Re: Sharing kernel keyring between systemd services


 



On Mon, Jul 22, 2024 at 2:15 PM Nikita Krasnov
<nikita.nikita.krasnov@xxxxxxxxx> wrote:
>
> Well, both actually. If that's possible, I would prefer to keep my
> service files intact (some of them are inside
> "/usr/lib/systemd/system" and some are inside "/usr/lib/systemd/user")
> and only alter the one that creates the key inside the keyring. The
> directory is decrypted transparently if the key is present inside the
> keyring. I would like to keep this behavior.
>

For user services the default (KeyringMode=inherit) should just work.

For system services - I do not know. Putting systemd aside - how is it
possible to add a key that is accessible by any other process on the
system?

> Offtopic. Should I use "Reply All" or "Reply" to answer to messages on
> this list? Sorry if I accidentally pinged a lot of people right now or
> created a new thread, I'm new on this mailing list.
>

I personally do not care :)

>
> Mon, 22 Jul 2024 at 13:42, Andrei Borzenkov <arvidjaar@xxxxxxxxx>:
>
> >
> > On Mon, Jul 22, 2024 at 12:18 PM Nikita Krasnov
> > <nikita.nikita.krasnov@xxxxxxxxx> wrote:
> > >
> > > I am working with kernel keyring (`e4crypt` tool stores its keys there). The end goal, basically, is there is one service that decrypts a folder (creates a key in the kernel keyring) and then every service has access to that key, thus having access to the encrypted folder.
> > >
> >
> > Are you talking about system or user services?
> >
> > > For some reason systemd doesn't share kernel keyrings between services. Service A launches a script that creates a key and then it's nowhere to be found inside service B (running `keyctl show` there doesn't show the key).
> > >
> > > I've tried running `keyctl setperm $KEY_ID 0x3f3f3f3f` (giving everyone all rights to the key) but to no avail.
> > >
> > > I've found systemd has a `KeyringMode=shared` option, so I've added `User=root` and `KeyringMode=shared` to both A and B service files. Unfortunately, this had no effect. The keyring of service B is still empty when it launches.
> > >
> > > Running `keyctl show` inside A and B gives this. Service A output:
> > > ```
> > > Session Keyring
> > >  275477083 --alswrv 0 0 keyring: _ses
> > >  511348864 ----s-rv 0 0 \_ user: invocation_id
> > >  916643668 --alswrv 0 0 \_ logon: ext4:018b44e44e88466a
> > > ```
> > >
> > > Service B output:
> > > ```
> > > Session Keyring
> > >  922937713 --alswrv 100000 100000 keyring: _ses
> > >  91724620 --alswrv 100000 65534 \_ keyring: _uid.100000
> > > ```
> > >
> > > This output is when not using `User=root` and `KeyringMode=shared` since adding this to every service file isn't feasible (and I also can't have everything running as root).
> > >
> > > --
> > > Sincerely, Nikita Krasnov
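An added example, not code from this thread and not keyutils or systemd code: a small model of kernel keyring reachability built from the two `keyctl show` dumps quoted above. Serials, uids, key types and descriptions are taken from the dumps; the numeric permission masks (0x3f3f0000 for the keyrings, 0x3f010000 for the logon key, 0x0b0b0000 for invocation_id) are assumptions chosen to be consistent with the `--alswrv` / `----s-rv` columns shown. The permission byte layout (possessor, user, group, other, six bits each) and the rule that a search must be granted SEARCH on every keyring it traverses are taken from the kernel keyring documentation; the group byte is left out of the check to keep the model short. It shows why `keyctl setperm $KEY_ID 0x3f3f3f3f` on its own cannot make service A's logon key appear in service B, and what a link from a keyring B already searches would change.

```python
"""Model of kernel keyring reachability for the two dumps in the thread.
Added example: not from the thread, keyutils or systemd."""
from dataclasses import dataclass, field
from typing import List, Optional

# Permission layout from the kernel keyring docs: one byte per category,
# six bits used per byte.  Letter order matches the last six columns of
# the `keyctl show` permission field.
PERM_LETTERS = [("a", 0x20), ("l", 0x10), ("s", 0x08),
                ("w", 0x04), ("r", 0x02), ("v", 0x01)]
POSSESSOR, USER, GROUP, OTHER = 24, 16, 8, 0
SEARCH = 0x08
LOGON_DESC = "ext4:018b44e44e88466a"   # description from service A's dump


@dataclass
class Key:
    serial: int
    ktype: str
    desc: str
    uid: int
    perm: int
    links: List["Key"] = field(default_factory=list)   # keyring contents


def decode_perm(mask: int) -> dict:
    """Render each category byte of a permission mask as keyctl-style letters."""
    out = {}
    for name, shift in (("possessor", POSSESSOR), ("user", USER),
                        ("group", GROUP), ("other", OTHER)):
        byte = (mask >> shift) & 0x3F
        out[name] = "".join(letter if byte & bit else "-"
                            for letter, bit in PERM_LETTERS)
    return out


def has_perm(key: Key, uid: int, bit: int, possessed: bool) -> bool:
    """Kernel rule, simplified (group byte omitted, an assumption of this
    model): the owner uses the user byte, anyone else the other byte, and a
    caller that possesses the key additionally gets the possessor byte."""
    kperm = (key.perm >> USER) if key.uid == uid else (key.perm >> OTHER)
    if possessed:
        kperm |= key.perm >> POSSESSOR
    return bool(kperm & bit)


def search(start: Key, desc: str, uid: int) -> Optional[Key]:
    """Walk keyring links the way a search from a process's session keyring
    does: every keyring traversed, and the key found, must grant SEARCH.
    Keys reached this way are 'possessed', so the possessor byte applies."""
    stack, seen = [start], set()
    while stack:
        key = stack.pop()
        if key.serial in seen:
            continue
        seen.add(key.serial)
        if not has_perm(key, uid, SEARCH, possessed=True):
            continue
        if key.ktype == "keyring":
            stack.extend(key.links)
        elif key.desc == desc:
            return key
    return None


def build_thread_state():
    """Serials, uids and descriptions copied from the two dumps; the numeric
    masks are assumed (consistent with the letters shown)."""
    logon = Key(916643668, "logon", LOGON_DESC, 0, 0x3F010000)
    invocation = Key(511348864, "user", "invocation_id", 0, 0x0B0B0000)
    a_ses = Key(275477083, "keyring", "_ses", 0, 0x3F3F0000, [invocation, logon])
    user_kr = Key(91724620, "keyring", "_uid.100000", 100000, 0x3F3F0000)
    b_ses = Key(922937713, "keyring", "_ses", 100000, 0x3F3F0000, [user_kr])
    return a_ses, b_ses, user_kr, logon


def demo() -> dict:
    a_ses, b_ses, user_kr, logon = build_thread_state()
    result = {"a_finds_key": search(a_ses, LOGON_DESC, 0) is logon,
              "b_before": search(b_ses, LOGON_DESC, 100000) is logon}
    # What the thread tried: open the key up to every category.
    logon.perm = 0x3F3F3F3F
    result["b_after_setperm"] = search(b_ses, LOGON_DESC, 100000) is logon
    result["other_byte_after_setperm"] = decode_perm(logon.perm)["other"]
    # What reachability actually needs: a link from a keyring B already
    # searches (here its user keyring), even with the original mask.
    logon.perm = 0x3F010000
    user_kr.links.append(logon)
    result["b_after_link"] = search(b_ses, LOGON_DESC, 100000) is logon
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model reproduces what the thread observed: B's search starts at its own `_ses`, reaches only `_uid.100000`, and never sees A's session keyring, so no permission mask on the key can help; only a link from something on B's search path does. `decode_perm(0x3f3f3f3f)` also makes the cost of that experiment visible: the `other` byte becomes `alswrv`, so any uid that could reach the key would also be able to update, revoke or re-permission it, which is not what you want for a filesystem logon key.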



