[systemd-devel] keyrings and dbus
Andrei Borzenkov
arvidjaar at gmail.com
Thu Jun 13 10:18:35 UTC 2019
On 13.06.2019 11:11, Josef Moellers wrote:
> On 12.06.19 17:34, Andrei Borzenkov wrote:
...
>>
>> If I add pam_keyinit to systemd-user, I do get session keyring for gnome
>> terminal, but this is really wrong one:
>>
>> bor at 10:~> cat /proc/keys
>> 2133e406 I--Q--- 2 perm 1f3f0000 1000 65534 keyring _uid.1000: empty
>> 2aeff9b2 I--Q--- 67 perm 3f030000 1000 100 keyring _ses: 1
>> 3c18175c I--Q--- 93 perm 3f030000 1000 100 keyring _ses: 1
>> bor at 10:~> keyctl show -x
>> Session Keyring
>> 0x2aeff9b2 --alswrv 1000 100 keyring: _ses
>> 0x2133e406 --alswrv 1000 65534 \_ keyring: _uid.1000
>> bor at 10:~>
>
> Not really ... if you look at the keyring IDs (in the first column) eg
> in a gnome-terminal and in an xterm, you will see that both session
> keyrings (the "session keyring" in the xterm and the "user session
> keyring" in the gnome-terminal) link to the very same "user keyring":
>
I did not say "user keyring", I said "session keyring". Session keyring
is different.
bor at 10:~> keyctl show -x
Session Keyring
0x21a25f31 --alswrv 1000 65534 keyring: _uid_ses.1000
0x25f5781a --alswrv 1000 65534 \_ keyring: _uid.1000
bor at 10:~>
bor at 10:~> keyctl show -x
Session Keyring
0x279c03fc --alswrv 1000 100 keyring: _ses
0x25f5781a --alswrv 1000 65534 \_ keyring: _uid.1000
bor at 10:~>
> Leap-15.1:
> ssh:
> Keyring
> 69871887 --alswrv 1000 100 keyring: _ses
> 105956722 --alswrv 1000 65534 \_ keyring: _uid.1000
> -> Session Keyring (_ses) linked to User Keyring (_uid.<UID>)
>
> gnome-terminal(-server):
> Keyring
> 219457014 --alswrv 1000 65534 keyring: _uid_ses.1000
> 105956722 --alswrv 1000 65534 \_ keyring: _uid.1000
> -> User Session Keyring (_uid_ses.<UID>) linked to User Keyring (_uid.<UID>)
> User Keyring is identical with User Keyring in ssh
>
> xterm:
> Keyring
> 633373159 --alswrv 1000 100 keyring: _ses
> 105956722 --alswrv 1000 65534 \_ keyring: _uid.1000
>
> All three share the same "user keyring" with ID 105956722!
> This is the single keyring the kernel maintains for the user ID 1000.
>
Your question was about session keyring, not about user keyring.
>> so now there are two session keyrings, some of the processes (that for all
>> practical purposes *do* belong to the same user session) are attached to
>> one keyring, some to the other. Which makes it impossible to actually
>> use the session keyring to share keys.
>
> If keys are attached to the "user keyring", then, indeed, they can (and
> will) be shared as shown above!
>
And? That's what you have been told from the very beginning.
...
>
> TL;DR
> The addition of "session optional pam_keyinit.so force revoke" to
> /etc/pam.d/systemd-user seems to fix my problem.
At this point I lost track of what problem you are solving. You still have two
processes in the user login session (graphical environment) that are attached
to different session keyrings.
To quote:
"We have seen this problem: when you open a gnome-terminal, then the
shell in that terminal will not have the same keyring (created by
pam_keyinit.so) as the one eg in an xterm."
Adding pam_keyring.so to systemd-user pam configuration does *not* fix
it in any way.
> The only question which
> remains is if this has any adverse consequences.
>
You cannot use the session keyring to share keys between processes that the
user thinks of as belonging to the same (login) session.
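The check the thread is circling around, as an added example that is not part of the original e-mail, systemd or keyutils: capture `keyctl show -x` in two shells (say a gnome-terminal and an xterm), then compare the top-level keyring ID and the linked `_uid.<UID>` ID. It assumes the `keyctl show -x` line layout quoted above (ID, permissions, uid, gid, optional `\_`, `keyring:`, name); the two sample outputs are constructed from the values quoted in the thread, not captured fresh. A top-level keyring named `_ses` is one installed for the login session (pam_keyinit), while `_uid_ses.<UID>` is the kernel's per-user fallback handed to a process that has no session keyring, so the name alone tells you which of the two situations a shell is in.

```shell
#!/bin/sh
# Added example, not code from the thread. Run `keyctl show -x > /tmp/a` in one
# terminal and `> /tmp/b` in another, then:
#   compare_keyrings "$(cat /tmp/a)" "$(cat /tmp/b)"
# Exit status 0 means both shells are on the same session keyring.

# Constructed sample: gnome-terminal shell, values as quoted in the thread.
GNOME_TERMINAL_OUT='Session Keyring
0x21a25f31 --alswrv 1000 65534 keyring: _uid_ses.1000
0x25f5781a --alswrv 1000 65534 \_ keyring: _uid.1000'

# Constructed sample: xterm shell with a pam_keyinit session keyring.
XTERM_OUT='Session Keyring
0x279c03fc --alswrv 1000 100 keyring: _ses
0x25f5781a --alswrv 1000 65534 \_ keyring: _uid.1000'

# ID of the top-level keyring: the first 0x... line whose 5th field is
# "keyring:" (linked children have "\_" there instead).
session_keyring_id() {
    printf '%s\n' "$1" | awk '$1 ~ /^0x/ && $5 == "keyring:" { print $1; exit }'
}

# ID of the linked user keyring (_uid.<UID>), wherever it sits in the tree.
user_keyring_id() {
    printf '%s\n' "$1" | awk '$1 ~ /^0x/ && $NF ~ /^_uid\.[0-9]+$/ { print $1; exit }'
}

# Classify the top-level keyring by its name: "_ses" was created for the
# login session (pam_keyinit), "_uid_ses.<UID>" is the kernel's per-user
# fallback for processes without a session keyring.
session_keyring_kind() {
    case "$(printf '%s\n' "$1" | awk '$1 ~ /^0x/ && $5 == "keyring:" { print $NF; exit }')" in
        _ses)       echo session ;;
        _uid_ses.*) echo user-session ;;
        *)          echo unknown ;;
    esac
}

# Compare two captured outputs. Returns 0 only if the session keyring is
# shared; the user keyring result is reported but does not affect the status.
compare_keyrings() {
    sa=$(session_keyring_id "$1"); sb=$(session_keyring_id "$2")
    ua=$(user_keyring_id "$1");    ub=$(user_keyring_id "$2")
    if [ "$ua" = "$ub" ]; then
        echo "user keyring   : shared ($ua)"
    else
        echo "user keyring   : differs ($ua vs $ub)"
    fi
    if [ "$sa" = "$sb" ]; then
        echo "session keyring: shared ($sa)"
        return 0
    fi
    echo "session keyring: differs ($sa is $(session_keyring_kind "$1"), $sb is $(session_keyring_kind "$2"))"
    return 1
}

# Demonstration on the constructed samples: reports a shared _uid.1000 but
# differing session keyrings, so the status is 1.
compare_keyrings "$GNOME_TERMINAL_OUT" "$XTERM_OUT" || :
```

Keys added with `keyctl add ... @u` land in the shared `_uid.<UID>` keyring and are visible from both shells; keys added with `@s` land in whichever top-level keyring that shell happens to have, which is exactly why the two terminals above cannot exchange them.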