[systemd-devel] keyrings and dbus

Lennart Poettering lennart at poettering.net
Mon Jun 17 18:25:35 UTC 2019


On Di, 11.06.19 12:07, Josef Moellers (jmoellers at suse.de) wrote:

> Hi,
>
> We have seen this problem: when you open a gnome-terminal, then the
> shell in that terminal will not have the same keyring (created by
> pam_keyinit.so) as the one eg in an xterm. This is due to the fact that
> the xterm is started by the standard fork/exec mechanism which passes
> the keyring down to the children and the gnome-terminal (actually
> gnome-terminal-server) is started by sending a dbus message to some
> instance which then starts the terminal process.
>
> AAMOF the gnome-terminal does not even have a keyring, so if one asks
> for it ("keyctl show @s"), it is created on the fly. This causes the
> kernel to create a keyring as a "user session keyring" while the GNOME
> session (and thus the xterm) has a "session keyring".
>
> Has anyone seen this and/or, most important question, does anyone have
> an idea how to solve this?
>
> I know that, strictly speaking, this is not a systemd question, but
> we're trying to probe many sources to see if anyone has a solution.

So, I think you found most of this out already, but the "session"
keyring concept is not particularly useful in today's world where
desktops run with a per-user systemd instance of which most apps are
forked off. Just don't bother with session keyrings besides ensuring
they are properly created. Make sure that every PAM session comes with
pam_keyinit configured, so that they all get their own keyring
properly hooked up (and that includes the PAM session systemd --user
runs as) but other than that, don't make use of it, as it makes no
sense in a world where every session of the same user shares the same
service manager that does not inherit process attributes from the
user's original login session.

Note that usually the user keyring ends up being linked into the
session keyring (if pam_keyinit is properly set up), and hence if some
code does request_key() to find a key it will end up being searched,
hence, if you just insert your keys into the user keyring, then
everything should be great as long as the keyrings are correctly
linked up. Never insert keys into the session keyring though, because
then your other sessions and everything forked off the systemd user
instance won't find it.

I wish they had substantially dumbed down the keyring system. With
all these keyrings that do not make much sense in the actual real-life
world they pretty much created a monster.

Lennart

--
Lennart Poettering, Berlin
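The scoping rule Lennart describes above, as an added example that is not code from this thread or from systemd or pam_keyinit: a key placed in the session keyring (@s) of one session is invisible to a process running under a different session keyring, while a key placed in the user keyring (@u) is found by request_key() as soon as @u is linked into that process's @s, which is the link pam_keyinit sets up. The program uses the raw Linux add_key/request_key/keyctl syscalls (so it needs only glibc and the kernel UAPI header, not libkeyutils); the key descriptions and payload are constructed for the demo, and the function and struct names are the example's own. Sandboxes that deny these syscalls (the default Docker seccomp profile returns EPERM) make the demo report that keyrings are unusable rather than run it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>

typedef int32_t key_serial_t;

/* Thin wrappers over the raw syscalls so the program needs no libkeyutils. */
static key_serial_t sys_add_key(const char *type, const char *desc,
                                const void *payload, size_t plen, long ring)
{
    return (key_serial_t)syscall(SYS_add_key, type, desc, payload, plen, ring);
}

/* NULL callout_info: no /sbin/request-key upcall, so an unmatched search
 * simply fails with ENOKEY instead of trying to construct the key. */
static key_serial_t sys_request_key(const char *type, const char *desc)
{
    return (key_serial_t)syscall(SYS_request_key, type, desc, (void *)0, 0L);
}

static long sys_keyctl(long cmd, long a2, long a3, long a4, long a5)
{
    return syscall(SYS_keyctl, cmd, a2, a3, a4, a5);
}

/* 1 if this kernel/sandbox lets us touch keyrings at all (seccomp profiles
 * that deny keyctl, as Docker's default does, make this return 0). */
int keyrings_usable(void)
{
    return sys_keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_USER_KEYRING, 1, 0, 0) >= 0;
}

struct demo_result {
    int session_key_found_in_new_session;  /* expected 0 */
    int user_key_found_before_link;        /* expected 0 */
    int user_key_found_after_link;         /* expected 1 */
    int session_key_found_after_link;      /* expected 0 */
};

/* Runs the scenario; returns 0 on success or -errno if a syscall failed,
 * and records the outcome of each request_key() search in *r. */
int run_keyring_demo(struct demo_result *r)
{
    /* constructed descriptions and a throwaway payload for "user" keys */
    const char *session_desc = "demo:placed-in-session-keyring";
    const char *user_desc    = "demo:placed-in-user-keyring";
    static const char payload[] = "not-a-real-secret";
    key_serial_t k;

    memset(r, 0, sizeof *r);

    /* Step 1, the login-session side: one key into @s (created on the fly if
     * this process has no session keyring yet) and one into @u. */
    if (sys_add_key("user", session_desc, payload, sizeof payload,
                    KEY_SPEC_SESSION_KEYRING) < 0)
        return -errno;
    if (sys_add_key("user", user_desc, payload, sizeof payload,
                    KEY_SPEC_USER_KEYRING) < 0)
        return -errno;

    /* Step 2, the other side: a fresh anonymous session keyring, which is the
     * position of a process that was not forked from the login shell. */
    if (sys_keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0) < 0)
        return -errno;
    r->session_key_found_in_new_session = sys_request_key("user", session_desc) >= 0;
    r->user_key_found_before_link       = sys_request_key("user", user_desc) >= 0;

    /* Step 3, what pam_keyinit does for each PAM session: link @u into @s so
     * the keyring search done by request_key() reaches @u. */
    if (sys_keyctl(KEYCTL_LINK, KEY_SPEC_USER_KEYRING, KEY_SPEC_SESSION_KEYRING, 0, 0) < 0)
        return -errno;
    r->user_key_found_after_link    = sys_request_key("user", user_desc) >= 0;
    r->session_key_found_after_link = sys_request_key("user", session_desc) >= 0;

    /* Tidy up: @u outlives this process, so drop the demo key from it. */
    k = sys_request_key("user", user_desc);
    if (k >= 0)
        sys_keyctl(KEYCTL_UNLINK, k, KEY_SPEC_USER_KEYRING, 0, 0);
    return 0;
}

/* 1 if the demo ran and every search came out as the thread predicts. */
int demo_confirms_scoping(void)
{
    struct demo_result r;
    if (run_keyring_demo(&r) != 0)
        return 0;
    return !r.session_key_found_in_new_session && !r.user_key_found_before_link
        && r.user_key_found_after_link && !r.session_key_found_after_link;
}

int main(void)
{
    struct demo_result r;
    int rc;

    if (!keyrings_usable()) {
        fprintf(stderr, "kernel keyrings not usable here: %s\n", strerror(errno));
        return 1;
    }
    rc = run_keyring_demo(&r);
    if (rc != 0) {
        fprintf(stderr, "demo failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("key in old @s, searched from new @s:     %s\n",
           r.session_key_found_in_new_session ? "found" : "not found");
    printf("key in @u, before linking @u into @s:    %s\n",
           r.user_key_found_before_link ? "found" : "not found");
    printf("key in @u, after linking @u into @s:     %s\n",
           r.user_key_found_after_link ? "found" : "not found");
    printf("key in old @s, after linking @u into @s: %s\n",
           r.session_key_found_after_link ? "found" : "not found");
    return 0;
}
```

Run it from an ordinary login shell and compare with `keyctl show @s` before and after: the key added to the old @s is never found from the new session keyring, with or without the @u link, which is exactly why keys meant for every session of the user belong in @u and not in @s. Note that the program deliberately passes a NULL callout string to request_key(), so a miss is a plain ENOKEY and no request-key upcall is attempted.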

