13.06.2019 11:11, Josef Moellers пишет: > On 12.06.19 17:34, Andrei Borzenkov wrote: ... >> >> If I add pam_keyinit to systemd-user, I do get session keyring for gnome >> terminal, but this is really wrong one: >> >> bor@10:~> cat /proc/keys >> 2133e406 I--Q--- 2 perm 1f3f0000 1000 65534 keyring _uid.1000: empty >> 2aeff9b2 I--Q--- 67 perm 3f030000 1000 100 keyring _ses: 1 >> 3c18175c I--Q--- 93 perm 3f030000 1000 100 keyring _ses: 1 >> bor@10:~> keyctl show -x >> Session Keyring >> 0x2aeff9b2 --alswrv 1000 100 keyring: _ses >> 0x2133e406 --alswrv 1000 65534 \_ keyring: _uid.1000 >> bor@10:~> > > Not really ... if you look at the keyring IDs (in the first column) eg > in a gnome-terminal and in an xterm, you will see that both session > keyrings (the "session keyring" in the xterm and the "user session > keyring" in the gnome-terminal) link to the very same "user keyring": >
I did not say "user keyring", I said "session keyring". Session keyring is different. bor@10:~> keyctl show -x Session Keyring 0x21a25f31 --alswrv 1000 65534 keyring: _uid_ses.1000 0x25f5781a --alswrv 1000 65534 \_ keyring: _uid.1000 bor@10:~> bor@10:~> keyctl show -x Session Keyring 0x279c03fc --alswrv 1000 100 keyring: _ses 0x25f5781a --alswrv 1000 65534 \_ keyring: _uid.1000 bor@10:~> > Leap-15.1: > ssh: > Keyring > 69871887 --alswrv 1000 100 keyring: _ses > 105956722 --alswrv 1000 65534 \_ keyring: _uid.1000 > -> Session Keyring (_ses) linked to User Keyring (_uid.<UID>) > > gnome-terminal(-server): > Keyring > 219457014 --alswrv 1000 65534 keyring: _uid_ses.1000 > 105956722 --alswrv 1000 65534 \_ keyring: _uid.1000 > -> User Session Keyring (_uid_ses.<UID>) linked to User Keyring (_uid.<UID>) > User Keyring is identical with User Keyring in ssh > > xterm: > Keyring > 633373159 --alswrv 1000 100 keyring: _ses > 105956722 --alswrv 1000 65534 \_ keyring: _uid.1000 > > All three share the same "user keyring" with ID 105956722! > This is the single keyring the kernel maintains for the user ID 1000. > Your question was about session keyring, not about user keyring. >> so now there are two session keyrings, some of processes (that for all >> practical purposes *do* belong to the same user session) are attached to >> one keyring, some to the other. Which makes it impossible to actually >> use session keyring to share keys. > > If keys are attached to the "user keyring", then, indeed, they can (and > will) be shared as shown above! > And? That's what you have been told from the very beginning. ... > > TL;DR > The addition of "session optional pam_keyinit.so force revoke" to > /etc/pam.d/systemd-user seems to fix my problem. At this point I lost track what problem you solve. You still have two processes in user login session (graphical environment) that attach different session keyring. To quote: "We have seen this problem: when you open a gnome-terminal, then the shell in that terminal will not have the same keyring (created by pam_keyinit.so) as the one eg in an xterm." Adding pam_keyring.so to systemd-user pam configuration does *not* fix it in any way. > The only question which > remains is if this has any adverse consequences. > You cannot use session keyring to share keys between processes that user thinks as belonging to the same (login) session. _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
