Re: [PATCH] keyrings: Allow searching the user session keyring
From: David Howells
Date: Tue Jun 14 2016 - 05:46:49 EST
Gwendal Grignou <gwendal@xxxxxxxxxxxx> wrote:
> Currently, if a session keyring exists, we are not searching in the
> user session or user keyrings.
That is correct. New session keyrings are given a link to the user session if
created by pam_keyinit. If you don't want to search the user keyring, you can
just unlink it from your session keyring.
The user-session keyring is a fallback keyring in case there's no session
keyring. It seemed to make things easier at the time, but it shouldn't really
exist and I would deprecate it and remove it if I could - especially now that
persistent keyrings exist. The uid 0 user-session keyring is a potential
security hole because it allows implicit sharing of authentication data
between daemon processes.
David