Alon,
The documentation you are looking for can be found in the kernel source with
the following path Documentation/keys.txt. The keyutils package is an
interface to the kernel key ring which stores keys. The keyring was
designed for keys that are cached for file systems and other OS services.
It is necessary to keep the key in memory unless a TPM is used, but it is
protected with sufficient access permissions. Here is what the kernel
documentation says about access permissions.
======================
KEY ACCESS PERMISSIONS
======================

Keys have an owner user ID, a group access ID, and a permissions mask. The
mask has up to eight bits each for possessor, user, group and other access.
Only six of each set of eight bits are defined. These permissions granted are:

 (*) View

     This permits a key or keyring's attributes to be viewed - including key
     type and description.

 (*) Read

     This permits a key's payload to be viewed or a keyring's list of linked
     keys.

 (*) Write

     This permits a key's payload to be instantiated or updated, or it allows a
     link to be added to or removed from a keyring.

 (*) Search

     This permits keyrings to be searched and keys to be found. Searches can
     only recurse into nested keyrings that have search permission set.

 (*) Link

     This permits a key or keyring to be linked to. To create a link from a
     keyring to a key, a process must have Write permission on the keyring and
     Link permission on the key.

 (*) Set Attribute

     This permits a key's UID, GID and permissions mask to be changed.

For changing the ownership, group ID or permissions mask, being the owner of
the key or having the sysadmin capability is sufficient.
Trevor
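To make the excerpt concrete, here is an added example (not code from the kernel, keyutils or anyone on this thread) that models the mask layout and the access check it describes: possessor, user, group and other bytes in a 32-bit mask, six defined bits per byte, possessor bits additive to whichever of the other three applies, and the Write-plus-Link rule for adding a key to a keyring. The bit values and byte positions are the ones the kernel uses; the function names and the possessor/owner/group flags are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per-category permission bits, the values the kernel itself uses;
 * only six of each category's eight bits are defined. */
#define PERM_VIEW    0x01u
#define PERM_READ    0x02u
#define PERM_WRITE   0x04u
#define PERM_SEARCH  0x08u
#define PERM_LINK    0x10u
#define PERM_SETATTR 0x20u
#define PERM_ALL     0x3fu

/* Byte position of each category in the 32-bit mask. */
enum { SHIFT_POS = 24, SHIFT_USR = 16, SHIFT_GRP = 8, SHIFT_OTH = 0 };

/* Assemble a mask from the possessor, user, group and other bytes. */
uint32_t key_perm_mask(uint32_t pos, uint32_t usr, uint32_t grp, uint32_t oth)
{
    return ((pos & PERM_ALL) << SHIFT_POS) | ((usr & PERM_ALL) << SHIFT_USR) |
           ((grp & PERM_ALL) << SHIFT_GRP) | ((oth & PERM_ALL) << SHIFT_OTH);
}

/* Does a caller hold every bit in 'want'?  The owner is judged by the user
 * byte, a group member by the group byte (an all-clear group byte falls
 * through to the other byte, as the kernel's checker does), everyone else by
 * the other byte.  Possessing the key (reaching it via an own keyring) adds
 * the possessor byte on top of that. */
bool key_permitted(uint32_t mask, bool possessor, bool is_owner,
                   bool in_group, uint32_t want)
{
    uint32_t granted = (mask >> SHIFT_OTH) & PERM_ALL;
    if (is_owner)
        granted = (mask >> SHIFT_USR) & PERM_ALL;
    else if (in_group && ((mask >> SHIFT_GRP) & PERM_ALL))
        granted = (mask >> SHIFT_GRP) & PERM_ALL;
    if (possessor)
        granted |= (mask >> SHIFT_POS) & PERM_ALL;
    return (granted & want) == want;
}

/* The linking rule from the excerpt: Write on the keyring and Link on the
 * key, evaluated for one caller with the same status towards both objects
 * (a simplification: possession can differ between keyring and key). */
bool key_link_permitted(uint32_t keyring_mask, uint32_t key_mask,
                        bool possessor, bool is_owner, bool in_group)
{
    return key_permitted(keyring_mask, possessor, is_owner, in_group, PERM_WRITE)
        && key_permitted(key_mask, possessor, is_owner, in_group, PERM_LINK);
}
```

A mask such as key_perm_mask(PERM_ALL, PERM_VIEW | PERM_SEARCH, 0, 0) lets the owner see and find the key but not read its payload unless the key is also possessed; since the owner may change the mask, this bounds accidental rather than deliberate owner reads.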
On 10/14/07, Alon Bar-Lev <[EMAIL PROTECTED]> wrote:
>
> Hello Michael,
>
> I asked this in the past but did not get a reply regarding this... This is
> part of my stupid questions...
>
> If I understand correctly, whatever a user puts in the key store, he can read it.
>
> So putting passphrase or any sensitive information in the key store is
> very problematic.
>
> I guess I miss something, but if I am not, the configuration of
> ssh-agent is much better, as whatever is put into the agent cannot be
> read.
>
> Do I miss something?
>
> Best Regards,
> Alon Bar-Lev.
>
> _______________________________________________
> eCryptfs-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel
>