemd-devel-bounces at lists.freedesktop.org> on 
> behalf of Dinesh Prasanth Moluguwan Krishnamoorthy < 
> dmoluguw at redhat.com>
> Sent: Thursday, December 6, 2018 04:11
> To: systemd-devel at lists.freedesktop.org
> Subject: [systemd-devel] Systemd and kernel keyring
> 
> Hi team,
> 
> I'm working on accessing kernel keyring in my application started 
> using systemd.
> 
> The list of steps I'm doing:
> 
> 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC USER
> 2. In the `ExecStartPre`, I'm launching a subprocess that invokes `systemd-ask-password` to accept the input and store it in the USER's kernel keyring
> 3. In the main program started using `ExecStart`, I'm accessing the value stored in the keyring
> 
> I'm able to access the values from my main program -- everything works 
> as expected! When I try to login as that specific user and do a 
> `keyctl show @u`, I find the entry.
> 
> However, when I try to do `keyctl print <keyID>`, it throws 
> "Permission Denied" error. IIUC, this protects the keys in the keyring 
> from accessing outside the systemd service. Is it the desired 
> behaviour?
> 
> I have the sample systemd unit file available in [1].
> 
> [1] https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
> 
> Thanks,
> Dinesh
> 
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
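An added example (my own, not code from the thread or from keyutils) that decodes the 8-hex-digit permission mask `keyctl describe` prints (`type;uid;gid;perm;desc`) and applies the kernel's key permission rules, so a "Permission denied" from `keyctl print` or `keyctl link` can be traced back to the mask: the caller gets exactly one of the owner, group or other bytes, and the possessor byte is added only when the key is reachable from one of the caller's own keyrings. The sample describe line, the uid 17 and the mask 0x3f010000 (the usual default for a freshly added user key: possessor everything, owner view only) are constructed for illustration, and the group check is simplified to the primary gid.

```python
# Key permission mask layout (keyutils.h): one byte per subject class.
RIGHTS = {"view": 0x01, "read": 0x02, "write": 0x04,
          "search": 0x08, "link": 0x10, "setattr": 0x20}
SHIFTS = {"possessor": 24, "user": 16, "group": 8, "other": 0}

# Right a keyctl operation needs on the key itself (not on the keyring).
OPS = {"print": "read", "update": "write", "link": "link", "setperm": "setattr"}


def parse_describe(line):
    """Parse `keyctl describe` output: type;uid;gid;perm;description."""
    ktype, uid, gid, perm, desc = line.split(";", 4)
    return ktype, int(uid), int(gid), int(perm, 16), desc


def decode_perm(mask):
    """Split a 32-bit mask into {subject: set of rights}, e.g. 0x3f010000."""
    return {subj: {name for name, bit in RIGHTS.items() if (mask >> sh) & bit}
            for subj, sh in SHIFTS.items()}


def effective_rights(mask, key_uid, key_gid, caller_uid, caller_gid, possessed):
    """Rights the caller actually gets, following key_task_permission():
    uid match -> user byte, else gid match -> group byte, else other byte;
    the possessor byte is OR'd in only if the caller possesses the key."""
    if caller_uid == key_uid:
        kperm = (mask >> 16) & 0xFF
    elif caller_gid == key_gid:
        kperm = (mask >> 8) & 0xFF
    else:
        kperm = mask & 0xFF
    if possessed:
        kperm |= (mask >> 24) & 0xFF
    return {name for name, bit in RIGHTS.items() if kperm & bit}


def explain(describe_line, caller_uid, caller_gid, possessed):
    """Map each keyctl operation to whether this caller may perform it."""
    _, uid, gid, mask, _ = parse_describe(describe_line)
    have = effective_rights(mask, uid, gid, caller_uid, caller_gid, possessed)
    return {op: need in have for op, need in OPS.items()}


# Constructed sample: a user key owned by uid/gid 17 with the default mask.
SAMPLE = "user;17;17;3f010000;nuxwdog:user"

if __name__ == "__main__":
    print("service process (possesses key):", explain(SAMPLE, 17, 17, True))
    print("login shell, same uid, not possessed:", explain(SAMPLE, 17, 17, False))
    print("owner byte after 'keyctl setperm <id> 0x3f3f0000':",
          decode_perm(0x3F3F0000)["user"])
```

The second line of output shows the thread's symptom: the same uid sees the key (view) but cannot print or link it until it either possesses the key through its own keyrings or the owner byte is widened with `keyctl setperm`.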
