On Fri, 2020-05-15 at 12:34 -0700, James Bottomley wrote:
> On Fri, 2020-05-15 at 12:17 -0700, Jerry Snitselaar wrote:
> > On Fri May 15 20, Jarkko Sakkinen wrote:
> > > On Thu, May 14, 2020 at 08:44:23PM -0700, James Bottomley wrote:
> > > > On Fri, 2020-05-15 at 05:22 +0300, Jarkko Sakkinen wrote:
> > [...]
> > > > > sudo ./keyctl-smoke.sh
> > > > > 566201053 (0x80000000)
> > > > > keyctl_read_alloc: Permission denied
> >
> > I get keyctl_read_alloc -EPERM when I 'sudo su' and try to play with
> > keyctl print.
> > If I 'sudo su -' and then try it works as expected. Also works for
> > normal user.
>
> OK, I confirm on debian as well. If I create a key as real root and
> then try to sudo su keyctl pipe it as an ordinary user, I get EPERM.
>
> It smells like a cockup in real vs effective permissions somewhere in
> the keyctl handler.

OK, so the problem is

    sudo keyctl list @s

Still shows the session keys of the previous user that causes

    sudo keyctl show

on a root owned key to fail the is_key_possessed() check, returning
-EACCESS which gets translated to EPERM

if you do

    sudo su -

Then keyctl list @s shows the root session keyring and everything works

I think that means the solution is not to run the smoke test under sudo
but to do sudo -s and then run it.

James
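The mismatch James describes (plain sudo leaves the invoking user's session keyring attached, so root-owned keys fail the possession check) can be caught before a smoke test runs. The preflight script below is an added example, not code from the thread or from keyutils; it assumes the "keyctl rdescribe @s" output format "<type>;<uid>;<gid>;<perms>;<description>" and, when keyctl is not installed, falls back to a constructed sample line so the parsing can be exercised without root.

```shell
#!/bin/sh
# Preflight check for a keyctl smoke test (added example, not from the thread).
# Refuses to proceed when the session keyring attached to this process is
# not owned by the effective uid, which is the state left behind by plain
# "sudo" and the cause of the EPERM seen in the thread.
#
# Assumption: keyutils' "keyctl rdescribe @s" prints
#   <type>;<uid>;<gid>;<perms>;<description>

# Print the owner uid field from an rdescribe line.
rdescribe_uid() {
    printf '%s\n' "$1" | cut -d ';' -f 2
}

# Return 0 when the keyring described by $1 is owned by uid $2, else 1.
session_keyring_owned_by() {
    desc="$1"
    uid="$2"
    [ "$(rdescribe_uid "$desc")" = "$uid" ]
}

# Decide whether the smoke test may run; prints the reason on mismatch.
# Usage: smoke_test_preflight "<rdescribe line>" "<effective uid>"
smoke_test_preflight() {
    desc="$1"
    euid="$2"
    if session_keyring_owned_by "$desc" "$euid"; then
        echo "ok: session keyring owned by uid $euid"
        return 0
    fi
    echo "refusing: session keyring belongs to uid $(rdescribe_uid "$desc")," \
         "euid is $euid (plain 'sudo' keeps the caller's session keyring;" \
         "run under 'sudo -s' or 'sudo su -' so @s is root's own keyring)"
    return 1
}

# Live check when keyutils is present; otherwise exercise the parser on a
# constructed sample representing a uid-1000 session keyring seen by euid 0.
if command -v keyctl >/dev/null 2>&1; then
    smoke_test_preflight "$(keyctl rdescribe @s)" "$(id -u)" || :
else
    smoke_test_preflight "keyring;1000;1000;3f030000;_ses" 0 || :
fi
```

Run it as the first step of the smoke test; under plain sudo it prints the "refusing" line, while under sudo -s the @s keyring is root's own and the check passes.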