Re: [PATCH] keyrings: Allow searching the user session keyring

From: David Howells
Date: Tue Jun 14 2016 - 05:46:49 EST

Next message: Dongdong Liu: "Re: [RFC PATCH V2 1/2] ACPI/PCI: Match PCI config space accessors against platfrom specific ECAM quirks"
Previous message: tip-bot for Harvey Hunt: "[tip:irq/urgent] irqchip/mips-gic: Fix IRQs in gic_dev_domain"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Gwendal Grignou <gwendal@xxxxxxxxxxxx> wrote:

> Currently, if a session keyring exists, we are not searching in the
> user session or user keyrings.

That is correct. New session keyrings are given a link to the user session if
created by pam_keyinit. If you don't want to search the user keyring, you can
just unlink it from your session keyring.

The user-session keyring is a fallback keyring in case there's no session
keyring. It seemed to make things easier at the time, but it shouldn't really
exist and I would deprecate it and remove it if I could - especially now that
persistent keyrings exist. The uid 0 user-session keyring is a potential
security hole because it allows implicit sharing of authentication data
between daemon processes.

David

Next message: Dongdong Liu: "Re: [RFC PATCH V2 1/2] ACPI/PCI: Match PCI config space accessors against platfrom specific ECAM quirks"
Previous message: tip-bot for Harvey Hunt: "[tip:irq/urgent] irqchip/mips-gic: Fix IRQs in gic_dev_domain"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]