[systemd-devel] Systemd and kernel keyring

Dinesh Prasanth Moluguwan Krishnamoorthy dmoluguw at redhat.com
Fri Dec 7 19:17:10 UTC 2018


Sorry, I take my previous message back.

[pkiuser at localhost]  $ keyctl show @us
Keyring
 489278924 --alswrv     17 65534  keyring: _uid_ses.17
 597101514 --alswrv     17 65534   \_ keyring: _uid.17
 832804872 --alswrv     17    17       \_ user: nuxwdog:user

Regards,
Dinesh

On Fri, 2018-12-07 at 11:10 -0800, Dinesh Prasanth Moluguwan
Krishnamoorthy wrote:
> [pkiuser at localhost]  $ keyctl show @us
> Keyring
>  863455739 --alswrv     17 65534  keyring: _uid_ses.17
> 
> [pkiuser at localhost]  $ keyctl show @u
> Keyring
>  461086211 --alswrv     17 65534  keyring: _uid.17
>  722174553 --alswrv     17    17   \_ user: nuxwdog:user
> 
> [pkiuser at localhost]  $ keyctl link @u @s
> 
> [pkiuser at localhost]  $ keyctl show @us
> Keyring
>  863455739 --alswrv     17 65534  keyring: _uid_ses.17
> 
> Regards,
> Dinesh
> 
> On Fri, 2018-12-07 at 10:09 +0000, Sietse van Zanen wrote:
> > Dinesh,
> > 
> > That's linking the key to the session keyring. Also because you're
> > adding keys in a subprocess you do need to take care with setting
> > correct permissions on the key.
> > 
> > What does keyctl show @us say?
> > 
> > -Sietse
> > 
> > 
> > -----Original Message-----
> > From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
> > Sent: Thursday, 6 December, 2018 23:21
> > To: Sietse van Zanen <sietse at wizdom.nu>; 
> > systemd-devel at lists.freedesktop.org
> > Subject: Re: [systemd-devel] Systemd and kernel keyring
> > 
> > Hi Sietse,
> > 
> > I tried doing that, but I wasn't able to link it:
> > 
> > [pkiuser at localhost]  $ keyctl show @u
> > Keyring
> >  461086211 --alswrv     17 65534  keyring: _uid.3
> >  189019025 --alswrv     17    17   \_ user: nuxwdog:user
> > [pkiuser at localhost]  $ keyctl link 189019025 @s
> > keyctl_link: Permission denied
> > 
> > 
> > I achieve 2 by doing a subprocess call that runs `keyctl add user
> > <key Desc> <password> @u`
> > 
> > Regards,
> > Dinesh
> > 
> > On Thu, 2018-12-06 at 11:57 +0000, Sietse van Zanen wrote:
> > > Hi Dinesh,
> > > 
> > > Did you do a 'keyctl link @us @s' after logging in?
> > > 
> > > And could you tell me how you achieve 2. Because according to
> > > documentation it is not possible to have systemd-ask-password
> > > insert a key into a user's keylist:
> > >  --keyname=
> > >            Configure a kernel keyring key name to use as cache for
> > >            the password. If set, then the tool will try to push any
> > >            collected passwords into the kernel keyring of the root user
> > > 
> > > -Sietse
> > > ________________________________________
> > > From: systemd-devel <systemd-devel-bounces at lists.freedesktop.org>
> > > on behalf of Dinesh Prasanth Moluguwan Krishnamoorthy
> > > <dmoluguw at redhat.com>
> > > Sent: Thursday, December 6, 2018 04:11
> > > To: systemd-devel at lists.freedesktop.org
> > > Subject: [systemd-devel] Systemd and kernel keyring
> > > 
> > > Hi team,
> > > 
> > > I'm working on accessing the kernel keyring in my application
> > > started using systemd.
> > > 
> > > The list of steps I'm doing:
> > > 
> > > 1. Starting a systemd service with `KeyringMode=shared` as a
> > >    SPECIFIC USER
> > > 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> > >    `systemd-ask-password` to accept the input and store it in the
> > >    USER's kernel keyring
> > > 3. In the main program started using `ExecStart`, I'm accessing
> > >    the value stored in the keyring
> > > 
> > > I'm able to access the values from my main program -- everything
> > > works as expected! When I try to login as that specific user and
> > > do a `keyctl show @u`, I find the entry.
> > > 
> > > However, when I try to do `keyctl print <keyID>`, it throws a
> > > "Permission Denied" error. IIUC, this protects the keys in the
> > > keyring from being accessed from outside the systemd service. Is it
> > > the desired behaviour?
> > > 
> > > I have the sample systemd unit file available in [1].
> > > 
> > > [1] https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
> > > 
> > > Thanks,
> > > Dinesh
> > > 
> > > _______________________________________________
> > > systemd-devel mailing list
> > > systemd-devel at lists.freedesktop.org
> > > https://lists.freedesktop.org/mailman/listinfo/systemd-devel
> > 
> > 
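The thread turns on two things the `keyctl show` output does not make visible: a key listed under `@u` is only readable by a process that either possesses it (reaches it through one of its own keyrings, which is what `keyctl link @u @s` arranges) or has the matching user/group/other permission bit, and `keyctl show` prints only the possessor byte of the mask (the `alswrv` letters). The script below is an added example, not code from the thread, keyutils or systemd. It decodes the hex permission mask that `keyctl describe`/`keyctl rdescribe` report, replays the kernel's permission check in simplified form (supplementary group membership is not modelled), and computes the mask to hand to `keyctl setperm` so the owning uid can read the key without possessing it. The bit values are those from `<keyutils.h>`; the sample key id and uid are taken from the `keyctl show @u` output in the thread, and the user byte of its mask is assumed to be the kernel default for a key created with `keyctl add` (possessor all, user view-only, 3f010000).

```shell
#!/bin/sh
# Added example (not from the thread, keyutils or systemd): decode a kernel key
# permission mask and replay the kernel's check to see why a key that appears in
# `keyctl show @u` is still refused by `keyctl print <keyID>`.

# Bit values inside one 8-bit permission byte (<keyutils.h>). The 32-bit mask
# holds four such bytes: possessor (bits 24-31), user (16-23), group (8-15),
# other (0-7).
KEY_VIEW=1 KEY_READ=2 KEY_WRITE=4 KEY_SEARCH=8 KEY_LINK=16 KEY_SETATTR=32

# render_byte N: print one byte in the "alswrv" form `keyctl show` uses
# (setattr, link, search, write, read, view); a missing bit prints as "-".
render_byte() {
    byte=$(( $1 ))
    out=""
    for pair in "$KEY_SETATTR:a" "$KEY_LINK:l" "$KEY_SEARCH:s" \
                "$KEY_WRITE:w" "$KEY_READ:r" "$KEY_VIEW:v"; do
        bit=${pair%%:*}
        ch=${pair##*:}
        if [ $(( byte & bit )) -ne 0 ]; then out="$out$ch"; else out="$out-"; fi
    done
    printf '%s' "$out"
}

# decode_perm HEXMASK: render all four subject bytes of a mask such as 3f010000.
decode_perm() {
    mask=$(( 0x$1 ))
    printf 'possessor=%s user=%s group=%s other=%s' \
        "$(render_byte $(( (mask >> 24) & 255 )))" \
        "$(render_byte $(( (mask >> 16) & 255 )))" \
        "$(render_byte $(( (mask >> 8) & 255 )))" \
        "$(render_byte $(( mask & 255 )))"
}

# key_allows HEXMASK KEY_UID KEY_GID POSSESSED(yes|no) CALLER_UID CALLER_GID NEEDBIT
# Simplified replay of the kernel's key_task_permission(): choose the user,
# group or other byte by ownership, then OR in the possessor byte when the key
# is reachable from one of the caller's keyrings (possessor rights are
# additive). Supplementary groups are not modelled. Exit status 0 = permitted.
key_allows() {
    mask=$(( 0x$1 )); key_uid=$2; key_gid=$3; possessed=$4
    caller_uid=$5; caller_gid=$6; need=$7
    if [ "$key_uid" -eq "$caller_uid" ]; then
        eff=$(( (mask >> 16) & 255 ))
    elif [ "$key_gid" -eq "$caller_gid" ]; then
        eff=$(( (mask >> 8) & 255 ))
    else
        eff=$(( mask & 255 ))
    fi
    if [ "$possessed" = yes ]; then
        eff=$(( eff | ((mask >> 24) & 255) ))
    fi
    [ $(( eff & need )) -eq "$need" ]
}

# grant_user_read HEXMASK: the mask to pass to `keyctl setperm <key> 0x<mask>`
# so the key's owning uid can read it even from a process that does not possess it.
grant_user_read() {
    printf '%08x' $(( (0x$1) | (KEY_READ << 16) ))
}

# Constructed sample taken from the thread: `keyctl show @u` as uid 17 listed
# "832804872 --alswrv 17 17 user: nuxwdog:user". Only the possessor byte is
# shown there; the user byte is assumed to be the kernel default (view-only),
# i.e. mask 3f010000, which is what a key added with `keyctl add` gets.
KEY_ID=832804872
MASK=3f010000
echo "key $KEY_ID: $(decode_perm $MASK)"

# A login shell of uid 17 that does not possess the key: read is refused,
# which is the "Permission denied" that `keyctl print` reports.
if key_allows $MASK 17 17 no 17 17 $KEY_READ; then
    echo "uid 17, not possessed: read allowed"
else
    echo "uid 17, not possessed: Permission denied"
fi
# Same uid once the key is possessed (e.g. @u linked into the session keyring).
if key_allows $MASK 17 17 yes 17 17 $KEY_READ; then
    echo "uid 17, possessed: read allowed"
fi
# Sietse's alternative: fix the permissions instead of relying on possession.
NEW=$(grant_user_read $MASK)
echo "keyctl setperm $KEY_ID 0x$NEW  ->  $(decode_perm $NEW)"
if ! key_allows $NEW 17 17 no 1000 1000 $KEY_READ; then
    echo "uid 1000 still cannot read after setperm"
fi
```

Granting the user byte read permission widens access to every process running as that uid, not just the service, so on a shared host linking the key into the service's session keyring (possession) is the tighter option; the mask decoder makes it easy to check what `keyctl setperm` actually handed out.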
