[systemd-devel] Systemd and kernel keyring

Dinesh Prasanth Moluguwan Krishnamoorthy dmoluguw at redhat.com
Fri Dec 7 19:05:13 UTC 2018


On Fri, 2018-12-07 at 10:00 +0000, Sietse van Zanen wrote:
> Hi Dinesh,
> 
> In that case I suggest you start by reading: 
> http://man7.org/linux/man-pages/man7/keyrings.7.html

Thanks for this. It does provide quite a bit of the info I need! :)

> 
> What does cat /proc/keys say?

There is no "nuxwdog:user" entry in it. Maybe that's because I'm using
this workaround?
https://github.com/systemd/systemd/issues/1232#issuecomment-367209577


Regards,
Dinesh

> -Sietse
> 
> -----Original Message-----
> From: systemd-devel <systemd-devel-bounces at lists.freedesktop.org> On
> Behalf Of Dinesh Prasanth Moluguwan Krishnamoorthy
> Sent: Thursday, 6 December, 2018 23:38
> To: Lennart Poettering <mzerqung at 0pointer.de>
> Cc: systemd-devel at lists.freedesktop.org
> Subject: Re: [systemd-devel] Systemd and kernel keyring
> 
> Hi Lennart,
> 
> [pkiuser at localhost]  $ keyctl list @u
> 1 key in keyring:
> 114920030: --alswrv    17    17 user: nuxwdog:user
> 
> Those are the attrs of the created key. I'm not sure how to read these
> attributes, though.
> 
> Regards,
> Dinesh
> 
> On Thu, 2018-12-06 at 14:38 +0100, Lennart Poettering wrote:
> > On Wed, 05.12.18 19:11, Dinesh Prasanth Moluguwan Krishnamoorthy (
> > dmoluguw at redhat.com) wrote:
> > 
> > > Hi team,
> > > 
> > > I'm working on accessing the kernel keyring in my application,
> > > started using systemd.
> > > 
> > > The list of steps I'm doing:
> > > 
> > > 1. Starting a systemd service with `KeyringMode=shared` as a
> > >    SPECIFIC USER
> > > 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> > >    `systemd-ask-password` to accept the input and store it in the
> > >    USER's kernel keyring
> > > 3. In the main program started using `ExecStart`, I'm accessing the
> > >    value stored in the keyring
> > > 
> > > I'm able to access the values from my main program -- everything
> > > works as expected! When I try to log in as that specific user and
> > > do a `keyctl show @u`, I find the entry.
> > > 
> > > However, when I try to do `keyctl print <keyID>`, it throws a
> > > "Permission Denied" error. IIUC, this protects the keys in the
> > > keyring from being accessed outside the systemd service. Is this the
> > > desired behaviour?
> > 
> > Hmm, maybe use "keyctl list @u" to see the key and its access mode?
> > 
> > Lennart
> > 
> > --
> > Lennart Poettering, Red Hat
> 
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
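As an added illustration (not part of this thread), here is a small Python decoder for `/proc/keys` lines that follows the field layout and per-category permission bits documented in keyrings(7), and applies the kernel's rule that the owner/group/other byte is chosen like a file mode while the possessor byte is only added when the key is linked into one of the caller's keyrings. The sample line is constructed: the serial and the mask 3f010000 are assumptions, while uid/gid 17 and the "nuxwdog:user" description just mirror the thread.

```python
# Per-category permission bits, as defined in <linux/keyctl.h> and keyrings(7).
PERM_BITS = [("view", 0x01), ("read", 0x02), ("write", 0x04),
             ("search", 0x08), ("link", 0x10), ("setattr", 0x20)]
# Byte offset of each subject category inside the 32-bit permission mask.
CATEGORY_SHIFT = {"possessor": 24, "user": 16, "group": 8, "other": 0}

# Constructed /proc/keys line in the layout keyrings(7) documents. The serial
# and the mask are made up; uid/gid 17 and "nuxwdog:user" follow the thread.
SAMPLE_LINE = ("0a1b2c3d I--Q---     1 perm 3f010000    17    17 "
               "user     nuxwdog:user: 24")


def decode_perm(mask):
    """Expand a permission mask into {category: set of granted permission names}."""
    return {cat: {name for name, bit in PERM_BITS if (mask >> shift) & bit}
            for cat, shift in CATEGORY_SHIFT.items()}


def parse_proc_keys_line(line):
    """Split one /proc/keys line into its documented fields."""
    parts = line.split(None, 8)
    if len(parts) != 9:
        raise ValueError("not a /proc/keys line: %r" % line)
    serial, flags, usage, timeout, perm, uid, gid, ktype, desc = parts
    return {"serial": int(serial, 16), "flags": flags, "usage": int(usage),
            "timeout": timeout, "perm": int(perm, 16), "uid": int(uid),
            "gid": int(gid), "type": ktype, "description": desc}


def effective_perms(entry, uid, gid, possesses):
    """Rights a caller gets on the key. Exactly one of the user/group/other
    bytes applies (owner match first, then group if that byte is non-zero,
    else other); the possessor byte is OR'd on top only if the caller
    possesses the key, i.e. it is linked into one of the caller's keyrings."""
    by_cat = decode_perm(entry["perm"])
    if uid == entry["uid"]:
        granted = set(by_cat["user"])
    elif gid == entry["gid"] and by_cat["group"]:
        granted = set(by_cat["group"])
    else:
        granted = set(by_cat["other"])
    if possesses:
        granted |= by_cat["possessor"]
    return granted


if __name__ == "__main__":
    key = parse_proc_keys_line(SAMPLE_LINE)
    print("uid 17, not possessing:", sorted(effective_perms(key, 17, 17, False)))
    print("uid 17, possessing:    ", sorted(effective_perms(key, 17, 17, True)))
```

With this mask the owner can see the key in a listing (view) but cannot read its payload unless the key is also possessed, which is the kind of distinction to check when a listing succeeds but `keyctl print` does not.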
