Discussion:
Systemd and kernel keyring
Dinesh Prasanth Moluguwan Krishnamoorthy
2018-12-06 03:11:30 UTC
Hi team,

I'm working on accessing the kernel keyring in my application, which is started
using systemd.

The list of steps I'm doing:

1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC
USER
2. In the `ExecStartPre`, I'm launching a subprocess that invokes
`systemd-ask-password` to accept the input and store it in the USER's
kernel keyring
3. In the main program started using `ExecStart`, I'm accessing the
value stored in the keyring

I'm able to access the values from my main program -- everything works
as expected! When I try to login as that specific user and do a `keyctl
show @u`, I find the entry.

However, when I try to do `keyctl print <keyID>`, it throws a "Permission
Denied" error. IIUC, this protects the keys in the keyring from being
accessed outside the systemd service. Is this the desired behaviour?

I have the sample systemd unit file available in [1].

[1]
https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service

Thanks,
Dinesh
Sietse van Zanen
2018-12-06 11:57:10 UTC
Hi Dinesh,

Did you do a 'keyctl link @us @s' after logging in?

And could you tell me how you achieve 2? Because according to the documentation it is not possible to have systemd-ask-password insert a key into a user's keylist:
--keyname=
Configure a kernel keyring key name to use as cache for the password. If set, then the tool will try to push any collected passwords into the
kernel keyring of the root user

-Sietse
_______________________________________________
systemd-devel mailing list
systemd-***@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Bruno Vernay
2018-12-06 13:03:15 UTC
I wanted to do some kind of tutorial (
https://gitlab.com/BrunoVernay/systemd-playground/tree/master/12-keyring)
on the subject, but I don't find a lot of resources (apart from "reference
documentation")

This might be helpful: https://mjg59.dreamwidth.org/37333.html




--
Bruno VERNAY
Dinesh Prasanth Moluguwan Krishnamoorthy
2018-12-06 22:20:56 UTC
Hi Sietse,

I tried doing that, but I wasn't able to link it:

[***@localhost] $ keyctl show @u
Keyring
461086211 --alswrv 17 65534 keyring: _uid.3
189019025 --alswrv 17 17 \_ user: nuxwdog:user
[***@localhost] $ keyctl link 189019025 @s
keyctl_link: Permission denied


I achieve 2 by doing a subprocess call that runs `keyctl add user <key
Desc> <password> @u`

Regards,
Dinesh

Sietse van Zanen
2018-12-07 10:09:54 UTC
Dinesh,

That's linking the key to the session keyring. Also because you're adding keys in a subprocess you do need to take care with setting correct permissions on the key.

What does keyctl show @us say?

-Sietse


Dinesh Prasanth Moluguwan Krishnamoorthy
2018-12-07 19:10:54 UTC
[***@localhost] $ keyctl show @us
Keyring
863455739 --alswrv 17 65534 keyring: _uid_ses.17

[***@localhost] $ keyctl show @u
Keyring
461086211 --alswrv 17 65534 keyring: _uid.17
722174553 --alswrv 17 17 \_ user: nuxwdog:user

[***@localhost] $ keyctl link @u @s

[***@localhost] $ keyctl show @us
Keyring
863455739 --alswrv 17 65534 keyring: _uid_ses.17

Regards,
Dinesh

Dinesh Prasanth Moluguwan Krishnamoorthy
2018-12-07 19:17:10 UTC
Sorry, I take my previous message back.

[***@localhost] $ keyctl show @us
Keyring
489278924 --alswrv 17 65534 keyring: _uid_ses.17
597101514 --alswrv 17 65534 \_ keyring: _uid.17
832804872 --alswrv 17 17 \_ user: nuxwdog:user

Regards,
Dinesh

Sietse van Zanen
2018-12-07 11:36:25 UTC
It's probably exactly that: you are running keyctl in a subprocess, and that's why the key is not available in your logon session. Let's reproduce the issue, shall we?

First create a key for the user in a separate login session:
[***@rdsan01 ~]$ sudo -H -u uglymotha keyctl add user bla bla @u
268450157

We have no access to the key
[***@rdsan01 ~]$ keyctl print 268450157
keyctl_read_alloc: Permission denied

Because it was added in another session and our current session is not linked to my user keyring, this does not (always) happen automatically on login.
[***@rdsan01 ~]$ keyctl show @u
Keyring
1004152344 --alswrv 11109 65534 keyring: _uid.11109
268450157 --alswrv 11109 10513 \_ user: bla

The current session keyring is still empty
[***@rdsan01 ~]$ keyctl show @s
Keyring
611271066 --alswrv 0 0 keyring: _ses

So link the user keyring to our current session keyring
[***@rdsan01 ~]$ keyctl link @u @s

And we have access to the key.
[***@rdsan01 ~]$ keyctl show @s
Keyring
611271066 --alswrv 0 0 keyring: _ses
1004152344 --alswrv 11109 65534 \_ keyring: _uid.11109
268450157 --alswrv 11109 10513 \_ user: bla
[***@rdsan01 ~]$ keyctl print 268450157
bla
[***@rdsan01 ~]$ keyctl unlink @u @s
[***@rdsan01 ~]$ keyctl print 268450157
keyctl_read_alloc: Permission denied

-Sietse

Dinesh Prasanth Moluguwan Krishnamoorthy
2018-12-07 19:47:16 UTC
Oh damn! Yes. It worked!

So, my next question would be "how to avoid it?"

To expand a bit more:

I want to make these passwords inaccessible outside the systemd service,
even to that USER. (Or does that sound contradictory?)

Regards,
Dinesh

Bruno Vernay
2018-12-10 14:59:04 UTC
Right when I feel I started to better understand Possession and Keyrings, I
had this:
> keyctl describe 14242397
14242397: alsw-v------------------ 1002 100 user: keyInUsr
> keyctl print 14242397
mySecret-1

How can I read a key when no one has read rights? Is there some caching
going on? Some refresh only occurring on certain conditions ??
Or am I missing something?

Regards
Bruno


On Mon, Dec 10, 2018 at 12:55 PM Mantas Mikulėnas <***@gmail.com> wrote:

> On Fri, Dec 7, 2018 at 9:47 PM Dinesh Prasanth Moluguwan Krishnamoorthy <
> ***@redhat.com> wrote:
>
>> Oh damn! Yes. It worked!
>>
>> So, my next question would be "how to avoid it?"
>>
>> To expand a bit more:
>>
>> I want to make these passwords inaccessible outside the systemd service
>> even by that USER. (or does it sound something contradictory?)
>>
>> Regards,
>> Dinesh
>>
>
> It does sound contradictory; it rarely makes sense to isolate the user
> from themselves.
>
> It might be *possible* to set the key's permissions such that only the
> "possessor" has full permissions, but the "uid/gid/other" have none. (e.g. keyctl
> setperm <id> 0x3f000000).
>
> --
> Mantas Mikulėnas


--
Bruno VERNAY
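An added example, not code from the thread and not part of keyutils or systemd: a small Python decoder for the permission masks that keyctl prints, so the three forms seen in this thread (the `--alswrv` column of `keyctl show`, the 24-character string in Bruno's `keyctl describe` output, and the hex mask in Mantas's `keyctl setperm <id> 0x3f000000`) can be read side by side. The layout is the one from `<linux/keyutils.h>`: one byte per principal (possessor, user, group, other, most significant byte first) with bits view=0x01, read=0x02, write=0x04, search=0x08, link=0x10, setattr=0x20, and `keyctl describe` prints each byte as the letters a l s w r v. `effective_rights()` follows the kernel's `key_task_permission()` (the user byte if the key's UID matches the caller, else the group byte, else the other byte, with the possessor byte OR'd in only when the key is possessed), and `can_read()` adds the fallback in the kernel's `keyctl_read_key()` that still allows a read when the caller possesses the key even though no read bit is set, which is what Bruno's `keyctl print` shows. The sample describe line and the UIDs are taken from the thread; the `possessed` flag is an input here, standing in for whether the key is reachable through the caller's session/process keyrings (what `keyctl link @u @s` changed above).

```python
"""Decode and evaluate Linux kernel-keyring permission masks (added example)."""
import re
from typing import Dict, Set

# Bit for each letter inside one principal's byte, per <linux/keyutils.h>.
BITS = {"a": 0x20, "l": 0x10, "s": 0x08, "w": 0x04, "r": 0x02, "v": 0x01}
NAMES = {"a": "setattr", "l": "link", "s": "search", "w": "write", "r": "read", "v": "view"}
LETTERS = "alswrv"                                    # column order printed by keyctl
PRINCIPALS = ("possessor", "user", "group", "other")  # mask bytes 3, 2, 1, 0

# `keyctl describe` line: "<id>: <24 perm chars> <uid> <gid> <type>: <description>"
DESCRIBE_RE = re.compile(
    r"^\s*(?P<id>\d+):\s+(?P<perm>[alswrv-]{24})\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?P<type>\S+):\s*(?P<desc>.*)$"
)

# Bruno's line from the thread, rebuilt here so the dash count is exactly 18.
BRUNO_DESCRIBE_LINE = "14242397: " + "alsw-v" + "-" * 18 + " 1002 100 user: keyInUsr"


def perm_string_to_mask(perm: str) -> int:
    """Turn the 24-character describe string into the 32-bit mask `keyctl setperm` takes."""
    if len(perm) != 24:
        raise ValueError("expected 24 permission characters")
    mask = 0
    for i in range(4):
        byte = 0
        for pos, ch in enumerate(perm[i * 6:(i + 1) * 6]):
            if ch == "-":
                continue
            if ch != LETTERS[pos]:
                raise ValueError(f"unexpected {ch!r} in column {pos}")
            byte |= BITS[ch]
        mask |= byte << (8 * (3 - i))
    return mask


def mask_to_perm_string(mask: int) -> str:
    """Inverse of perm_string_to_mask(): 0x3f000000 -> 'alswrv' followed by 18 dashes."""
    groups = []
    for i in range(4):
        byte = (mask >> (8 * (3 - i))) & 0x3F
        groups.append("".join(ch if byte & BITS[ch] else "-" for ch in LETTERS))
    return "".join(groups)


def decode_mask(mask: int) -> Dict[str, Set[str]]:
    """Map each principal to the named rights its byte grants."""
    return {
        who: {NAMES[ch] for ch in LETTERS if (mask >> (8 * (3 - i))) & BITS[ch]}
        for i, who in enumerate(PRINCIPALS)
    }


def parse_describe(line: str) -> dict:
    """Parse one `keyctl describe` line into id, mask, uid, gid, type and description."""
    m = DESCRIBE_RE.match(line)
    if not m:
        raise ValueError("not a keyctl describe line")
    return {
        "id": int(m["id"]), "mask": perm_string_to_mask(m["perm"]),
        "uid": int(m["uid"]), "gid": int(m["gid"]),
        "type": m["type"], "desc": m["desc"],
    }


def effective_rights(mask: int, key_uid: int, key_gid: int,
                     caller_uid: int, caller_gids: Set[int], possessed: bool) -> Set[str]:
    """Rights a caller holds, following key_task_permission(): exactly one of the
    user/group/other bytes applies (no fall-through), and the possessor byte is
    OR'd in only when the key is possessed."""
    if caller_uid == key_uid:
        byte = (mask >> 16) & 0x3F
    elif key_gid in caller_gids:
        byte = (mask >> 8) & 0x3F
    else:
        byte = mask & 0x3F
    if possessed:
        byte |= (mask >> 24) & 0x3F
    return {NAMES[ch] for ch in LETTERS if byte & BITS[ch]}


def can_read(mask: int, key_uid: int, key_gid: int,
             caller_uid: int, caller_gids: Set[int], possessed: bool) -> bool:
    """KEYCTL_READ (what `keyctl print` issues): the read bit suffices, and when it
    is missing keyctl_read_key() still permits the read if the caller possesses the key."""
    rights = effective_rights(mask, key_uid, key_gid, caller_uid, caller_gids, possessed)
    return "read" in rights or possessed


if __name__ == "__main__":
    key = parse_describe(BRUNO_DESCRIBE_LINE)
    print(hex(key["mask"]), decode_mask(key["mask"]))
    print("possessed, uid 1002:", can_read(key["mask"], 1002, 100, 1002, {100}, True))
    print("not possessed, uid 1002:", can_read(key["mask"], 1002, 100, 1002, {100}, False))
    # Mantas's suggestion: everything for the possessor, nothing for uid/gid/other.
    print(mask_to_perm_string(0x3F000000), decode_mask(0x3F000000)["user"])
```

Two things the decoder makes visible: the mask `0x3f000000` leaves the key's own UID with no rights at all, so a process of that user that does not possess the key cannot even list it, and any process that does possess it (the service, via its session or process keyring) still gets full access; and a freshly added user key gets the kernel default `0x3f010000`, which is why Dinesh's login session could see the key in `keyctl show @u` (user byte grants view) but `keyctl print` failed until `keyctl link @u @s` made the key possessed.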
Sietse van Zanen
2018-12-10 10:21:53 UTC
> I want to make these passwords inaccessible outside the systemd service
> even by that USER. (or does it sound something contradictory?)

In that case you cannot use the user keyring, as any key there will always be available to the user. You will either need to use the process keyring, or the session keyring for your service.

-Sietse

________________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy <***@redhat.com>
Sent: Friday, December 7, 2018 20:47
To: Sietse van Zanen; systemd-***@lists.freedesktop.org
Subject: Re: [systemd-devel] Systemd and kernel keyring

Oh damn! Yes. It worked!

So, my next question would be "how to avoid it?"

To expand a bit more:

I want to make these passwords inaccessible outside the systemd service
even by that USER. (or does it sound something contradictory?)

Regards,
Dinesh

On Fri, 2018-12-07 at 11:36 +0000, Sietse van Zanen wrote:
> It's probably exactly that, you are running the keyctl in a
> subprocess and that's why the key is not available in your logon
> session. Let's reproduce the issue shall we.
>
> First create a key for the user in a separate login session:
> [***@rdsan01 ~]$ sudo -H -u uglymotha keyctl add user bla bla
> @u
> 268450157
>
> We have no access to the key
> [***@rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
>
> Because it was added in another session and our current session is
> not linked to my user keyring, this does not (always) happen
> automatically on login.
> [***@rdsan01 ~]$ keyctl show @u
> Keyring
> 1004152344 --alswrv 11109 65534 keyring: _uid.11109
> 268450157 --alswrv 11109 10513 \_ user: bla
>
> The current session keyring is still empty
> [***@rdsan01 ~]$ keyctl show @s
> Keyring
> 611271066 --alswrv 0 0 keyring: _ses
>
> So link the user keyring to our current session keyring
> [***@rdsan01 ~]$ keyctl link @u @s
>
> And we have access to the key.
> [***@rdsan01 ~]$ keyctl show @s
> Keyring
> 611271066 --alswrv 0 0 keyring: _ses
> 1004152344 --alswrv 11109 65534 \_ keyring: _uid.11109
> 268450157 --alswrv 11109 10513 \_ user: bla
> [***@rdsan01 ~]$ keyctl print 268450157
> bla
> [***@rdsan01 ~]$ keyctl unlink @u @s
> [***@rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
>
> -Sietse
>
> -----Original Message-----
> From: Dinesh Prasanth Moluguwan Krishnamoorthy <***@redhat.com>
> Sent: Thursday, 6 December, 2018 23:21
> To: Sietse van Zanen <***@wizdom.nu>;
> systemd-***@lists.freedesktop.org
> Subject: Re: [systemd-devel] Systemd and kernel keyring
>
> Hi Sietse,
>
> I tried doing that, but I wasn't able to link it:
>
> [***@localhost] $ keyctl show @u
> Keyring
> 461086211 --alswrv 17 65534 keyring: _uid.3
> 189019025 --alswrv 17 17 \_ user: nuxwdog:user
> [***@localhost] $ keyctl link 189019025 @s
> keyctl_link: Permission denied
>
>
> I achieve 2 by doing a subprocess call that runs `keyctl add user
> <key
> Desc> <password> @u`
>
> Regards,
> Dinesh
>
> On Thu, 2018-12-06 at 11:57 +0000, Sietse van Zanen wrote:
> > Hi Dinesh,
> >
> > Did you do a 'keyctl link @us @s' after logging in?
> >
> > And could you tell me how you achieve 2. Because according to
> > documentation it is not possible to have systemd-ask-password
> > insert a
> > key into a users keylist:
> > --keyname=
> > Configure a kernel keyring key name to use as cache for
> > the
> > password. If set, then the tool will try to push any collected
> > passwords into the
> > kernel keyring of the root user
> >
> > -Sietse
> > ________________________________________
> > From: systemd-devel <systemd-devel-***@lists.freedesktop.org>
> > on
> > behalf of Dinesh Prasanth Moluguwan Krishnamoorthy <
> > ***@redhat.com>
> > Sent: Thursday, December 6, 2018 04:11
> > To: systemd-***@lists.freedesktop.org
> > Subject: [systemd-devel] Systemd and kernel keyring
> >
> > Hi team,
> >
> > I'm working on accessing kernel keyring in my application started
> > using systemd.
> >
> > The list of steps I'm doing:
> >
> > 1. Starting a systemd service with `KeyringMode=shared` as a
> > SPECIFIC
> > USER 2. In the `ExecStartPre`, I'm launching a subprocess that
> > invokes
> > `systemd-ask-password` to accept the input and store it in the
> > USER's
> > kernel keyring 3. In the main program started using `ExecStart`,
> > I'm
> > accessing the value stored in the keyring
> >
> > I'm able to access the values from my main program -- everything
> > works
> > as expected! When I try to login as that specific user and do a
> > `keyctl show @u`, I find the entry.
> >
> > However, when I try to do `keyctl print <keyID>`, it throws
> > "Permission Denied" error. IIUC, this protects the keys in the
> > keyring
> > from accessing outside the systemd service. Is it the desired
> > behaviour?
> >
> > I have the sample systemd unit file available in [1].
> >
> > [1]
> > https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
> >
> > Thanks,
> > Dinesh
> >
> > _______________________________________________
> > systemd-devel mailing list
> > systemd-***@lists.freedesktop.org
> > https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Lennart Poettering
2018-12-06 13:38:49 UTC
Permalink
On Mi, 05.12.18 19:11, Dinesh Prasanth Moluguwan Krishnamoorthy (***@redhat.com) wrote:

> Hi team,
>
> I'm working on accessing kernel keyring in my application started using
> systemd.
>
> The list of steps I'm doing:
>
> 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC
> USER
> 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> `systemd-ask-password` to accept the input and store it in the USER's
> kernel keyring
> 3. In the main program started using `ExecStart`, I'm accessing the
> value stored in the keyring
>
> I'm able to access the values from my main program -- everything works
> as expected! When I try to login as that specific user and do a `keyctl
> show @u`, I find the entry.
>
> However, when I try to do `keyctl print <keyID>`, it throws "Permission
> Denied" error. IIUC, this protects the keys in the keyring from
> accessing outside the systemd service. Is it the desired behaviour?

Hmm, maybe use "keyctl list @u" to see the key and its access mode?

Lennart

--
Lennart Poettering, Red Hat
Dinesh Prasanth Moluguwan Krishnamoorthy
2018-12-06 22:37:52 UTC
Permalink
Hi Lennart,

[***@localhost] $ keyctl list @u
1 key in keyring:
114920030: --alswrv 17 17 user: nuxwdog:user

That's the attrs of the created key. I'm not sure how to read these
attributes, though.

Regards,
Dinesh

On Thu, 2018-12-06 at 14:38 +0100, Lennart Poettering wrote:
> On Mi, 05.12.18 19:11, Dinesh Prasanth Moluguwan Krishnamoorthy (
> ***@redhat.com) wrote:
>
> > Hi team,
> >
> > I'm working on accessing kernel keyring in my application started
> > using
> > systemd.
> >
> > The list of steps I'm doing:
> >
> > 1. Starting a systemd service with `KeyringMode=shared` as a
> > SPECIFIC
> > USER
> > 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> > `systemd-ask-password` to accept the input and store it in the
> > USER's
> > kernel keyring
> > 3. In the main program started using `ExecStart`, I'm accessing the
> > value stored in the keyring
> >
> > I'm able to access the values from my main program -- everything
> > works
> > as expected! When I try to login as that specific user and do a
> > `keyctl
> > show @u`, I find the entry.
> >
> > However, when I try to do `keyctl print <keyID>`, it throws
> > "Permission
> > Denied" error. IIUC, this protects the keys in the keyring from
> > accessing outside the systemd service. Is it the desired behaviour?
>
> Hmm, maybe use "keyctl list @u" to see the key and its access mode?
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
Sietse van Zanen
2018-12-07 10:00:22 UTC
Permalink
Hi Dinesh,

In that case I suggest you start by reading: http://man7.org/linux/man-pages/man7/keyrings.7.html

What does cat /proc/keys say?

-Sietse

-----Original Message-----
From: systemd-devel <systemd-devel-***@lists.freedesktop.org> On Behalf Of Dinesh Prasanth Moluguwan Krishnamoorthy
Sent: Thursday, 6 December, 2018 23:38
To: Lennart Poettering <***@0pointer.de>
Cc: systemd-***@lists.freedesktop.org
Subject: Re: [systemd-devel] Systemd and kernel keyring

Hi Lennart,

[***@localhost] $ keyctl list @u
1 key in keyring:
114920030: --alswrv 17 17 user: nuxwdog:user

That's the attrs of the created key. I'm not sure how to read these attributes, though.

Regards,
Dinesh

On Thu, 2018-12-06 at 14:38 +0100, Lennart Poettering wrote:
> On Mi, 05.12.18 19:11, Dinesh Prasanth Moluguwan Krishnamoorthy (
> ***@redhat.com) wrote:
>
> > Hi team,
> >
> > I'm working on accessing kernel keyring in my application started
> > using systemd.
> >
> > The list of steps I'm doing:
> >
> > 1. Starting a systemd service with `KeyringMode=shared` as a
> > SPECIFIC USER 2. In the `ExecStartPre`, I'm launching a subprocess
> > that invokes `systemd-ask-password` to accept the input and store it
> > in the USER's kernel keyring 3. In the main program started using
> > `ExecStart`, I'm accessing the value stored in the keyring
> >
> > I'm able to access the values from my main program -- everything
> > works as expected! When I try to login as that specific user and do
> > a `keyctl show @u`, I find the entry.
> >
> > However, when I try to do `keyctl print <keyID>`, it throws
> > "Permission Denied" error. IIUC, this protects the keys in the
> > keyring from accessing outside the systemd service. Is it the
> > desired behaviour?
>
> Hmm, maybe use "keyctl list @u" to see the key and its access mode?
>
> Lennart
>
> --
> Lennart Poettering, Red Hat

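The "--alswrv 17 17" column Dinesh asks about, the `keyctl link @u @s` step Sietse demonstrates, and the /proc/keys file he points to all come down to one 32-bit permission mask and one access rule. The decoder below is an added example, not code from this thread, from keyutils or from systemd. The /proc/keys line it parses is constructed (the serial, flags and payload size are invented; uid 17, the `user` type and the `nuxwdog:user` description mirror the thread), and the mask layout and letter order are those of linux/keyctl.h and keyrings(7): a separate byte for possessor, owner, group and other, with view/read/write/search/link/setattr bits in each. The access rule it applies is the kernel's: the owner, group or other byte is selected by identity, and the possessor byte is added only when the key is reachable from one of the caller's own keyrings, which is exactly what linking @u into @s changes.

```python
"""Decode kernel keyring permission masks and apply the possession rule.

Added example, not code from the thread, from keyutils or from systemd.
The /proc/keys line below is constructed: serial, flags and payload size
are invented; uid 17, the "user" type and the nuxwdog:user description
mirror the key discussed in the thread.
"""

# Layout of the 32-bit key permission mask (linux/keyctl.h):
#   bits 24-31 possessor, 16-23 user (owner), 8-15 group, 0-7 other.
# Within each byte: view=0x01 read=0x02 write=0x04 search=0x08 link=0x10 setattr=0x20.
PERM_BITS = {
    "view": 0x01, "read": 0x02, "write": 0x04,
    "search": 0x08, "link": 0x10, "setattr": 0x20,
}
CATEGORY_SHIFT = {"possessor": 24, "user": 16, "group": 8, "other": 0}
# keyctl renders each category as six letters in this order.
LETTER_ORDER = [("setattr", "a"), ("link", "l"), ("search", "s"),
                ("write", "w"), ("read", "r"), ("view", "v")]

# Constructed /proc/keys line. Column order, per proc(5):
# serial flags usage timeout perms uid gid type description
SAMPLE_PROC_KEYS_LINE = (
    "0ffc0fde I--Q---     1 perm 3f010000    17    17 user      nuxwdog:user: 8"
)


def decode_mask(mask):
    """Map the hex mask to {category: set of permission names}."""
    decoded = {}
    for category, shift in CATEGORY_SHIFT.items():
        byte = (mask >> shift) & 0xFF
        decoded[category] = {name for name, bit in PERM_BITS.items() if byte & bit}
    return decoded


def mask_to_letters(mask):
    """Render the mask as four 6-letter groups: possessor, user, group, other."""
    decoded = decode_mask(mask)
    groups = []
    for category in ("possessor", "user", "group", "other"):
        groups.append("".join(letter if name in decoded[category] else "-"
                              for name, letter in LETTER_ORDER))
    return "".join(groups)


def parse_proc_keys_line(line):
    """Split one /proc/keys line into its nine columns."""
    serial, flags, usage, timeout, perms, uid, gid, ktype, desc = line.split(None, 8)
    return {
        "serial": int(serial, 16), "flags": flags, "usage": int(usage),
        "timeout": timeout, "perm": int(perms, 16),
        "uid": int(uid), "gid": int(gid), "type": ktype, "description": desc,
    }


def effective_perms(key, caller_uid, caller_gids, possessed):
    """Kernel rule: exactly one of the user/group/other bytes is selected by
    identity; the possessor byte is ORed in only when the caller possesses
    the key (it is reachable from one of the caller's own keyrings, e.g.
    after `keyctl link @u @s`)."""
    decoded = decode_mask(key["perm"])
    if caller_uid == key["uid"]:
        granted = set(decoded["user"])
    elif key["gid"] != -1 and key["gid"] in caller_gids:
        granted = set(decoded["group"])
    else:
        granted = set(decoded["other"])
    if possessed:
        granted |= decoded["possessor"]
    return granted


def can_read(key, caller_uid, caller_gids, possessed):
    """`keyctl print` needs the read permission; False means EACCES."""
    return "read" in effective_perms(key, caller_uid, caller_gids, possessed)


if __name__ == "__main__":
    key = parse_proc_keys_line(SAMPLE_PROC_KEYS_LINE)
    print("perm %08x -> %s" % (key["perm"], mask_to_letters(key["perm"])))
    for possessed in (False, True):
        print("uid 17, possessed=%s: can read = %s"
              % (possessed, can_read(key, 17, {17}, possessed)))
```

With the default mask a `keyctl add user ... @u` key gets (possessor all, owner view only), the owner's own shell sees the key in `keyctl show @u` but `keyctl print` fails until the user keyring is linked into the session keyring and the key becomes possessed; unlinking it again restores the denial, which is the sequence in Sietse's transcript. This is a permission model, not a confinement boundary: anything that can link @u into its session keyring as that uid gains the possessor bits, so an SELinux label or the unit's `KeyringMode=` is what actually separates the service from other processes of the same user.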
Dinesh Prasanth Moluguwan Krishnamoorthy
2018-12-07 19:05:13 UTC
Permalink
On Fri, 2018-12-07 at 10:00 +0000, Sietse van Zanen wrote:
> Hi Dinesh,
>
> In that case I suggest you start by reading:
> http://man7.org/linux/man-pages/man7/keyrings.7.html

Thanks for this. It does provide quite a bit of the info I need! :)

>
> What does cat /proc/keys say?

There is no "nuxwdog:user" entry in it. Maybe because I'm using
this workaround?
https://github.com/systemd/systemd/issues/1232#issuecomment-367209577


Regards,
Dinesh

> -Sietse
>
> -----Original Message-----
> From: systemd-devel <systemd-devel-***@lists.freedesktop.org> On
> Behalf Of Dinesh Prasanth Moluguwan Krishnamoorthy
> Sent: Thursday, 6 December, 2018 23:38
> To: Lennart Poettering <***@0pointer.de>
> Cc: systemd-***@lists.freedesktop.org
> Subject: Re: [systemd-devel] Systemd and kernel keyring
>
> Hi Lennart,
>
> [***@localhost] $ keyctl list @u
> 1 key in keyring:
> 114920030: --alswrv 17 17 user: nuxwdog:user
>
> That's the attrs of the created key. I'm not sure how to read these
> attributes, though.
>
> Regards,
> Dinesh
>
> On Thu, 2018-12-06 at 14:38 +0100, Lennart Poettering wrote:
> > On Mi, 05.12.18 19:11, Dinesh Prasanth Moluguwan Krishnamoorthy (
> > ***@redhat.com) wrote:
> >
> > > Hi team,
> > >
> > > I'm working on accessing kernel keyring in my application
> > > started
> > > using systemd.
> > >
> > > The list of steps I'm doing:
> > >
> > > 1. Starting a systemd service with `KeyringMode=shared` as a
> > > SPECIFIC USER 2. In the `ExecStartPre`, I'm launching a
> > > subprocess
> > > that invokes `systemd-ask-password` to accept the input and store
> > > it
> > > in the USER's kernel keyring 3. In the main program started
> > > using
> > > `ExecStart`, I'm accessing the value stored in the keyring
> > >
> > > I'm able to access the values from my main program -- everything
> > > works as expected! When I try to login as that specific user and
> > > do
> > > a `keyctl show @u`, I find the entry.
> > >
> > > However, when I try to do `keyctl print <keyID>`, it throws
> > > "Permission Denied" error. IIUC, this protects the keys in the
> > > keyring from accessing outside the systemd service. Is it the
> > > desired behaviour?
> >
> > Hmm, maybe use "keyctl list @u" to see the key and its access mode?
> >
> > Lennart
> >
> > --
> > Lennart Poettering, Red Hat
>
Lennart Poettering
2018-12-07 11:41:02 UTC
Permalink
On Do, 06.12.18 14:37, Dinesh Prasanth Moluguwan Krishnamoorthy (***@redhat.com) wrote:

> Hi Lennart,
>
> [***@localhost] $ keyctl list @u
> 1 key in keyring:
> 114920030: --alswrv 17 17 user: nuxwdog:user
>
> That's the attrs of the created key. I'm not sure how to read these
> attributes, though.

Hmm, maybe you have SELinux on? Consider turning it off. Keys carry
labels.

Lennart

--
Lennart Poettering, Red Hat