[systemd-devel] Systemd and kernel keyring
Sietse van Zanen
sietse at wizdom.nu
Fri Dec 7 11:36:25 UTC 2018
It's probably exactly that: you are running keyctl in a subprocess, and that's why the key is not available in your logon session. Let's reproduce the issue, shall we?
First, create a key for the user in a separate login session:
[uglymotha at rdsan01 ~]$ sudo -H -u uglymotha keyctl add user bla bla @u
268450157
We have no access to the key:
[uglymotha at rdsan01 ~]$ keyctl print 268450157
keyctl_read_alloc: Permission denied
That is because it was added in another session, and our current session is not linked to my user keyring; this does not (always) happen automatically on login.
[uglymotha at rdsan01 ~]$ keyctl show @u
Keyring
1004152344 --alswrv 11109 65534 keyring: _uid.11109
268450157 --alswrv 11109 10513 \_ user: bla
The current session keyring is still empty:
[uglymotha at rdsan01 ~]$ keyctl show @s
Keyring
611271066 --alswrv 0 0 keyring: _ses
So link the user keyring to our current session keyring:
[uglymotha at rdsan01 ~]$ keyctl link @u @s
And we have access to the key:
[uglymotha at rdsan01 ~]$ keyctl show @s
Keyring
611271066 --alswrv 0 0 keyring: _ses
1004152344 --alswrv 11109 65534 \_ keyring: _uid.11109
268450157 --alswrv 11109 10513 \_ user: bla
[uglymotha at rdsan01 ~]$ keyctl print 268450157
bla
[uglymotha at rdsan01 ~]$ keyctl unlink @u @s
[uglymotha at rdsan01 ~]$ keyctl print 268450157
keyctl_read_alloc: Permission denied
-Sietse
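The check Sietse performs by hand above (is the key listed under the session keyring, and is the `_uid.<N>` user keyring linked into it?) can be automated by parsing `keyctl show` output. This is an added example, not code from the thread; the sample outputs are copied from the session above and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed samples, taken from the `keyctl show @s` output in the thread:
# the session keyring before and after `keyctl link @u @s`.
SESSION_BEFORE_LINK = """\
Keyring
 611271066 --alswrv      0     0  keyring: _ses
"""

SESSION_AFTER_LINK = """\
Keyring
 611271066 --alswrv      0     0  keyring: _ses
1004152344 --alswrv  11109 65534   \\_ keyring: _uid.11109
 268450157 --alswrv  11109 10513       \\_ user: bla
"""

@dataclass(frozen=True)
class Key:
    key_id: int
    perms: str
    uid: int
    gid: int
    key_type: str
    description: str

# One `keyctl show` line: id, permission summary, uid, gid, an optional "\_"
# tree marker, then "type: description".  The "Keyring" header is skipped.
_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(?:\\_\s+)?(\w+):\s+(.*?)\s*$")

def parse_keyctl_show(output: str) -> list[Key]:
    """Parse the text printed by `keyctl show <keyring>` into Key records."""
    keys = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if m is None:
            continue
        key_id, perms, uid, gid, key_type, desc = m.groups()
        keys.append(Key(int(key_id), perms, int(uid), int(gid), key_type, desc))
    return keys

def user_keyring_linked(output: str, uid: int) -> bool:
    """True if the _uid.<uid> user keyring is reachable from the shown keyring."""
    return any(k.key_type == "keyring" and k.description == f"_uid.{uid}"
               for k in parse_keyctl_show(output))

def key_reachable(output: str, key_id: int) -> bool:
    """True if key_id is listed (hence possessed) via the shown keyring."""
    return any(k.key_id == key_id for k in parse_keyctl_show(output))

def diagnose(session_output: str, uid: int, key_id: int) -> str:
    """Explain why `keyctl print <key_id>` would fail from this session."""
    if key_reachable(session_output, key_id):
        return "reachable"
    if not user_keyring_linked(session_output, uid):
        return "user keyring not linked: run `keyctl link @u @s`"
    return "user keyring linked but key not in it: check `keyctl show @u`"
```

Feed it the output of `keyctl show @s` from the session that gets "Permission denied" to see whether the missing `keyctl link @u @s` is the cause.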
-----Original Message-----
From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
Sent: Thursday, 6 December, 2018 23:21
To: Sietse van Zanen <sietse at wizdom.nu>; systemd-devel at lists.freedesktop.org
Subject: Re: [systemd-devel] Systemd and kernel keyring
Hi Sietse,
I tried doing that, but I wasn't able to link it:
[pkiuser at localhost] $ keyctl show @u
Keyring
461086211 --alswrv 17 65534 keyring: _uid.3
189019025 --alswrv 17 17 \_ user: nuxwdog:user
[pkiuser at localhost] $ keyctl link 189019025 @s
keyctl_link: Permission denied
I achieve 2 by doing a subprocess call that runs `keyctl add user <keyDesc> <password> @u`.
Regards,
Dinesh
On Thu, 2018-12-06 at 11:57 +0000, Sietse van Zanen wrote:
> Hi Dinesh,
>
> Did you do a 'keyctl link @us @s' after logging in?
>
> And could you tell me how you achieve 2? Because according to the
> documentation it is not possible to have systemd-ask-password insert a
> key into a user's keylist:
> --keyname=
> Configure a kernel keyring key name to use as cache for the
> password. If set, then the tool will try to push any collected
> passwords into the
> kernel keyring of the root user
>
> -Sietse
> ________________________________________
> From: systemd-devel <systemd-devel-bounces at lists.freedesktop.org> on
> behalf of Dinesh Prasanth Moluguwan Krishnamoorthy <
> dmoluguw at redhat.com>
> Sent: Thursday, December 6, 2018 04:11
> To: systemd-devel at lists.freedesktop.org
> Subject: [systemd-devel] Systemd and kernel keyring
>
> Hi team,
>
> I'm working on accessing kernel keyring in my application started
> using systemd.
>
> The list of steps I'm doing:
>
> 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC USER
> 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> `systemd-ask-password` to accept the input and store it in the USER's
> kernel keyring
> 3. In the main program started using `ExecStart`, I'm accessing the value
> stored in the keyring
>
> I'm able to access the values from my main program -- everything works
> as expected! When I try to login as that specific user and do a
> `keyctl show @u`, I find the entry.
>
> However, when I try to do `keyctl print <keyID>`, it throws
> "Permission Denied" error. IIUC, this protects the keys in the keyring
> from accessing outside the systemd service. Is it the desired
> behaviour?
>
> I have the sample systemd unit file available in [1].
>
> [1] https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
>
> Thanks,
> Dinesh
>