[systemd-devel] keyrings and dbus

Andrei Borzenkov arvidjaar at gmail.com
Thu Jun 13 10:18:35 UTC 2019


13.06.2019 11:11, Josef Moellers wrote:
> On 12.06.19 17:34, Andrei Borzenkov wrote:
...
>>
>> If I add pam_keyinit to systemd-user, I do get a session keyring for gnome
>> terminal, but this is really the wrong one:
>>
>> bor at 10:~> cat /proc/keys
>> 2133e406 I--Q---     2 perm 1f3f0000  1000 65534 keyring   _uid.1000: empty
>> 2aeff9b2 I--Q---    67 perm 3f030000  1000   100 keyring   _ses: 1
>> 3c18175c I--Q---    93 perm 3f030000  1000   100 keyring   _ses: 1
>> bor at 10:~> keyctl show -x
>> Session Keyring
>> 0x2aeff9b2 --alswrv   1000   100  keyring: _ses
>> 0x2133e406 --alswrv   1000 65534   \_ keyring: _uid.1000
>> bor at 10:~>
> 
> Not really ... if you look at the keyring IDs (in the first column) eg
> in a gnome-terminal and in an xterm, you will see that both session
> keyrings (the "session keyring" in the xterm and the "user session
> keyring" in the gnome-terminal) link to the very same "user keyring":
> 

I did not say "user keyring", I said "session keyring". Session keyring
is different.

bor at 10:~> keyctl show -x
Session Keyring
0x21a25f31 --alswrv   1000 65534  keyring: _uid_ses.1000
0x25f5781a --alswrv   1000 65534   \_ keyring: _uid.1000
bor at 10:~>

bor at 10:~> keyctl show -x
Session Keyring
0x279c03fc --alswrv   1000   100  keyring: _ses
0x25f5781a --alswrv   1000 65534   \_ keyring: _uid.1000
bor at 10:~>

> Leap-15.1:
> ssh:
> Keyring
>   69871887 --alswrv   1000   100  keyring: _ses
>  105956722 --alswrv   1000 65534   \_ keyring: _uid.1000
> -> Session Keyring (_ses) linked to User Keyring (_uid.<UID>)
> 
> gnome-terminal(-server):
> Keyring
>  219457014 --alswrv   1000 65534  keyring: _uid_ses.1000
>  105956722 --alswrv   1000 65534   \_ keyring: _uid.1000
> -> User Session Keyring (_uid_ses.<UID>) linked to User Keyring (_uid.<UID>)
>    User Keyring is identical with User Keyring in ssh
> 
> xterm:
> Keyring
>  633373159 --alswrv   1000   100  keyring: _ses
>  105956722 --alswrv   1000 65534   \_ keyring: _uid.1000
> 
> All three share the same "user keyring" with ID 105956722!
> This is the single keyring the kernel maintains for the user ID 1000.
> 

Your question was about session keyring, not about user keyring.

>> so now there are two session keyrings, some of the processes (that for all
>> practical purposes *do* belong to the same user session) are attached to
>> one keyring, some to the other. Which makes it impossible to actually
>> use the session keyring to share keys.
> 
> If keys are attached to the "user keyring", then, indeed, they can (and
> will) be shared as shown above!
> 

And? That's what you have been told from the very beginning.
...
> 
> TL;DR
> The addition of "session optional pam_keyinit.so force revoke" to
> /etc/pam.d/systemd-user seems to fix my problem.

At this point I have lost track of what problem you are solving. You still
have two processes in the user login session (graphical environment) that
attach to different session keyrings.

To quote:

"We have seen this problem: when you open a gnome-terminal, then the
shell in that terminal will not have the same keyring (created by
pam_keyinit.so) as the one eg in an xterm."

Adding pam_keyring.so to systemd-user pam configuration does *not* fix
it in any way.

> The only question which
> remains is if this has any adverse consequences.
>

You cannot use the session keyring to share keys between processes that the
user thinks of as belonging to the same (login) session.
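
The following is an added example, not part of the original message or of systemd: a small parser that compares two `keyctl show` outputs and reports whether the processes share a session keyring or only a linked keyring underneath it. The function names are hypothetical; the sample input is the two `keyctl show -x` outputs quoted in the message above.

```python
import re

# One keyring row of `keyctl show` output: ID, permissions, uid, gid, name.
# The ID is hex with -x (0x279c03fc) and decimal without it (633373159).
ROW = re.compile(
    r"^\s*(0x[0-9a-fA-F]+|\d+)\s+\S+\s+\d+\s+\d+\s+(\\_\s+)?keyring:\s+(\S+)\s*$"
)

def parse_keyctl_show(text):
    """Return ((id, name) of the session keyring, {id: name} linked under it)."""
    session, linked = None, {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header line, shell prompt, or a non-keyring key
        raw, child, name = m.groups()
        key_id = int(raw, 16) if raw.startswith("0x") else int(raw)
        if child:                      # row prefixed with "\_" is a linked keyring
            linked[key_id] = name
        elif session is None:          # first top-level row is the session keyring
            session = (key_id, name)
    if session is None:
        raise ValueError("no session keyring row found")
    return session, linked

def compare(a_text, b_text):
    """Compare the keyrings seen by two processes, matching on keyring ID."""
    (a_id, a_name), a_linked = parse_keyctl_show(a_text)
    (b_id, b_name), b_linked = parse_keyctl_show(b_text)
    common = a_linked.keys() & b_linked.keys()
    return {
        "same_session_keyring": a_id == b_id,
        "session_names": (a_name, b_name),
        "shared_linked": sorted(a_linked[k] for k in common),
    }

# Sample input: the two outputs from the message above (two processes, one login).
PROC_A = r"""Session Keyring
0x21a25f31 --alswrv   1000 65534  keyring: _uid_ses.1000
0x25f5781a --alswrv   1000 65534   \_ keyring: _uid.1000
"""
PROC_B = r"""Session Keyring
0x279c03fc --alswrv   1000   100  keyring: _ses
0x25f5781a --alswrv   1000 65534   \_ keyring: _uid.1000
"""

if __name__ == "__main__":
    print(compare(PROC_A, PROC_B))
```

On the sample input the session keyring IDs differ while `_uid.1000` is common to both, so a key added to the session keyring by one process is not reachable through the other's session keyring.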

