Oh damn! Yes. It worked! So, my next question would be "how to avoid it?" To expand a bit more: I want to make these passwords inaccessible outside the systemd service even by that USER. (Or does it sound something contradictory?)

Regards,
Dinesh

On Fri, 2018-12-07 at 11:36 +0000, Sietse van Zanen wrote:
> It's probably exactly that, you are running the keyctl in a
> subprocess and that's why the key is not available in your logon
> session. Let's reproduce the issue, shall we.
>
> First create a key for the user in a separate login session:
> [uglymotha@rdsan01 ~]$ sudo -H -u uglymotha keyctl add user bla bla @u
> 268450157
>
> We have no access to the key
> [uglymotha@rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
>
> Because it was added in another session and our current session is
> not linked to my user keyring, this does not (always) happen
> automatically on login.
> [uglymotha@rdsan01 ~]$ keyctl show @u
> Keyring
> 1004152344 --alswrv  11109 65534  keyring: _uid.11109
>  268450157 --alswrv  11109 10513   \_ user: bla
>
> The current session keyring is still empty
> [uglymotha@rdsan01 ~]$ keyctl show @s
> Keyring
>  611271066 --alswrv      0     0  keyring: _ses
>
> So link the user keyring to our current session keyring
> [uglymotha@rdsan01 ~]$ keyctl link @u @s
>
> And we have access to the key.
> [uglymotha@rdsan01 ~]$ keyctl show @s
> Keyring
>  611271066 --alswrv      0     0  keyring: _ses
> 1004152344 --alswrv  11109 65534   \_ keyring: _uid.11109
>  268450157 --alswrv  11109 10513       \_ user: bla
> [uglymotha@rdsan01 ~]$ keyctl print 268450157
> bla
> [uglymotha@rdsan01 ~]$ keyctl unlink @u @s
> [uglymotha@rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
>
> -Sietse
>
> -----Original Message-----
> From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@xxxxxxxxxx>
> Sent: Thursday, 6 December, 2018 23:21
> To: Sietse van Zanen <sietse@xxxxxxxxx>; systemd-devel@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Systemd and kernel keyring
>
> Hi Sietse,
>
> I tried doing that, but I wasn't able to link it:
>
> [pkiuser@localhost] $ keyctl show @u
> Keyring
>  461086211 --alswrv     17 65534  keyring: _uid.3
>  189019025 --alswrv     17    17   \_ user: nuxwdog:user
> [pkiuser@localhost] $ keyctl link 189019025 @s
> keyctl_link: Permission denied
>
> I achieve 2 by doing a subprocess call that runs
> `keyctl add user <keyDesc> <password> @u`
>
> Regards,
> Dinesh
>
> On Thu, 2018-12-06 at 11:57 +0000, Sietse van Zanen wrote:
> > Hi Dinesh,
> >
> > Did you do a 'keyctl link @us @s' after logging in?
> >
> > And could you tell me how you achieve 2. Because according to
> > documentation it is not possible to have systemd-ask-password
> > insert a key into a user's keylist:
> >
> > --keyname=
> >     Configure a kernel keyring key name to use as cache for the
> >     password. If set, then the tool will try to push any collected
> >     passwords into the kernel keyring of the root user
> >
> > -Sietse
> > ________________________________________
> > From: systemd-devel <systemd-devel-bounces@xxxxxxxxxxxxxxxxxxxxx> on
> > behalf of Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@xxxxxxxxxx>
> > Sent: Thursday, December 6, 2018 04:11
> > To: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
> > Subject: Systemd and kernel keyring
> >
> > Hi team,
> >
> > I'm working on accessing the kernel keyring in my application started
> > using systemd.
> >
> > The list of steps I'm doing:
> >
> > 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC
> >    USER
> > 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> >    `systemd-ask-password` to accept the input and store it in the
> >    USER's kernel keyring
> > 3. In the main program started using `ExecStart`, I'm accessing the
> >    value stored in the keyring
> >
> > I'm able to access the values from my main program -- everything works
> > as expected! When I try to login as that specific user and do a
> > `keyctl show @u`, I find the entry.
> >
> > However, when I try to do `keyctl print <keyID>`, it throws a
> > "Permission Denied" error. IIUC, this protects the keys in the keyring
> > from access outside the systemd service. Is it the desired behaviour?
> >
> > I have the sample systemd unit file available in [1].
> >
> > [1] https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
> >
> > Thanks,
> > Dinesh
> >
> > _______________________________________________
> > systemd-devel mailing list
> > systemd-devel@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.freedesktop.org/mailman/listinfo/systemd-devel
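Added example, not code from the thread: a small Python parser for `keyctl show` output that rebuilds the keyring tree and reports the link chain through which the shown keyring reaches a given key, so one can check whether a key is linked into the session before blaming permissions. The two sample dumps are copied from Sietse's transcript above; the nesting rule (a line without the `\_` marker is the keyring being shown, deeper `\_` indentation means a child of the nearest shallower line) is an assumption about that output format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples copied from the transcript above: the session keyring
# before and after "keyctl link @u @s".
SESSION_BEFORE_LINK = r"""Keyring
 611271066 --alswrv      0     0  keyring: _ses
"""
SESSION_AFTER_LINK = r"""Keyring
 611271066 --alswrv      0     0  keyring: _ses
1004152344 --alswrv  11109 65534   \_ keyring: _uid.11109
 268450157 --alswrv  11109 10513       \_ user: bla
"""

# serial  perms  uid  gid  [indent \_ ] type: description
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)(\s+)(\\_\s+)?(\w+): (.*)$")
# serial -> (type, description, uid, parent serial or None)
KeyMap = Dict[int, Tuple[str, str, int, Optional[int]]]

def parse_keyctl_show(text: str) -> KeyMap:
    r"""Rebuild the keyring tree from `keyctl show` output. A line without
    the "\_" marker is the keyring being shown (assumed); for the others the
    parent is the nearest preceding line with a shallower "\_" indentation."""
    keys: KeyMap = {}
    stack: List[Tuple[int, int]] = []  # (indent, serial) of open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # the "Keyring" banner and blank lines
            continue
        serial, _perms, uid, _gid, pad, marker, ktype, desc = m.groups()
        indent = len(pad) if marker else -1
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1] if stack else None
        keys[int(serial)] = (ktype, desc, int(uid), parent)
        stack.append((indent, int(serial)))
    return keys

def link_path(keys: KeyMap, serial: int) -> Optional[List[str]]:
    """Descriptions from the shown keyring down to `serial`, or None when the
    key is not linked into it at all (the state in which the transcript's
    `keyctl print` was refused)."""
    if serial not in keys:
        return None
    path: List[str] = []
    cur: Optional[int] = serial
    while cur is not None:
        path.append(keys[cur][1])
        cur = keys[cur][3]
    return path[::-1]
```

Running `link_path(parse_keyctl_show(dump), 268450157)` on the two samples gives `None` before the link and `['_ses', '_uid.11109', 'bla']` after it.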