[systemd-devel] Systemd and kernel keyring

Sietse van Zanen sietse at wizdom.nu
Mon Dec 10 10:21:53 UTC 2018


> I want to make these passwords inaccessible outside the systemd service
> even by that USER. (or does it sound something contradictory?)

In that case you cannot use the user keyring, as any key there will always be available to the user. You will either need to use the process keyring, or the session keyring for your service.

-Sietse

________________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
Sent: Friday, December 7, 2018 20:47
To: Sietse van Zanen; systemd-devel at lists.freedesktop.org
Subject: Re: [systemd-devel] Systemd and kernel keyring

Oh damn! Yes. It worked!

So, my next question would be "how to avoid it?"

To expand a bit more:

I want to make these passwords inaccessible outside the systemd service
even by that USER. (or does it sound something contradictory?)

Regards,
Dinesh

On Fri, 2018-12-07 at 11:36 +0000, Sietse van Zanen wrote:
> It's probably exactly that, you are running the keyctl in a
> subprocess and that's why the key is not available in your logon
> session. Let's reproduce the issue shall we.
>
> First create a key for the user in a separate login session:
> [uglymotha at rdsan01 ~]$ sudo -H -u uglymotha keyctl add user bla bla @u
> 268450157
>
> We have no access to the key
> [uglymotha at rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
>
> Because it was added in another session and our current session is
> not linked to my user keyring, this does not (always) happen
> automatically on login.
> [uglymotha at rdsan01 ~]$ keyctl show @u
> Keyring
> 1004152344 --alswrv  11109 65534  keyring: _uid.11109
>  268450157 --alswrv  11109 10513   \_ user: bla
>
> The current session keyring is still empty
> [uglymotha at rdsan01 ~]$ keyctl show @s
> Keyring
>  611271066 --alswrv      0     0  keyring: _ses
>
> So link the user keyring to our current session keyring
> [uglymotha at rdsan01 ~]$ keyctl link @u @s
>
> And we have access to the key.
> [uglymotha at rdsan01 ~]$ keyctl show @s
> Keyring
>  611271066 --alswrv      0     0  keyring: _ses
> 1004152344 --alswrv  11109 65534   \_ keyring: _uid.11109
>  268450157 --alswrv  11109 10513       \_ user: bla
> [uglymotha at rdsan01 ~]$ keyctl print 268450157
> bla
> [uglymotha at rdsan01 ~]$ keyctl unlink @u @s
> [uglymotha at rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
>
> -Sietse
>
> -----Original Message-----
> From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
> Sent: Thursday, 6 December, 2018 23:21
> To: Sietse van Zanen <sietse at wizdom.nu>;
> systemd-devel at lists.freedesktop.org
> Subject: Re: [systemd-devel] Systemd and kernel keyring
>
> Hi Sietse,
>
> I tried doing that, but I wasn't able to link it:
>
> [pkiuser at localhost]  $ keyctl show @u
> Keyring
>  461086211 --alswrv     17 65534  keyring: _uid.3
>  189019025 --alswrv     17    17   \_ user: nuxwdog:user
> [pkiuser at localhost]  $ keyctl link 189019025 @s
> keyctl_link: Permission denied
>
>
> I achieve 2 by doing a subprocess call that runs
> `keyctl add user <key Desc> <password> @u`
>
> Regards,
> Dinesh
>
> On Thu, 2018-12-06 at 11:57 +0000, Sietse van Zanen wrote:
> > Hi Dinesh,
> >
> > Did you do a 'keyctl link @us @s' after logging in?
> >
> > And could you tell me how you achieve 2. Because according to
> > documentation it is not possible to have systemd-ask-password insert a
> > key into a users keylist:
> >   --keyname=
> >             Configure a kernel keyring key name to use as cache for the
> >             password. If set, then the tool will try to push any collected
> >             passwords into the kernel keyring of the root user
> >
> > -Sietse
> > ________________________________________
> > From: systemd-devel <systemd-devel-bounces at lists.freedesktop.org>
> > on
> > behalf of Dinesh Prasanth Moluguwan Krishnamoorthy <
> > dmoluguw at redhat.com>
> > Sent: Thursday, December 6, 2018 04:11
> > To: systemd-devel at lists.freedesktop.org
> > Subject: [systemd-devel] Systemd and kernel keyring
> >
> > Hi team,
> >
> > I'm working on accessing kernel keyring in my application started
> > using systemd.
> >
> > The list of steps I'm doing:
> >
> > 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC
> >    USER
> > 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> >    `systemd-ask-password` to accept the input and store it in the USER's
> >    kernel keyring
> > 3. In the main program started using `ExecStart`, I'm accessing the
> >    value stored in the keyring
> >
> > I'm able to access the values from my main program -- everything
> > works
> > as expected! When I try to login as that specific user and do a
> > `keyctl show @u`, I find the entry.
> >
> > However, when I try to do `keyctl print <keyID>`, it throws
> > "Permission Denied" error. IIUC, this protects the keys in the
> > keyring
> > from accessing outside the systemd service. Is it the desired
> > behaviour?
> >
> > I have the sample systemd unit file available in [1].
> >
> > [1] https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
> >
> > Thanks,
> > Dinesh
> >
> > _______________________________________________
> > systemd-devel mailing list
> > systemd-devel at lists.freedesktop.org
> > https://lists.freedesktop.org/mailman/listinfo/systemd-devel
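
The permission logic behind the quoted `keyctl` transcript, as an added example that is not part of the original messages: a simplified Python model of the kernel's per-key permission check, showing why the owner can see a key in `@u` but cannot read or link it until the keyring is linked into the session (possession). The default mask `0x3f010000` for a `user` key is an assumption, since the thread does not show it; the uid and gid are those in the quoted `keyctl show` output.

```python
# Added example: simplified model of the kernel's key permission check.
# Permission bits inside each 6-bit field of the 32-bit key mask.
VIEW, READ, WRITE, SEARCH, LINK, SETATTR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumption: mask the kernel gives a "user" key created via add_key()
# (possessor: all six bits, owner uid: view only, group/other: nothing).
DEFAULT_USER_KEY_PERM = 0x3F010000


def effective_bits(perm, key_uid, key_gid, uid, gids, possessed):
    """Return the 6-bit permission set a caller holds on a key."""
    if uid == key_uid:
        bits = (perm >> 16) & 0x3F      # owner field
    elif key_gid in gids:
        bits = (perm >> 8) & 0x3F       # group field
    else:
        bits = perm & 0x3F              # other field
    if possessed:
        bits |= (perm >> 24) & 0x3F     # possessor field is added on top
    return bits


def flags(bits):
    """Render a permission set in the 'alswrv' order used by keyctl."""
    order = [(SETATTR, "a"), (LINK, "l"), (SEARCH, "s"),
             (WRITE, "w"), (READ, "r"), (VIEW, "v")]
    return "".join(c if bits & b else "-" for b, c in order)


def check(need, possessed, perm=DEFAULT_USER_KEY_PERM):
    """Can the key's owner perform `need`, with or without possession?"""
    # Constructed caller: uid 11109 / gid 10513 as in the quoted transcript.
    bits = effective_bits(perm, key_uid=11109, key_gid=10513,
                          uid=11109, gids={10513}, possessed=possessed)
    return bool(bits & need)


if __name__ == "__main__":
    # possessed=False: session keyring not linked to @u; True: after the link.
    for possessed in (False, True):
        bits = effective_bits(DEFAULT_USER_KEY_PERM, 11109, 10513,
                              11109, {10513}, possessed)
        print(f"possessed={possessed}: {flags(bits)} "
              f"read={check(READ, possessed)} link={check(LINK, possessed)}")
```

Without possession the owner holds only the view bit, which matches both failures in the thread: `keyctl print` needs read, and `keyctl link <key> @s` needs link on the key.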


