[systemd-devel] Systemd and kernel keyring

Dinesh Prasanth Moluguwan Krishnamoorthy dmoluguw at redhat.com
Fri Dec 7 19:47:16 UTC 2018


Oh damn! Yes. It worked!

So, my next question would be "how to avoid it?"

To expand a bit more:

I want to make these passwords inaccessible outside the systemd service,
even to that USER. (Or does that sound contradictory?)

Regards,
Dinesh

On Fri, 2018-12-07 at 11:36 +0000, Sietse van Zanen wrote:
> It's probably exactly that, you are running the keyctl in a
> subprocess and that's why the key is not available in your logon
> session. Let's reproduce the issue shall we.
> 
> First create a key for the user in a separate login session:
> [uglymotha at rdsan01 ~]$ sudo -H -u uglymotha keyctl add user bla bla @u
> 268450157
> 
> We have no access to the key
> [uglymotha at rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
> 
> Because it was added in another session and our current session is
> not linked to my user keyring, this does not (always) happen
> automatically on login.
> [uglymotha at rdsan01 ~]$ keyctl show @u
> Keyring
> 1004152344 --alswrv  11109 65534  keyring: _uid.11109
>  268450157 --alswrv  11109 10513   \_ user: bla
> 
> The current session keyring is still empty
> [uglymotha at rdsan01 ~]$ keyctl show @s
> Keyring
>  611271066 --alswrv      0     0  keyring: _ses
> 
> So link the user keyring to our current session keyring
> [uglymotha at rdsan01 ~]$ keyctl link @u @s
> 
> And we have access to the key.
> [uglymotha at rdsan01 ~]$ keyctl show @s 
> Keyring
>  611271066 --alswrv      0     0  keyring: _ses
> 1004152344 --alswrv  11109 65534   \_ keyring: _uid.11109
>  268450157 --alswrv  11109 10513       \_ user: bla
> [uglymotha at rdsan01 ~]$ keyctl print 268450157
> bla
> [uglymotha at rdsan01 ~]$ keyctl unlink @u @s
> [uglymotha at rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
> 
> -Sietse
> 
> -----Original Message-----
> From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com> 
> Sent: Thursday, 6 December, 2018 23:21
> To: Sietse van Zanen <sietse at wizdom.nu>; 
> systemd-devel at lists.freedesktop.org
> Subject: Re: [systemd-devel] Systemd and kernel keyring
> 
> Hi Sietse,
> 
> I tried doing that, but I wasn't able to link it:
> 
> [pkiuser at localhost]  $ keyctl show @u
> Keyring
>  461086211 --alswrv     17 65534  keyring: _uid.3
>  189019025 --alswrv     17    17   \_ user: nuxwdog:user
> [pkiuser at localhost]  $ keyctl link 189019025 @s
> keyctl_link: Permission denied
> 
> 
> I achieve 2 by doing a subprocess call that runs `keyctl add user <key Desc> <password> @u`
> 
> Regards,
> Dinesh
> 
> On Thu, 2018-12-06 at 11:57 +0000, Sietse van Zanen wrote:
> > Hi Dinesh,
> > 
> > Did you do a 'keyctl link @us @s' after logging in?
> > 
> > And could you tell me how you achieve 2. Because according to the
> > documentation it is not possible to have systemd-ask-password insert a
> > key into a user's keylist:
> >   --keyname=
> >             Configure a kernel keyring key name to use as cache for
> >             the password. If set, then the tool will try to push any
> >             collected passwords into the kernel keyring of the root user
> > 
> > -Sietse
> > ________________________________________
> > From: systemd-devel <systemd-devel-bounces at lists.freedesktop.org>
> > on behalf of Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
> > Sent: Thursday, December 6, 2018 04:11
> > To: systemd-devel at lists.freedesktop.org
> > Subject: [systemd-devel] Systemd and kernel keyring
> > 
> > Hi team,
> > 
> > I'm working on accessing the kernel keyring in my application, which is
> > started using systemd.
> > 
> > The list of steps I'm doing:
> > 
> > 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC USER
> > 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> >    `systemd-ask-password` to accept the input and store it in the USER's
> >    kernel keyring
> > 3. In the main program started using `ExecStart`, I'm accessing the value
> >    stored in the keyring
> > 
> > I'm able to access the values from my main program -- everything works
> > as expected! When I try to log in as that specific user and do a
> > `keyctl show @u`, I find the entry.
> > 
> > However, when I try to do `keyctl print <keyID>`, it throws a
> > "Permission Denied" error. IIUC, this protects the keys in the keyring
> > from being accessed outside the systemd service. Is it the desired
> > behaviour?
> > 
> > I have the sample systemd unit file available in [1].
> > 
> > [1]
> > https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
> > 
> > Thanks,
> > Dinesh
> > 
> > _______________________________________________
> > systemd-devel mailing list
> > systemd-devel at lists.freedesktop.org
> > https://lists.freedesktop.org/mailman/listinfo/systemd-devel
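An added example, not from this thread and not part of systemd or keyutils, that replays the
permission checks behind the "Permission denied" results above. The kernel decides access to a key
from a 32-bit mask (the hex value shown by `keyctl describe` and in /proc/keys), one byte per scope:
possessor, user, group, other. The owning UID's byte is selected by identity and the possessor byte is
OR'd in only when the caller reaches the key through a keyring it possesses (its own session
keyring, or anything linked under it). A user-type key added with `keyctl add` by a non-root user
gets 3f010000 (possessor: everything; user: view only), while a user keyring `_uid.N` gets 1f3f0000,
which is why `keyctl link <keyID> @s` is refused but `keyctl link @u @s` succeeds and then makes the
key readable. The /proc/keys lines are constructed for the example, and whether the caller possesses
the key is passed in as a flag rather than derived by walking the keyring chain.

```python
"""Decode kernel keyring permission masks and mirror the kernel's access
rule to explain the keyctl results seen in the thread (added example)."""

# Bit names inside each 8-bit scope byte, least significant bit first
# (values from <linux/keyctl.h>: VIEW=0x01 ... SETATTR=0x20).
PERM_NAMES = ("view", "read", "write", "search", "link", "setattr")
SCOPE_SHIFT = {"possessor": 24, "user": 16, "group": 8, "other": 0}

# Constructed /proc/keys lines (not captured from a real system):
# serial flags usage timeout perm uid gid type description
SAMPLE_PROC_KEYS = """\
1b7c5f83 I--Q---     2 perm 1f3f0000    17 65534 keyring   _uid.17: 1
0b43e511 I--Q---     1 perm 3f010000    17    17 user      nuxwdog:user: 12
"""


def decode_perm(mask):
    """Map a mask such as 0x3f010000 to {scope: set of permission names}."""
    out = {}
    for scope, shift in SCOPE_SHIFT.items():
        byte = (mask >> shift) & 0xFF
        out[scope] = {name for bit, name in enumerate(PERM_NAMES) if byte & (1 << bit)}
    return out


def parse_proc_keys(text):
    """Parse /proc/keys into {serial: {perm, uid, gid, type, desc}}."""
    keys = {}
    for line in text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue  # skip blank or truncated lines
        keys[int(fields[0], 16)] = {
            "perm": int(fields[4], 16),
            "uid": int(fields[5]),
            "gid": int(fields[6]),
            "type": fields[7],
            "desc": fields[8],
        }
    return keys


def permitted(key, need, uid, gids=(), possessed=False):
    """Return True if a process with fsuid `uid` (and groups `gids`) may
    perform `need` ("read", "link", ...) on `key`.  Pick the user, group
    or other byte by identity, then OR in the possessor byte when the
    key is reachable through a possessed keyring, as the kernel does."""
    perm = key["perm"]
    if uid == key["uid"]:
        kperm = perm >> 16
    elif key["gid"] in gids:
        kperm = perm >> 8
    else:
        kperm = perm
    if possessed:
        kperm |= perm >> 24
    return bool(kperm & 0xFF & (1 << PERM_NAMES.index(need)))


def explain_thread():
    """Replay the thread's commands from a uid-17 login shell whose
    session keyring is not (yet) linked to the user keyring."""
    keys = parse_proc_keys(SAMPLE_PROC_KEYS)
    uid_keyring = keys[0x1B7C5F83]
    secret = keys[0x0B43E511]
    return {
        # `keyctl print <keyID>`: same owner, but the user byte is view-only.
        "print_before_link": permitted(secret, "read", uid=17),
        # `keyctl link <keyID> @s`: LINK is needed on the key itself.
        "link_key_to_session": permitted(secret, "link", uid=17),
        # `keyctl link @u @s`: LINK on the user keyring, whose user byte is
        # 0x3f; WRITE on @s comes from possessing the session keyring.
        "link_user_keyring": permitted(uid_keyring, "link", uid=17),
        # After @u is linked under @s, the key sits in a possessed chain,
        # so the possessor byte (read included) now applies.
        "print_after_link": permitted(secret, "read", uid=17, possessed=True),
    }


if __name__ == "__main__":
    for mask in (0x3F010000, 0x1F3F0000):
        print(f"{mask:08x}: {decode_perm(mask)}")
    for step, allowed in explain_thread().items():
        print(f"{step}: {'allowed' if allowed else 'Permission denied'}")
```

The consequence for the question at the top of the thread: the owner of a user keyring always holds
LINK on `_uid.N`, so any process of that UID can link @u under its own session keyring and thereby
possess everything stored there; tightening the key's own mask with `keyctl setperm` does not change
that, because the possessor byte is what the linked chain grants.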