[systemd-devel] Systemd and kernel keyring
Dinesh Prasanth Moluguwan Krishnamoorthy
dmoluguw at redhat.com
Fri Dec 7 19:10:54 UTC 2018
[pkiuser at localhost] $ keyctl show @us
Keyring
863455739 --alswrv 17 65534 keyring: _uid_ses.17
[pkiuser at localhost] $ keyctl show @u
Keyring
461086211 --alswrv 17 65534 keyring: _uid.17
722174553 --alswrv 17 17 \_ user: nuxwdog:user
[pkiuser at localhost] $ keyctl link @u @s
[pkiuser at localhost] $ keyctl show @us
Keyring
863455739 --alswrv 17 65534 keyring: _uid_ses.17
Regards,
Dinesh
On Fri, 2018-12-07 at 10:09 +0000, Sietse van Zanen wrote:
> Dinesh,
>
> That's linking the key to the session keyring. Also because you're
> adding keys in a subprocess you do need to take care with setting
> correct permissions on the key.
>
> What does keyctl show @us say?
>
> -Sietse
>
>
> -----Original Message-----
> From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
> Sent: Thursday, 6 December, 2018 23:21
> To: Sietse van Zanen <sietse at wizdom.nu>;
> systemd-devel at lists.freedesktop.org
> Subject: Re: [systemd-devel] Systemd and kernel keyring
>
> Hi Sietse,
>
> I tried doing that, but I wasn't able to link it:
>
> [pkiuser at localhost] $ keyctl show @u
> Keyring
> 461086211 --alswrv 17 65534 keyring: _uid.3
> 189019025 --alswrv 17 17 \_ user: nuxwdog:user
> [pkiuser at localhost] $ keyctl link 189019025 @s
> keyctl_link: Permission denied
>
>
> I achieve 2 by doing a subprocess call that runs
> `keyctl add user <key Desc> <password> @u`
>
> Regards,
> Dinesh
>
> On Thu, 2018-12-06 at 11:57 +0000, Sietse van Zanen wrote:
> > Hi Dinesh,
> >
> > Did you do a 'keyctl link @us @s' after logging in?
> >
> > And could you tell me how you achieve 2. Because according to
> > documentation it is not possible to have systemd-ask-password insert a
> > key into a user's keylist:
> >
> > --keyname=
> > Configure a kernel keyring key name to use as cache for the
> > password. If set, then the tool will try to push any collected
> > passwords into the kernel keyring of the root user
> >
> > -Sietse
> > ________________________________________
> > From: systemd-devel <systemd-devel-bounces at lists.freedesktop.org> on
> > behalf of Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
> > Sent: Thursday, December 6, 2018 04:11
> > To: systemd-devel at lists.freedesktop.org
> > Subject: [systemd-devel] Systemd and kernel keyring
> >
> > Hi team,
> >
> > I'm working on accessing kernel keyring in my application started
> > using systemd.
> >
> > The list of steps I'm doing:
> >
> > 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC
> >    USER
> > 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> >    `systemd-ask-password` to accept the input and store it in the USER's
> >    kernel keyring
> > 3. In the main program started using `ExecStart`, I'm accessing the
> >    value stored in the keyring
> >
> > I'm able to access the values from my main program -- everything works
> > as expected! When I try to login as that specific user and do a
> > `keyctl show @u`, I find the entry.
> >
> > However, when I try to do `keyctl print <keyID>`, it throws a
> > "Permission Denied" error. IIUC, this protects the keys in the keyring
> > from being accessed outside the systemd service. Is it the desired
> > behaviour?
> >
> > I have the sample systemd unit file available in [1].
> >
> > [1]
> > https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
> >
> > Thanks,
> > Dinesh
> >
> > _______________________________________________
> > systemd-devel mailing list
> > systemd-devel at lists.freedesktop.org
> > https://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
>
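Why `keyctl show @u` can list a key that `keyctl print` (and `keyctl link <key> @s`) then refuses, as an added illustration that is not part of this thread: the Python below models the kernel's key_task_permission() rule over a constructed `keyctl rdescribe` line for the key discussed above (type, owner uid/gid and description taken from the thread; the mask 3f010000 is the default the kernel assigns to a key created with add_key()/`keyctl add`: the possessor gets every bit, the owning user only view). It shows that the same uid gains read and link only once it possesses the key, which is what linking the keyring that holds it into the session keyring provides.

```python
from collections import namedtuple

# One 6-bit permission group; the same layout is used for every subject.
PERMS = {"view": 0x01, "read": 0x02, "write": 0x04,
         "search": 0x08, "link": 0x10, "setattr": 0x20}
# Position of each subject's group inside the 32-bit key permission mask.
SHIFT = {"possessor": 24, "user": 16, "group": 8, "other": 0}
LETTERS = (("setattr", "a"), ("link", "l"), ("search", "s"),
           ("write", "w"), ("read", "r"), ("view", "v"))
KeyDesc = namedtuple("KeyDesc", "ktype uid gid perm desc")

def parse_rdescribe(line: str) -> KeyDesc:
    """Parse `keyctl rdescribe` output: type;uid;gid;perm(hex);description."""
    ktype, uid, gid, perm, desc = line.split(";", 4)
    return KeyDesc(ktype, int(uid), int(gid), int(perm, 16), desc)

def perm_string(perm: int) -> str:
    """Render the mask the way `keyctl describe` prints it (alswrv x 4)."""
    out = ""
    for subj in ("possessor", "user", "group", "other"):
        bits = (perm >> SHIFT[subj]) & 0x3F
        out += "".join(ch if bits & PERMS[op] else "-" for op, ch in LETTERS)
    return out

def may(key: KeyDesc, op: str, uid: int, gids: set, possessed: bool) -> bool:
    """Mirror the kernel's key_task_permission(): owner bits if the uid
    matches, else group bits if a gid matches, else 'other' bits; the
    possessor bits are OR'd in only when the caller holds the key."""
    if uid == key.uid:
        bits = key.perm >> SHIFT["user"]
    elif key.gid in gids and (key.perm >> SHIFT["group"]) & 0x3F:
        bits = key.perm >> SHIFT["group"]
    else:
        bits = key.perm
    if possessed:
        bits |= key.perm >> SHIFT["possessor"]
    return bool(bits & 0x3F & PERMS[op])

# Constructed sample: the thread's `user` key, owner uid/gid 17, with the
# default mask 3f010000 that add_key()/`keyctl add` assigns.
SAMPLE = "user;17;17;3f010000;nuxwdog:user"

def demo() -> dict:
    key = parse_rdescribe(SAMPLE)
    ops = ("view", "read", "link")  # show needs view, print read, link link
    return {"perms": perm_string(key.perm),
            # a uid-17 login shell whose keyrings do not hold the key ...
            "unpossessed": {op: may(key, op, 17, {17}, False) for op in ops},
            # ... and the same shell once the holding keyring is linked into @s
            "possessed": {op: may(key, op, 17, {17}, True) for op in ops}}
```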