Re: Systemd and kernel keyring

> I want to make these passwords inaccessible outside the systemd service
> even by that USER. (or does it sound something contradictory?)

In that case you cannot use the user keyring, as any key there will always be available to the user. You will either need to use the process keyring, or the session keyring for your service.

-Sietse

________________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@xxxxxxxxxx>
Sent: Friday, December 7, 2018 20:47
To: Sietse van Zanen; systemd-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  Systemd and kernel keyring

Oh damn! Yes. It worked!

So, my next question would be "how to avoid it?"

To expand a bit more:

I want to make these passwords inaccessible outside the systemd service
even by that USER. (or does it sound something contradictory?)

Regards,
Dinesh

On Fri, 2018-12-07 at 11:36 +0000, Sietse van Zanen wrote:
> It's probably exactly that, you are running the keyctl in a
> subprocess and that's why the key is not available in your logon
> session. Let's reproduce the issue shall we.
>
> First create a key for the user in a separate login session:
> [uglymotha@rdsan01 ~]$ sudo -H -u uglymotha keyctl add user bla bla @u
> 268450157
>
> We have no access to the key
> [uglymotha@rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
>
> Because it was added in another session and our current session is
> not linked to my user keyring, this does not (always) happen
> automatically on login.
> [uglymotha@rdsan01 ~]$ keyctl show @u
> Keyring
> 1004152344 --alswrv  11109 65534  keyring: _uid.11109
>  268450157 --alswrv  11109 10513   \_ user: bla
>
> The current session keyring is still empty
> [uglymotha@rdsan01 ~]$ keyctl show @s
> Keyring
>  611271066 --alswrv      0     0  keyring: _ses
>
> So link the user keyring to our current session keyring
> [uglymotha@rdsan01 ~]$ keyctl link @u @s
>
> And we have access to the key.
> [uglymotha@rdsan01 ~]$ keyctl show @s
> Keyring
>  611271066 --alswrv      0     0  keyring: _ses
> 1004152344 --alswrv  11109 65534   \_ keyring: _uid.11109
>  268450157 --alswrv  11109 10513       \_ user: bla
> [uglymotha@rdsan01 ~]$ keyctl print 268450157
> bla
> [uglymotha@rdsan01 ~]$ keyctl unlink @u @s
> [uglymotha@rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
>
> -Sietse
>
> -----Original Message-----
> From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@xxxxxxxxxx>
> Sent: Thursday, 6 December, 2018 23:21
> To: Sietse van Zanen <sietse@xxxxxxxxx>;
> systemd-devel@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re:  Systemd and kernel keyring
>
> Hi Sietse,
>
> I tried doing that, but I wasn't able to link it:
>
> [pkiuser@localhost]  $ keyctl show @u
> Keyring
>  461086211 --alswrv     17 65534  keyring: _uid.3
>  189019025 --alswrv     17    17   \_ user: nuxwdog:user
> [pkiuser@localhost]  $ keyctl link 189019025 @s
> keyctl_link: Permission denied
>
>
> I achieve 2 by doing a subprocess call that runs `keyctl add user <key Desc> <password> @u`
>
> Regards,
> Dinesh
>
> On Thu, 2018-12-06 at 11:57 +0000, Sietse van Zanen wrote:
> > Hi Dinesh,
> >
> > Did you do a 'keyctl link @us @s' after logging in?
> >
> > And could you tell me how you achieve 2. Because according to
> > documentation it is not possible to have systemd-ask-password
> > insert a key into a user's keylist:
> >   --keyname=
> >             Configure a kernel keyring key name to use as cache for the
> >             password. If set, then the tool will try to push any collected
> >             passwords into the kernel keyring of the root user
> >
> > -Sietse
> > ________________________________________
> > From: systemd-devel <systemd-devel-bounces@xxxxxxxxxxxxxxxxxxxxx> on
> > behalf of Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@xxxxxxxxxx>
> > Sent: Thursday, December 6, 2018 04:11
> > To: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
> > Subject:  Systemd and kernel keyring
> >
> > Hi team,
> >
> > I'm working on accessing kernel keyring in my application started
> > using systemd.
> >
> > The list of steps I'm doing:
> >
> > 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC USER
> > 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> > `systemd-ask-password` to accept the input and store it in the USER's
> > kernel keyring
> > 3. In the main program started using `ExecStart`, I'm accessing the value
> > stored in the keyring
> >
> > I'm able to access the values from my main program -- everything works
> > as expected! When I try to login as that specific user and do a
> > `keyctl show @u`, I find the entry.
> >
> > However, when I try to do `keyctl print <keyID>`, it throws a
> > "Permission Denied" error. IIUC, this protects the keys in the keyring
> > from being accessed outside the systemd service. Is it the desired
> > behaviour?
> >
> > I have the sample systemd unit file available in [1].
> >
> > [1] https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
> >
> > Thanks,
> > Dinesh
> >
> > _______________________________________________
> > systemd-devel mailing list
> > systemd-devel@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.freedesktop.org/mailman/listinfo/systemd-devel
